The company engaged 1898 & Co., part of Burns & McDonnell, to conduct a full IACS cybersecurity assessment based on global standards and the operation’s engineering standards specific to OT. The goal was to identify potential threats and prioritize fixing them. Without guidance, the project owners knew continued attacks would result in costly unplanned outages, operational challenges that threatened demand and the loss of public confidence.
While there are hundreds of cybersecurity operations in the enterprise information security space, 1898 & Co. was uniquely positioned for this project because it has cyber professionals working alongside designers and engineers. Our team was chosen for its experience with cybersecurity, control systems, industrial networking, field instrumentation and OT/IT security. Additionally, there are team members who have extensive knowledge of design, engineering and construction processes.
Using as guides the ISA/IEC 62443 industrial automation and control system cybersecurity standards and the National Institute of Standards and Technology cybersecurity framework categories of identify, protect, detect, respond and recover, the goal was to create a plan that would leave the client more cybersecure and better prepared for more complex and frequent attacks.
The 1898 & Co. team implemented a five-step process to conduct a vulnerability analysis of the client’s assets, including industrial control systems. Cybersecurity specialists did an asset inventory by going into the field and identifying the security state of the equipment, how the systems were configured, and the communication to and from the systems within their zones and conduits. The team used noninvasive vulnerability tools, data gathering and more to identify cyberthreats, take a deep dive into data flows, and determine what access and administrative controls were in place.
Examining in-field culture and looking at how employees executed their jobs was also a part of the analysis, especially when it came to shortcuts and processes instituted by staff to help with access, speed and convenience.
An important step in the assessment was identifying the highest-impact cyberevents that could occur and providing recommendations for remediation. As part of the asset inventory, team members combined what they discovered on-site with what the industry was citing as vulnerabilities specific to vendors and equipment. The team used information-sharing resources such as the National Vulnerability Database hosted by the National Institute of Standards and Technology and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team to help with vulnerability identification and remediation recommendations.
Using the resulting assessment data, the team focused on developing a system to address issues and prioritize threats. One key finding was that equipment from OEMs deemed secure — and sold as safe and reliable — was not. Much of this equipment had connectivity through the internet to domains that were undocumented. Another finding was that staff had created shortcuts and extra access points for convenience’s sake that made control systems highly vulnerable. These threats to safety were high on the list for remediation. Hardening security systems, keeping legacy systems as current as possible, and deploying security at the front end of new systems were other key factors that were examined closely.
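The two findings above (OEM equipment reaching undocumented internet domains, and ad hoc access paths that bypass the documented zone-and-conduit model) are the kind of thing a data-flow review surfaces. The following is an added example, not 1898 & Co.'s tooling or the client's data: it checks constructed flow records against a constructed asset inventory, conduit list and per-OEM documented-domain list, and reports every flow the model does not explain.

```python
"""Audit observed OT flows against a documented zone/conduit model.
All inventory, conduit and flow data below is constructed for illustration."""

# Constructed asset inventory: device -> (zone, OEM that supplied it)
INVENTORY = {
    "plc-01": ("control", "oem-a"),
    "hmi-01": ("supervisory", "oem-a"),
    "hist-01": ("dmz", "oem-b"),
    "eng-ws-01": ("supervisory", None),   # in-house engineering workstation
}

# Documented conduits between zones (directional: source zone -> destination zone)
CONDUITS = {
    ("control", "supervisory"), ("supervisory", "control"),
    ("supervisory", "dmz"), ("dmz", "enterprise"),
}

# Internet domains the vendor documents for each OEM's equipment (constructed)
DOCUMENTED_DOMAINS = {
    "oem-a": {"updates.oem-a.example"},
    "oem-b": {"telemetry.oem-b.example"},
}


def check_flow(src, dst):
    """Return a finding string for a (src, dst) flow, or None if the model explains it.
    A destination not in the inventory is treated as an external/internet name."""
    if src not in INVENTORY:
        return f"{src} -> {dst}: source not in asset inventory (undocumented access point)"
    src_zone, oem = INVENTORY[src]
    if dst in INVENTORY:
        dst_zone, _ = INVENTORY[dst]
        if src_zone == dst_zone or (src_zone, dst_zone) in CONDUITS:
            return None
        return f"{src} ({src_zone}) -> {dst} ({dst_zone}): no documented conduit"
    if dst in DOCUMENTED_DOMAINS.get(oem, set()):
        return None
    return f"{src} ({src_zone}, {oem or 'no OEM'}) -> {dst}: undocumented internet destination"


def audit(flows):
    """Run check_flow over every (src, dst) pair and return the list of findings."""
    return [f for f in (check_flow(s, d) for s, d in flows) if f]


# Constructed flow records, e.g. distilled from passive capture at the zone boundaries
FLOWS = [
    ("plc-01", "hmi-01"),                      # control -> supervisory: documented conduit
    ("hmi-01", "updates.oem-a.example"),       # documented OEM update domain
    ("hist-01", "telemetry.oem-b.example"),    # documented OEM telemetry domain
    ("plc-01", "cdn.unknown.example"),         # undocumented internet destination
    ("hist-01", "plc-01"),                     # dmz -> control: no conduit
    ("vendor-laptop", "plc-01"),               # device not in inventory
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```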
1898 & Co. was able to effectively identify and develop strategies that will lock down areas of risk. Awareness and technical training that helps better manage staff and contractor access will be provided on an ongoing basis. Other strategies include working with OEMs to implement a more streamlined approach to securing industrial control systems and critical networks. Specifically, the project team secured the client’s perimeter, forcing OEMs to go through a secure entrance point and demarcation. This enforces a defense-in-depth approach and secure-by-design access and patching for the industrial automation and control system.
The approach taken during this assessment has allowed the client to efficiently analyze its entire service territory and provided the information needed to begin fine-tuning the security of its operation. After the analysis, cybersecurity operators at the company now have the resources needed to enhance monitoring and detection capabilities both physically and remotely. Additionally, the client is better able to secure its devices and networks, including the supervisory control and data acquisition systems used to manage operations.