Enhancing Operational Resilience in OT

Threats to our critical infrastructure is a risk to our way of life. According to the Dragos 2023 Year in Review report there has been an increase in the number of reported incidents and the use of extortion tactics against industrial systems. Phishing and the exploitation of public-facing services are common methods identified for initial access. Around 2013, the Dragonfly group shifted the focus of their espionage campaign towards European and US energy companies. We only need to follow publicly reported cyber-attacks against Ukraine since 2015 to understand the effectiveness of performing espionage and pre-positioning activities. More recently, Volt Typhoon has been infiltrating and building a network of espionage across organizations in the power, water, transportation, and communications sectors. Disclosed in 2023 and beginning as early as 2021, this vast espionage network was partially disrupted in 2024.

I have been involved in the operational technology/industrial control system (OT/ICS) space for over 20+ years. I recall back in the early 2000's attempting to convince critical infrastructure sectors as to why they must address their cybersecurity gaps. A difficult proposition when many of these organizations were struggling with operating a solid and robust network infrastructure; a foundational necessity of doing cybersecurity. I helped many organizations faced with these realities move the proverbial ball forward while working through funding and integration challenges. Today, with ransomware and state-sponsored threats, organizations are asking, “What must we do next?” But some still haven't even started or completed the first step: understanding how to be vigilant to ensure core OT operations remain resilient while under cyber-attack.

For an OT/ICS environment to be operationally resilient, one must understand the basic functional requirements of critical systems. This includes the integrity of and availability to maintain safety and control while balancing people and technology as well as manual and automated systems and processes. The concept of critical systems begins with a bottom-up understanding when viewed in the context of what is being produced or delivered and the immediate systems needed to perform those activities. When combined with an operational risk analysis and process hazard analysis, this creates a better understanding of what must be included as 'critical' but also where operational resilience must be considered. There are, of course, wildly different perspectives when looking at different organizations.

We also know that many sectors must deal with increasing operational costs while also having to adopt new methods and technologies to remain competitive and/or operationally viable. Herein lies the challenge. Organizations must continuously balance the allocation of funding of either new technologies or architecture philosophies while navigating constraints in place to ensure viability as a business.

Over the years, there has been many competing and well-intended philosophies on how to move forward. Neither of these are bad for the community as it ensures we continuously evolve with each new threat and provide options for each sector and organization. After all, we sometimes forget that critical infrastructure includes multiple sectors, all of which are unique.

There have also been multiple new, but necessary, approaches to regulatory governance that have either been tabled or are in their early stages. Regulation has its purpose when used to establish goals and objectives without prescription, however, prescriptive regulation becomes rigid when faced against agile adversaries. Owners and operators of regulated systems must remain agile when deciding where and how to deploy cybersecurity to reinforce operational resilience as the threat landscape changes.

In review of the industry today, each critical infrastructure organization, at least in some part, can be categorized in one of these three perspectives:

1. Some organizations carried forward their IT-based solutions due to the need for 1) a more robust network infrastructure and 2) not having the OT staff to effectively take on the cybersecurity role. This has led to conflict, disruptions, and a lack of effective response capabilities. These organizations struggle with a bottom-up approach due to the size and complexities of their operational environments.
2. Organizations that are either relying on a perceived airgap or have overextended their OT systems with external systems. I say ‘perceived’ because for most organizations, an airgapped OT/ICS is no longer feasible. These organizations have either not looked or do not understand the solutions they have deployed. Maybe it is perspective, how they define airgap, or the trust in their service provides. As we look across organizations today, and due to the challenges of increasing productivity, there is typically some operational relationship between IT, OT, and even the cloud. Manufacturing has had a tight relationship between IT and OT long before the term ‘convergence’ was a thing.
3. There are organizations, including critical infrastructure, that have not started or are in their infancy. Often, they are faced with either an unskilled workforce and/or insufficient finances to do conduct adequate cybersecurity. This is a significant challenge for smaller utilities due to their cost structure focusing on the necessity to maintain normal, basic operations outside of a cyber event. Introducing additional security tools and solutions will likely lead to them simply not being used at all or being undermanaged rendering them vulnerable.

What must we do?

Organizations must focus on doing what they can do to prevent cyber incidents. However, they must also understand how to respond to incidents and equally important; maintain operations during an incident. There must be a strong relationship and collaboration between security operations and operational resilience. Regulation does build a culture and allocate funds, but it can cause a divergence between security goals and compliance which will limit the effectiveness of cybersecurity funding.

The challenges with running IT vulnerability management program within OT are many, including:

• An automated roll-out causing unplanned outages and instabilities.
• Using IT methodologies that do not align with ICS operations.
• Funding and ROI outpace maintaining operational resilience as scale.
• Running an IT vulnerability management program distracts from conducting necessary cybersecurity tasks.

Finally, implementation gaps and operational priorities must balance the fact that ICS have limited security features and adaptability to current security operations. Mission-driven priorities can bring operational effectiveness and agile security capabilities to the entire team of security and operations members.

So where do we go from here?

Regardless of the current state of an organization's cybersecurity, their operational mission and the presence of threats/risks must be clearly understood by all employees. The mission of every ICS defender is to maintain operations before, during, and after a cyber-incident.

It is always good to remind ourselves why we do the things we do and ensure the path we are on is aligned with our organizational goals and mission. Sure, this sounds obvious, but what is clear is that ICS teams set out to defend critical infrastructure often migrate into silos of activity leading to having tunnel vision on only their day-to-day activities. In many cases, teams do not take the time to walk in the shoes of other teams. This is unfortunate because this practice is an extremely useful way to identify opportunities to improve effectiveness and hardening defenses. For example, a security analyst or architect does not need to be a controls engineer to defend a controls system. Since they are on the same defense team, the analyst can easily engage in conversation with the engineer. Maximum effectiveness is gained when each group understands the other’s challenges, limitations, and decision-making process.

Critical infrastructure systems are a complex orchestration of people and digital and physical systems. Everything about the orchestra is engineered and understood; centered around a primary function and purpose. To ensure integrity and reliability, the industry has standardized methods and technologies that can be repurposed and adapted across all sectors and employees. Our adversaries understand this as well; and as such they leverage that knowledge into their capabilities. We sometimes believe that we can block all attacks and plug all vulnerabilities, however, living-of-the-land is the abuse and misuse of existing tools and services typically used for operational purposes.

SANS Institute's ICS612: ICS Cybersecurity In-Depth course progresses skills development to bring teams together, focus on the mission, and bring in operational resilience. This course provides a hands-on learning experience across multiple disciplines to cross-train the knowledge and skillset needed to align your team, effectively secure critical operation systems, and maintain operational resilience.

Each ICS612 class stages an in-classroom reference operations environment used to solidify the methodologies taught, including:

• Learning any OT environment
• Working with various roles and disciplines
• Identifying and mitigating operational risk
• Identifying attack scenarios against identified weaknesses

ICS612 takes all participants on a journey through the various roles needed to operate a secure ICS from its functional operating equipment to the network and security design and concluding with monitoring and maintaining. You will progress through basic programmable logic controller (PLC) and human machine interface (HMI) operations to advanced IT and OT security architecture and monitoring activities. These skills are reinforced through 50% lab exercises and a capstone incident response scenario where you will investigate and recover classroom operations; building confidence and assurance in your ability to implement your newfound skills upon return to work.