Cyber-Informed Engineering (CIE) is a new perspective on OT cyber risk – one that is being embraced by OT/engineering teams and IT/enterprise cybersecurity teams alike. This kind of consensus among IT and OT teams is unprecedented in the twenty-year history of the OT security field.

Threats

The OT threat environment continues to worsen, which means we have an increasingly pressing need to engage IT and OT teams in addressing material cyber risks to physical operations. In particular, in 2023, 68 cyber-attacks shut down, damaged, or otherwise physically impacted over 500 operational technology (OT) sites, according to the latest Waterfall / ICSStrive 2024 Threat Report. The rate of this class of attack was mostly “flat” between 2010 and 2019, with zero to five attacks in the public record every year for manufacturing and heavy industry. Since the turn of the decade, the number of these attacks has roughly doubled annually, compounded. The problem of OT security has changed, from a “theoretical” problem, to one that is real and growing exponentially.

Most attacks causing these shutdowns are ransomware, though hacktivist, supply chain and nation-state attacks are increasing as well. Worse, the most sophisticated ransomware groups are buying and selling attack tools from and to nation states – the tools and techniques used by the two kinds of threat actors are becoming indistinguishable.

OT Is Different

A perennial problem with cybersecurity in OT is that OT is different. In most IT networks, information is the asset, and our imperative is to protect the information. OT networks automate physical processes – often very expensive, dangerous physical processes. The cybersecurity imperative on OT networks is to protect safe, reliable and efficient physical operations, and only secondarily to protect sensitive trade secrets and other information, if there is any information such in the OT network at all.

A second issue with OT networks is change control. When enterprise security teams ask engineering teams to bring the entire OT network up to date with security updates, the engineering teams most often refuse. Why? The clarifying question most engineering teams really should ask but rarely do, is “How likely is that change to kill anyone?” Engineers need that question answered before they make any change, and the likelihood of a safety incident is never zero. There is no way to make physical processes perfectly safe.

A second question that helps clarify the problem is “How likely is that change to trip the plant and trigger an un-planned shutdown of our billion-dollar asset?” All change represents a physical risk. Engineering teams are required, by their businesses, by their professional associations and often by law, to address material risks to physical operations. Engineering Change Control (ECC) is the discipline by which the risks of proposed changes are evaluated, tested and managed. The problem is that ECC is very expensive. Change on OT networks is not impossible, but someone is going to have to allocate budget to charge engineering services against, especially in organizations with small or no in-house engineering teams.

Cyber-Informed Engineering

These threats and the “difficult” nature of OT / industrial automation networks are why Idaho National Laboratory is working on the new Cyber-Informed Engineering (CIE) initiative. CIE is positioned as “a coin with two sides.”

  • One side is cybersecurity – from teaching engineering teams about cyber threats to physical operations and engineers’ obligations to the business and to society to address those threats.
  • The other side is engineering – use the powerful tools that engineers have for managing physical risk – use these tools to address cyber threats as well.

For example, imagine you work in a large refinery. The refinery uses catalytic crackers – six story tall pressure vessels filled with hot hydrocarbons. Imagine you work 8 hours a day inside the kill radius of a worst-case cracker explosion. How would you prefer to be protected from a cyber-attack that over-heats the furnace under one of your crackers? Would you prefer a mechanical, spring-loaded over-pressure relief valve that, if the cracker over-pressurizes, is forced open mechanically to route hot hydrocarbons to a flare stack? Or would you prefer a longer password on the computer controlling the furnace?

Most people answer that they would prefer a mechanical valve – these valves have no CPUs after all, and thus are in a real sense “unhackable.” True experts respond that they want three or four of these valves, thank you, because there are risks of corrosion and metal fatigue that might impair the operation of a single valve. And they want a longer password on the computer controlling the furnace. And they want an absolute “boatload” of cybersecurity in addition to these two measures – this is their life on the line after all. This latter answer is the correct one – when we “spend the CIE coin,” we do not spend one side of the coin or the other. We spend the whole coin.

But think about it – where is the over-pressure relief valve in the ISO 27001 standard? In the NIST Cybersecurity Framework? Or even in the industrial IEC 62443 standard? There is no hint of over-pressure relief valves or other engineering tools in those standards – these are cybersecurity standards, not engineering standards. Safety engineering, protection engineering, automation engineering and related disciplines all have powerful tools at their disposal to address all threats that can bring about physical operations. These tools have not been applied universally nor systematically to address cyber threats but should be.

The Most Significant Change In a Decade

CIE is arguably the most significant change in OT security in over a decade. When engineering teams and even many enterprise security teams learn about CIE, they often react with something like, “This makes so much sense. Why is this new? This shouldn’t be new. Why have we not been looking at the problem this way since the beginning?”

Engineers understand consequences, physical process design, and a wide variety of “unhackable” electro-mechanical and other protections and need to come up to speed on cyber threats and the applicability of their tools to cyber threats. Enterprise security understands threats and the “boatload” of cybersecurity mitigations that can be deployed as needed for those systems that do not yet have electro-mechanical or analog mitigations. With each team contributing their unique knowledge and perspectives, the OT security problem suddenly becomes tractable and affordable.

About the Author

Cyber-Informed Engineering – A New Perspective on OT SecurityAndrew Ginter is the VP of Industrial Security at Waterfall Security Solutions. He leads a team of subject matter experts who work with the world’s most secure industrial sites. Andrew also writes about what he learns from these sites, having written three books on OT security and contributed regularly to industrial security standards and guidance.

For a high-level introduction to CIE, the engineering perspective on cybersecurity and due care obligations, you can request a free copy of Andrew’s latest book Engineering-Grade OT Security. Andrew can be reached at [email protected] and at our company website https://waterfall-security.com/

Source: www.cyberdefensemagazine.com