Risk Assessment in Operational Technology – The most common risks and how to avoid them
First used in 2006 by Gartner, the term ‘operational technology’, or OT for short, is meant to talk about hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes, and events. As OT is closely associated with critical infrastructures such as utility control systems, cybersecurity in OT bears vital importance. In this article, we’ll examine how risk assessment and evaluation is done in industrial control systems, why it’s important, and what the potential risks are if it’s not done properly.
Why proper risk analysis is critical in OT
Practically speaking, one of the biggest problems decision makers have with OT cybersecurity is the seemingly endless amount of money and time that could go into building it, as well as the fact that even the most state-of-the-art, sophisticated security measure can’t guarantee the full protection of all areas. For this reason, many believe that there’s no point in even trying to accomplish such a “hopeless” mission. However, this is exactly where risk analysis comes into the picture. It helps assess the cyberthreats and risks that OT systems are faced with and ensure that proper response is in place in any specific incident. What’s more, a proper risk analysis can even help determine the areas where businesses can achieve the best results using as little budget and resources as possible, which has sadly become an increasingly important factor in cybersecurity.
In addition, it is also dictated by law that organizations operating critical infrastructures such as utility control systems must regularly perform risk assessment and evaluation to be prepared to fend off potential cyberattacks.
OT risk analysis – How we do it at SOCWISE
However, OT environments require a different approach to risk analysis than that in IT. For this reason, we at SOCWISE decided to reimagine our risk analysis methodology to be able to assist industrial technology companies as well. Let’s talk about how we at SOCWISE perform risk analysis for industrial companies.
Our methodology consists of the following phases and deliverables:
- An asset inventory
- A list of relevant threats and vulnerabilities
- A risk catalogue containing the evaluation of the risks
- Recommendations for managing the identified risks
Naturally, we do all this in line with and based on globally accepted OT standards.
The deliverables of an OT risk assessment methodology
Now, let’s dive a little deeper into the deliverables we produce when assessing and evaluating the risks faced by industrial companies.
For us to know what needs to be protected, we first need to conduct a thorough OT asset inventory. This inventory contains all the OT software, hardware, support services, and staff divided into different categories such as servers, HMIs, and PLCs, which we also evaluate based on availability, vulnerability, and confidentiality. Then, we assign these to different business processes.
Threats and vulnerabilities
When we’re done with the asset inventory, we assess the vulnerabilities as per the relevant OT-specific vulnerability list of the NIST 800-82 standard. Such vulnerabilities include applying weak configurations settings or unsafe protocols. We then assess the threats that could potentially endanger the organization and split them into five categories based on their severity or relevance. Examples of these threats include the reprogramming of control units, the insertion of malicious codes, or the modification of the control logic.
Finally, we prepare a risk catalogue in which we list the potential risks we found, such as unauthorized access to OT servers, accessing sensitive production data, and modifying configurations or PLC programs. We assign these risks to the relevant vulnerabilities, threats, assets, and business processes, and we also define their risk levels. These risks and their properties are illustrated in multiple ways for easier understanding.
Now, at this point, some would probably say their job’s done and call it a day, but we know this is a lot to take in and the information we provide can be difficult to turn into action items. So, we conclude our risk analysis process by making recommendations on how to efficiently manage the identified risks in our findings.
The most common risks in operational technology
Now that we thoroughly discussed how we conduct risk analysis in OT environments, let’s look at the most frequent risks we find using our methodology. Based on our assessments, we can draw the conclusion that there are a number of common, recurring risks that most industrial companies need to cope with. These include:
- Compromised OT server availability
- Unexpected devices on the network
- Modified configuration of control systems
- Denial of Service attacks
Naturally, this list is far from being exhaustive – there are a lot more risks that threaten OT systems, but these are the ones that our customers face most frequently, so it’s worth talking about them in more detail. Let’s take a closer look.
Compromised OT server availability
When the availability of a server that’s running the services of OT control systems is compromised, it can become difficult or even impossible to maintain production continuity. This can be caused by a number of vulnerabilities, such as incorrect configuration of admin rights on the server. But there is good news, too: you can prepare for this risk in multiple ways, for example, by having a Unified Access Management (UAM) system in place that’s applicable for all devices.
Unexpected devices on the network
Another common risk is when a new device appears on the network unexpectedly and starts sending ‘stop’ commands. As you probably guessed, it’s another risk that’s aimed at disrupting the production process. The easiest way to defend your infrastructure against this risk is to monitor your network 24/7.
Modified configuration of utility systems
Utility systems are frequent targets of cyberattacks such as the modification of configuration settings or disabling the utility services of production plants. One of the most common ways they manifest is through the malfunction of electricity on the production line. To handle this risk, it’s possible for example to use a secondary entry point or, in the case of critical equipment, securing power supply with their own generators. But above all, as a preventive measure, it’s always best to separate utility control systems from the business IT network.
Denial of Service (DoS)
DoS attacks are designed to shut down a service or stop a company’s production process (or at least degrade its performance level in the long term) and are one of the most well-known threats to enterprises around the globe – including ones running OT systems. The most effective way to respond to them is having a frequently tested and maintained business continuity and disaster recovery (BCDR) plan which ensures that in the event of a DoS attack, or any other unforeseen disruptive event for that matter, the company can carry on providing service or maintaining production.
As you can see from the above, risk analysis is a critical exercise in OT systems, and it should be taken very seriously. As such, it’s an integral part of our services, but it’s still only one of the many security activities we specialize in.
We think that cybersecurity isn’t limited to any one specific area. We believe that it should be managed with a holistic approach, one that includes the creation of the concept, designing the architecture, and even technicalities such as network segmentation, internal and external perimeter security, OT client protection, and managing the network analysis tools.
And, no matter what OT tool you decide to go with, by all means you should implement a proper central event management solution so you can monitor it and process any event that gets on the radar. If you have the slightest doubt as to how to do it, talk to us. Thanks to our own SOC, we can help keep your OT environment safe – or even help you build a SOC of your own.