In our last newsletter, we discussed how a traditional “IT” centric approach to cybersecurity was not enough to counter the malware threats to industrial control systems (ICS). The ICS environment is more commonly called “operational technology” (OT) as opposed to “information technology” or IT. In this newsletter we’re going to address another point made in that prior newsletter: while malware is the best known of the threats, it is not the only one.
In order to understand the non-malware related threats, we first need to look at how we define some of the most common terms related to cybersecurity. First, we need to define exactly what “IT” and “OT” mean. The common definitions for these two terms can be found in countless cross-industry references. Since we’re dealing specifically with the offshore sector, the definition provided by the International Maritime Organization (IMO) is most appropriate.
From MSC.1 Circ 1526 June 2016:
“2.1.2 The distinction between information technology and operational technology systems should be considered. Information technology systems may be thought of as focusing on the use of data as information. Operational technology systems may be thought of as focusing on the use of data to control or monitor physical processes. Furthermore, the protection of information and data exchange within these systems should also be considered.”
Information Technology (IT) systems manage data and generally refer to systems related to computing technology. Some examples are: CRM, ERP, Email, etc. Operational Technology (OT) systems manage activity and generally refer to hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. Some examples of OT are: SCADA, PLCs, HMIs, etc.
The next term we need to look at is “cybersecurity” itself. Just as with IT and OT, it can be found in countless cross-industry references. However, when dealing with systems comprised of both IT and OT, the common definition is not comprehensive enough. In order to accommodate the unique issues associated with OT, the definition of cybersecurity must be expanded.
The traditional IT definition of cybersecurity covers protecting the IT infrastructure, the programs and the data from unintended or unauthorized access and harm. However, operational technologies are the command and control systems that actually operate the systems and machinery on the vessel. From an OT perspective, cybersecurity must be defined to also prevent these systems from doing harm to people, the environment, and the asset.
In IT, cybersecurity is intended to protect the IT system from harm. For OT, we need to go further: cybersecurity must also prevent the system being operated from doing harm to people, the environment, and the asset.
The use of the terms “unintended” and “unauthorized” in the definition of cybersecurity provides a critical additional dimension to the definition. The term “unintended” brings the system design within the scope of the definition.
A poorly designed system that “unintentionally” allows damage or harm to be done represents an internal latent cyber threat that is just as dangerous as an “unauthorized” external threat.
Finally, we need to look at how we define “malware”. Similar to IT/OT and cybersecurity, the definition for malware can be found in countless cross-industry references. However, when dealing with an OT, the common definition for malware also needs to be expanded.
From the IT perspective, we define malware as any software capable of compromising or doing harm to a network, computer, or data. Adding the OT perspective means we need to expand the definition to include any software that compromises the integrity of a system to allow or cause the system to perform a harmful operation. This brings the integrity of the system design under the umbrella of cybersecurity for OT systems.
IMO addresses this issue in its guidance in MSC.1 Circ 1526 June 2016 (emphasis added):
“2.1.4 Malicious actions (e.g. hacking or introduction of malware) or the unintended consequences of benign actions (e.g. software maintenance or user permissions).
2.1.) Vulnerabilities can result from inadequacies in design, integration and/or maintenance of systems, as well as lapses in cyberdiscipline. In general, where vulnerabilities in operational and/or information technology are exposed or exploited, either directly (e.g. weak passwords leading to unauthorized access) or indirectly (e.g. the absence of network segregation), there can be implications for security and the confidentiality, integrity and availability of information. Additionally, when operational and/or information technology vulnerabilities are exposed or exploited, there can be implications for safety, particularly where critical systems (e.g. bridge navigation or main propulsion systems) are compromised.”
For an OT system, the threat of performing a harmful operation does not have to come from externally introduced malware. The capability to perform a harmful act can be present in the original design of the system.
What this means to the owner, end-user, or marine insurance underwriter is that in order to evaluate the cybersecurity capabilities of an OT system, we must go beyond the cybersecurity capability provided by IT approaches, or the roadmap for prevention of cybersecurity threats as described in the Cybersecurity Capability Maturity Model for the Oil & Natural Gas Subsector (ONG-C2M2). The design of the system, the lack of effective failure modes analysis (FMEA, FMECA), insufficient acceptance and integration testing, insufficient management of change, poor outsourcing decisions, and poor supervision of I&C contractors are all significant contributors to ineffective cybersecurity.
Cybersecurity surveys must be specifically engineered to provide the IT AND OT coverage necessary to match your specific risk tolerance for your specific system and operational plan. The control system is a critical element: OT harm is not mechanically based; it is the result of a control system telling the equipment to do the harm.
Athens Group Services surveyors are skilled at verifying the performance and potential failure modes of complex integrated OT systems and stand uniquely qualified to understand their impact on cyber-related threats. We understand that verifying the cybersecurity of integrated controls-based OT systems requires specific integrated systems test engineering experience grounded in software controls.