Helping IT Ensure OT Cybersecurity


The Accenture Operation: Next 2022 OT Cybersecurity Summit, held on March 23, discussed the dangers of cyber threats to industrial operational technology (OT) environments and posed solutions for how to deal with them from several perspectives. Of particular interest was the panel on automating OT security. Jason Holcomb, managing director, OT Security at Accenture, moderated a panel discussion titled, “Why automation is the future of OT security.”


“In the context of what many consider automation systems,” said Holcomb, “a lot of these industrial control systems are industrial controls and automation.”

Cybersecurity acceptance

The panel included Russ Richardson, senior manager of OT cybersecurity at Duke Energy. “The first challenge I see is getting cybersecurity accepted in OT. It’s a space that’s traditionally been dominated by engineers who design and maintain the systems and the operators who rely on those systems,” Richardson said. “They’re very protective, as they should be, of those systems, depending on what their OT is controlling. Disruption could mean the production line stops and you’re costing your company millions of dollars an hour, or in my case, it could mean you take a plant offline and you’re no longer generating electricity for your customers. It’s no wonder cyber hasn’t been welcomed into this space and is seen as more of a threat to reliability than a necessity.”
 
Richardson also cited scars from early experiments of bringing IT tools into the OT space. “I’ve learned that to overcome those challenges of acceptance, you have to educate them, you have to listen to them, and you have to build a lot of trust,” he said.
 
Richardson advocates building a lab that includes the same equipment users have and layering the security tooling onto the architecture they use in production. This demonstrates that cybersecurity tools won’t “break” the system and that the two can coexist without interference. “Once you have that little bit of success under your belt, you start to pilot at a small location and eventually you build that trust and get to even the most critical sites.”
 

A foot in the door

Richardson advocates starting with passive activities to get your foot in the door. “Start off with network monitoring log collection. Once you’ve demonstrated success with those passive approaches, start to move into more active measures like querying devices for information, or even targeted scanning of the space. The last step is automation. The challenge with automation is people are afraid you will introduce something that will break their environment.”
 
Richardson also emphasized the importance of understanding assets. He said that when the security operations center (SOC) gets an alert, the faster analysts can understand the assets involved, the better their chance of preventing something bad from happening. Knowing what an asset is, where it is located, and who owns it are all important.
 

Also on the panel, Trevor Houck, senior manager at Accenture, agreed with Richardson. “There’s a lot more acceptance on the SOC side for automation opportunities, just because there’s not as much risk to the downstream assets and to operations to actually automate functions,” Houck said. An example of automation in the SOC is correlating security alert data from a passive network sensor with an existing outage management system (OMS) data feed.

“Another example we’ve gotten a lot of benefits from is enriching asset management data,” Houck continued. Trying to tackle asset management in OT environments is complicated. “You have multiple owners of a piece of equipment. You may have someone in charge of the firmware, someone in charge of patch level, and someone in charge of the physical security. Then you open a source of record, and you find seven or eight different owners. The majority of OT security data is going to be on the network level.”
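The two SOC automations Houck describes, alert correlation against an OMS feed and asset-data enrichment, together with Richardson's three questions about an asset (what it is, where it is, who owns it), can be shown in one small triage routine. The following is an added example written for this article; it is not code from Accenture, Duke Energy or any SOAR product. The asset inventory, outage feed, alert records and all field names are constructed sample data.

```python
"""Enriching a passive-sensor alert with asset inventory and OMS outage data.

Added example, not code from the article or from Accenture/Duke Energy.
Every record below is constructed sample data; the field names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: what the asset is, where it is, and who owns which aspect of it
ASSETS = {
    "10.20.1.15": {"name": "RTU-SUB7-01", "site": "Substation 7",
                   "owners": {"firmware": "relay-eng", "network": "grid-net", "physical": "site-security"}},
    "10.20.2.40": {"name": "HMI-PLANT3-02", "site": "Plant 3",
                   "owners": {"firmware": "controls-eng", "network": "plant-net", "physical": "plant-security"}},
}

T0 = datetime(2022, 3, 23, 9, 0)

# Constructed OMS feed: one planned maintenance window, one unplanned outage still ongoing (end=None)
OMS_OUTAGES = [
    {"site": "Substation 7", "start": T0, "end": T0 + timedelta(hours=2), "planned": True},
    {"site": "Plant 3", "start": T0 + timedelta(minutes=50), "end": None, "planned": False},
]

# Constructed alerts as a passive network sensor might emit them
ALERTS = [
    {"ts": T0 + timedelta(minutes=30), "src": "10.20.1.15", "signature": "Firmware upload to protection relay", "severity": "high"},
    {"ts": T0 + timedelta(minutes=55), "src": "10.20.2.40", "signature": "New Modbus master on network", "severity": "high"},
    {"ts": T0 + timedelta(minutes=10), "src": "10.20.9.9", "signature": "Unexpected S7comm scan", "severity": "medium"},
]


def find_outage(site, ts, outages, window=timedelta(minutes=15)):
    """Return the OMS outage at `site` that overlaps `ts` (with a tolerance window), if any."""
    for outage in outages:
        end = outage["end"] if outage["end"] is not None else ts  # ongoing outage has no end yet
        if outage["site"] == site and outage["start"] - window <= ts <= end + window:
            return outage
    return None


def enrich_alert(alert, assets=ASSETS, outages=OMS_OUTAGES):
    """Attach asset, owner and outage context to an alert and decide how to route it."""
    enriched = {**alert, "asset": None, "outage": None, "route_to": None}
    asset = assets.get(alert["src"])
    if asset is None:
        # An alert for a host nobody has inventoried is itself a finding
        enriched["disposition"] = "inventory-gap"
        enriched["route_to"] = "asset-management"
        return enriched
    enriched["asset"] = asset
    outage = find_outage(asset["site"], alert["ts"], outages)
    enriched["outage"] = outage
    if outage is None:
        enriched["disposition"] = "investigate"
    elif outage["planned"]:
        enriched["disposition"] = "verify-with-owner"   # maintenance may explain it; confirm with the owner
    else:
        enriched["disposition"] = "escalate"            # unplanned outage plus a security alert
    # Route to the owner responsible for the aspect the alert concerns
    aspect = "firmware" if "firmware" in alert["signature"].lower() else "network"
    enriched["route_to"] = asset["owners"][aspect]
    return enriched


def triage(alerts=ALERTS):
    return [enrich_alert(a) for a in alerts]


if __name__ == "__main__":
    for row in triage():
        print(row["src"], row["disposition"], "->", row["route_to"])
```

The routing step is where the "seven or eight different owners" problem shows up: the inventory records an owner per aspect (firmware, network, physical), and the alert's content picks which one is paged, so a firmware write on a relay goes to the relay engineers rather than to whoever happens to be listed first.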

Automation at the control system level

Another panelist, Byron Chaney, security consultant at Accenture, explained automation at the control system level. His presentation placed automation in the context of the control system as a threat response action. “We all know how important timeliness is when it comes to responding to cyber threats. The faster you can remediate, the better position you are in to minimize negative outcomes from those situations. There’s nothing faster than automation. As Russ [Richardson] mentioned, historically there’s been a hesitancy to adopt cyber automation into OT.”

Chaney gave two potential reasons for that hesitancy. The first is perceived adoption overhead. “What I mean by that is the perceived costs associated with bringing in a new platform into an existing environment. The second is the perceived loss of control, or maybe loss of visibility, or otherwise the risks posed to the existing environment.”

Chaney also proposed a solution: SOAR, which stands for security orchestration, automation and response, is a platform that automates the analysis of, and response to, ingested cyber data.

 

“That means when it comes to threat responses, you need to first do threat modeling and identify those potential scenarios in the future that you want to be prepared for,” Chaney said. “You prepare for those by making playbooks for each scenario. Within those playbooks are your actions that SOAR is going to take. SOAR is integrated into the environment so it can make changes to that environment. When you bring all these things together, SOAR is effective at stopping the spread of cyber incidences. That helps to ease the fears about the resources needed to integrate SOAR into an existing environment.”
 
Chaney said the most important of these is probably human in the loop. “‘Human in the loop’ is a functionality that puts a human between your automation and the execution of that automation, essentially ensuring that no action is taken without human approval.”
 
“The scenario is we know our control system is under attack, and we need to be able to act with machine speed to respond to that and so we’re predefining these scenarios with the human in the loop,” Holcomb said. “The big takeaway from this is once you do get to a point where you’re taking sweeping actions to fend off an active cyber-attack in a production control system environment, that human-in-the-loop process and having that redefined becomes really important.”
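The structure Chaney and Holcomb describe (threat-modeled scenarios, a playbook of actions per scenario, and a human-in-the-loop gate so that nothing changes the control environment without approval) is easy to see in a small playbook runner. The following is an added example written for this article, not code from Accenture or from any SOAR product; the "environment" it integrates with is a constructed dictionary standing in for the firewall, switch and workstation integrations a real platform would call, and the incident, playbook and action names are assumptions.

```python
"""SOAR-style playbook runner with a human-in-the-loop gate.

Added example, not code from the article or any SOAR vendor. The environment,
incident and playbook below are constructed; real integrations are assumed away.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


def new_environment():
    # Constructed stand-in for the control environment SOAR is integrated with
    return {"ot_firewall_rules": [], "isolated_hosts": set(), "operator_notices": [], "evidence": []}


@dataclass
class Action:
    name: str
    run: Callable[[dict, dict], str]   # (environment, incident) -> summary of what was done
    changes_environment: bool          # active actions are held until a human approves them


@dataclass
class Playbook:
    scenario: str                      # the threat-modeled scenario this playbook prepares for
    matches: Callable[[dict], bool]    # does an incoming incident fit the scenario?
    actions: List[Action]


# Passive actions: they only gather or inform, so they can run at machine speed
def collect_evidence(env, inc):
    env["evidence"].append({"host": inc["host"], "indicator": inc["indicator"]})
    return "evidence captured"


def notify_operator(env, inc):
    env["operator_notices"].append(f"{inc['site']}: suspicious activity on {inc['host']}")
    return "operator notified"


# Active actions: they change the production environment, so they wait for approval
def isolate_host(env, inc):
    env["isolated_hosts"].add(inc["host"])
    return f"{inc['host']} isolated"


def block_source(env, inc):
    env["ot_firewall_rules"].append({"action": "deny", "src": inc["attacker_ip"]})
    return f"deny rule for {inc['attacker_ip']} applied"


PLAYBOOKS = [
    Playbook(
        scenario="Unauthorized engineering workstation writes to PLC",
        matches=lambda inc: inc["indicator"] == "unauthorized-plc-write",
        actions=[
            Action("collect_evidence", collect_evidence, changes_environment=False),
            Action("notify_operator", notify_operator, changes_environment=False),
            Action("isolate_host", isolate_host, changes_environment=True),
            Action("block_source", block_source, changes_environment=True),
        ],
    ),
]


class SoarRunner:
    """Runs matching playbooks; every environment-changing action passes through the approver."""

    def __init__(self, approver: Callable[[str, dict], bool]):
        self.approver = approver   # the human decision; must return True for an explicit approval
        self.audit: List[dict] = []

    def handle(self, incident, env, playbooks=PLAYBOOKS):
        for pb in playbooks:
            if not pb.matches(incident):
                continue
            for act in pb.actions:
                if act.changes_environment and not self.approver(act.name, incident):
                    # Default is to hold: no approval means no change to the environment
                    self.audit.append({"playbook": pb.scenario, "action": act.name, "status": "held-for-human"})
                    continue
                summary = act.run(env, incident)
                self.audit.append({"playbook": pb.scenario, "action": act.name, "status": "executed", "result": summary})
        return self.audit


# Constructed incident fitting the playbook above
INCIDENT = {"host": "EWS-PLANT3-01", "site": "Plant 3", "attacker_ip": "10.20.7.77",
            "indicator": "unauthorized-plc-write"}


def run_with_decisions(decisions: Dict[str, bool]):
    """Replay the playbook against a fresh environment with a fixed set of human decisions."""
    env = new_environment()
    runner = SoarRunner(approver=lambda name, inc: decisions.get(name, False))
    audit = runner.handle(INCIDENT, env)
    return env, audit


if __name__ == "__main__":
    env, audit = run_with_decisions({"isolate_host": True})
    for entry in audit:
        print(entry["action"], entry["status"])
    print("isolated:", env["isolated_hosts"], "firewall:", env["ot_firewall_rules"])
```

The design point is the direction of the default: an approver that returns nothing, times out or is never consulted leaves the environment untouched and records the action as held, so the passive steps still happen immediately while the sweeping ones wait for the person Holcomb describes.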
 
Find out more from the Accenture Operation: Next 2022 OT Cybersecurity Summit online, where sessions are available on demand.

About The Author


Jack Smith ([email protected]) is a contributing editor for Automation.com and ISA’s InTech magazine. He spent more than 20 years working in industry—from electrical power generation to instrumentation and control, to automation, and from electronic communications to computers—and has been a trade journalist for 22 years.

