How high should we set the bar?
23 June 2020
One of the many challenges that can be encountered when setting out to improve Operational Technology (OT) security is determining what good looks like.
I'll look at this challenge in three parts:
- gaining a clear understanding of the current situation
- determining how good the design and operations need to become
- justifying, in business terminology, the effort required to get there
I'll explore this challenge here, as I did in person at NTT Ltd.'s Information Security World (ISW) 2019, held at the Institution of Engineering and Technology (IET) in London.
The session discussed securing businesses through digital transformation and included excellent presentations from Nozomi Networks, Fortinet and LogRhythm.
As part of my introduction to the session, I tried to link three of my interests into one concept; athletics, instrumentation and control engineering, and OT security.
Know how high to set your bar
First of all, earlier that month I had watched Mutaz Barshim win a thrilling high jump contest at the 2019 World Athletics Championships, soaring over the bar set at 2.37m in front of a home crowd - just months after sustaining a potentially career-ending ankle injury. An amazing performance. No other tenuous link, my first point is simply about the concept of setting the height of a bar (or setting a target) and knowing how high to set it.
Learn from experience
Secondly, with ISW 2019 held in the IET building, I was thinking back over the engineering methodology I used as a safety systems engineer earlier in my career. I used historical data to help estimate reliability and, therefore, how well to design and maintain a safety system. As a team, we'd gather this data from manufacturers, independent sources, our own operating experience and from others via collaboration across the industry. Once that data was validated and trusted, it helped to form the justification for the design and operation.
This process is vastly more complicated if we need to include software justification, but I'll exclude that here for simplicity.
Use data to inform decision making
Thirdly, I've been reading the excellent book ‘Solving Cyber Risk: Protecting Your Company and Society’, which uses examples of assessing the total impact, in business terms, of a cyberattack on an organization. By using the ever-increasing amount of cyber-impact analysis data, we can justify the improvements required to reach a target, and to help determine what that target needs to be. Targets for OT security, both technical and organizational, are nothing new; IEC 62443 Security Levels, IEC 62645 Security Degree definitions and C2M2 Maturity Indicator Levels for example. Making the required technical and organizational improvements to reach these targets requires change, almost certainly requiring justification via a business case.
Make data work for you
By using emerging and historical data, you can make the business case more convincing, and more specific to the organization in relation to their own business context; to avoid or minimize the impact of loss of production, loss of revenue, loss of reputation etc.
This tied in well with the point made by Daniel Eitler from BMW at ISW's keynote morning session: “Cybersecurity is a priority at BMW, it is what differentiates us from other companies”. Even though being secure is good for business, it still requires justification.
Nothing I have written here is new. I'm not taking credit for Barshim's winning jump, for decades of engineering good practice, or for the work of Coburn, Leverett and Woo in ‘Solving Cyber Risk: Protecting Your Company and Society’.
However, by simply linking these concepts together, it is my hope that something resonates with you and is of use in helping to address some known challenges:
- the lack of investment for cybersecurity
- the difficulty in communicating cyber-risk to the board
- and the challenge in assessing risk across numerous complex systems performing important business functions.
Finally, linking back to the key theme of ISW 2019 which was smart society and digital transformation, covering a range of topics and technologies; cloud, IoT, IT, IIoT and OT.
With all these technologies being available to businesses, it can be difficult to manage, plan, assess and prioritize all these complex systems in terms of cyber-risk. So my final thought is to use another concept from safety system engineering practice; focus on functions first, systems second, technology third.
Keeping sight of the importance of the functions that OT provides (for example, generating electricity, protecting the workers and public) can help determine how well the systems need to be designed and operated, what technology is best suited for realizing those systems, and therefore how well they should be secured.
In other words – how high to set the bar, how much effort is required to reach it, and how to measure the progress in getting there.
This is the general approach we provide for the development of security programs: to assess the current situation, determine the target state and develop a roadmap to achieve that target state.
The threat landscape will change, the build-up of historical cyber-impact data will (unfortunately) continue, and therefore the setting of the bar may need adjusting. However, once that roadmap is set and understood, at least the delta will be known, and measurable.