It would be fair to say that cyber security is at the top of most businesses’ list of concerns. The increased emphasis on IT and technology – every company is a technology company today, after all – has made it this way.

Technology and data have become so deeply entrenched in many organisations that if it is compromised the damage to their operations, brand reputation and bottom line can be catastrophic. You merely need to flick through any daily newspaper to read about the latest data breach to see how much of an issue cyber security is.

Those same newspapers also arguably perpetuate some myths around cyber security, namely that not every hack, attack or breach is the same. It could be ransomware like the recent WannaCry attack, a DDoS attack like that faced by the BBC in 2016, or a phishing scam in the shape of those suspect emails we’ve all received from suspiciously generous foreign diplomats and royalty. Cyber security is a catch-all term to categorise a diverse ecosystem of threats.

So it follows that protecting different infrastructures and systems too would require different approaches and skillsets – protecting the automated systems of an oil refinery, for instance, would be quite different from the CMS of a retailer. The stakes are much higher too.

For those working in industrial settings, understanding the nuances of protecting operational technologies is the first step to mitigating risk.

OT vs IT

It is an open secret that Operational Technology (OT) cyber security is not the same as IT cyber security.

It’s true that these systems are often based on the same technologies and as such many of the threats they face are exactly the same. However, there are some important differences that mean your operational assets should not be managed as an extension of your IT infrastructure:

Age: OT computer systems are usually procured for a specific function and represent a significant investment. These platforms are not easily replaced and it is not unusual to find computer hardware that has been in operation with little or no modification for over 10 years. Consequently, they are vulnerable to a wide range of cyber-threats that have already been mitigated for your business systems.
Availability: These systems are at the centre of every industrial company; excessive downtime goes directly to the bottom line. There is, therefore, an understandable reluctance to take these systems out of service for maintenance, including patching and anti-virus updates. If these systems cannot be updated frequently (consider how often requests to update appear on your own Windows PC) or they cannot be updated at all then alternative measures are required to manage the risk.
Process hazards: Many OT assets are responsible either for direct control, supervisory control or the safe operation of manufacturing processes. Business systems are also critical but their failure is unlikely to result in the uncontrolled release of hazardous materials or energy. If a control system is not sufficiently secure from cyber threats then it cannot be regarded as adequately safe, and there is a clear implication here that the security lifecycle should be managed appropriately.

Setting the standards for security

There are two standards (both published by the International Electrotechnical Commission) relevant to the identification and management of risk for industrial control systems. The first is IEC 61511 “Functional safety - Safety instrumented systems for the process industry sector”. The second is IEC 62443 “Security for industrial automation and control systems”. It is worth noting that the ISO/IEC 27000 family of standards are sometimes adopted for OT cyber security but their focus is more on information security, not the safety and / or security of industrial control assets. As OT systems are often responsible for the control of a physical process, good practice in ISO/IEC 2700x should be adopted where appropriate, but the IEC standards should take precedence at all times. For example, a password lockout policy might be appropriate for preventing unauthorised access to a business system (business confidentiality) but not for the control room where locking an Operator out of the control system could have serious consequences (availability is more important).

IEC 61511 for functional safety was updated at the end of 2016 and Edition 2 now includes requirements for:

Carrying out a security risk assessment to identify the security vulnerabilities of a safety system and also
(Re)-designing the system such that it provides the necessary resilience against the identified security risks

This change brings the two IEC standards closer together in their scope and requirements. This trend is likely to continue. For example, the UK’s Health and Safety Executive (HSE) has recently issued an Operational Guidance note to its Inspectors outlining its expectations for the management of cyber security risk on Major Accident Hazard (MAH) sites. Unsurprisingly, the HSE’s focus is on the continuing safe operation of these systems but this Operational Guidance note also makes clear the HSE’s expectations in terms of identifying and mitigating the risks posed by inadequate OT security. It also states that, “duty holders should take reasonably practicable steps to reduce security risks”. The guidance note cites IEC 61511 as “Relevant Good Practice” and also references IEC 62443 under “Relevant Standards” but it does not mention the ISO 27000 family of standards. This effectively reinforces the status of IEC 62443 as THE standard for the security of industrial control systems.

Dedicated rather than deviation

Managing the security of your control systems as an extension of your IT security procedures will almost certainly lead to problems. At best this will result in deviations from your IT policy and at worst will result in mismanagement of the security of your industrial control assets. There are key differences between the security management of IT assets and the security management of OT assets, and surely your control systems are too important to be managed as just a deviation from IT policy? Indeed, in the modern connected enterprise where your industrial systems are networked to your business systems (which they almost certainly are) and your business systems are Internet facing (again very likely) then your business systems should be regarded as a potential source of threat to the integrity, safety and security of your control systems. That threat should be appropriately managed.

Read our other articles on cyber security here.

This article was originally featured on ITproportal.com

Apr 18, 2024

Oil & Gas Operations and Decision-Making in the Cloud Era

Recently, KBC launched the Acuity Industrial Cloud Suite, consolidating its simulation software solutions. It aligns with KBC's portfolio to address challenges in energy transition, process optimization, value chain optimization, and asset management. For insights, we interviewed Rolando Gabarron, a senior consultant in product management.

Apr 2, 2024

Behind the scenes of Pioneers: Pursuing objectives while also focusing on personal growth with Esmeralda Roxas

In the dynamic landscape of professional careers, the journey of growth and adaptation of Esmeralda Roxas at Yokogawa stands out. From her humble beginnings in system sales engineering for upstream oil and gas to her current role in network security, her trajectory is a testament to resilience, proactivity, and a thirst for knowledge.

Dec 21, 2023

The Necessity of Converged IT/OT SOC in Strengthening Cybersecurity for Today's Industrial Landscape

In the rapidly advancing technological landscape, industrial organizations face escalating cyber threats. To fortify cybersecurity, embracing a Converged IT/OT SOC is imperative. Yokogawa's cloud-based IT/OT SOC service provides a holistic defense, offering integrated visibility, proactive measures, and real-time monitoring. As cyber threats evolve, businesses can stay ahead with Yokogawa, safeguarding operations effectively in the cybersecurity race.

Dec 19, 2023

Yokogawa Recognised as a ‘Leader’ in Verdantix Green Quadrant for Process Safety Software 2023

Yokogawa has been acknowledged as a key software platform provider in the Green Quadrant report published by Verdantix and achieved the title of a 'Leader' in Process Safety Management. This recognition stands as a great achievement for Yokogawa, showcasing excellent performance in areas such as Control of Work, Mobile, Platform Interoperability, Integration, and Sustainability, including ESG considerations, among other notable areas.

Dec 18, 2023

Behind the scenes of Pioneers: Mahalakshmi R, Deputy Head, Yokogawa India Service: A Trailblazer in Leadership and Career Success at Yokogawa

In a recent interview, Mahalakshmi, Deputy Head at Yokogawa India Service, revealed her remarkable 28-year journey with the company. A leader in training and customer service, she has driven innovative projects and fostered a culture of success. Let's explore the key elements that have defined her leadership and career at Yokogawa.

Nov 30, 2023

Optimizing Energy Efficiency for Industrial Enterprise Buildings & Offices

Explore Yokogawa's EEMS revolutionizing energy efficiency in industrial buildings, recognizing their substantial impact on global energy consumption and CO2 emissions. This blog delves into EEMS's digital prowess for optimizing energy dynamics through real-time monitoring and a centralized platform. Uncover insights into smart meters, sensors, and communication protocol challenges and solutions.

Oct 2, 2023

Enhancing Energy Security Unveils the Power of Convergence and Yokogawa's Cybersecurity Program

In an age of looming cyber threats, the energy sector's vulnerability is glaring. Embracing IT-OT convergence is vital to combat these risks. Explore the benefits, challenges, and the pivotal role of Yokogawa's cybersecurity program in safeguarding energy systems against cyber threats. Discover more in our enlightening infographic, here: Access the infographic. Convergence merges security aspects for a unified defense, yet poses new risks. The Colonial Pipeline incident highlighted the cascading impact of IT breaches on OT systems. Yokogawa's comprehensive cybersecurity program addresses these challenges, offering tailored solutions, risk assessment, layered defense, monitoring, and employee education. Join us in fortifying cybersecurity posture.

Digital Solutions Blog

Industrial Cyber Security – Securing Operational Technology 101

OT vs IT

Setting the standards for security

Dedicated rather than deviation

Looking for more information？

Yokogawa Digital Solutions

Contact us