The frequency and sophistication of cyber threats have increased consistently every year. The impact on cybersecurity in every industry is significant, and this is evident from the well-publicized attacks on operational technology (OT), especially on industrial control systems (ICS). During the last 18 months we have seen well-publicized ransomware attacks in the food manufacturing, oil and gas, and water utility industries.
The mandate from almost every board is to do more with less. As cybersecurity professionals we cannot “do it all”, but we must choose wisely where our focus goes. New approaches to cybersecurity in OT environments are often avoided for fear of additional overhead and of having to rebuild legacy infrastructure.
It is well known that OT systems are built to be resilient by design. This means that a hierarchy of engineering controls has been designed and implemented to mitigate any hazards that may affect the availability or the safe operating parameters of the OT system, especially where damage to long-lead-time equipment would result in a production, generation, transformation or distribution outage.
A common internal challenge I often see is the difference in opinion between engineering, information technology (IT) and cybersecurity teams on the importance of, and approach to, cybersecurity in OT environments. Each discipline brings a unique insight to the situation; instead of being a hurdle to progress, that difference must be used as an accelerator.
The key question is, how can an organization achieve this?
There are different methods to achieve this, and one approach is the “fairly” new concept of CCE (Consequence-driven, Cyber-informed Engineering)[1]. The model turns the traditional method of designing and operating controls on the basis of an OT cybersecurity risk assessment (where risk is the combination of threat, vulnerability and consequence) upside down. It uniquely focuses on preventing consequences without guesstimating the likelihood of a threat materializing.
1. Identify and prioritize high-consequence events
The first step is to understand, identify and prioritize the high-consequence events that could significantly harm your organization or its operating assets. A high-consequence event is one that disrupts a key function or process integral to keeping your organization operating every day. Generally, these are events that have already been evaluated and considered within business continuity plans or crisis management plans.
2. Understand your critical systems
The second step is to understand and prioritize the systems (also known as “crown jewels”) your organization or operating asset depends on to achieve its purpose. We are all familiar with the concept that “if you do not know what you have, you cannot protect it”. Asset visibility is key, but for OT you also need a very good understanding of how the OT system functions and what its dependencies are on other systems, individual components and processes.
Now the most interesting part starts: with the identified high-consequence events that would harm the organization or operating asset, along with the crown jewels and their various dependencies. This is where the different disciplines come together to bring their unique views, skills and experiences to the table. The focus here is to place the team in the shoes of an adversary (the assumption is that you are dealing with a very skilled and well-versed adversary with in-depth knowledge across engineering, IT and cybersecurity) and challenge them on how they would go about achieving each of the high-consequence events.
3. Think like an adversary
The third step is for the team to identify all the possible attack vectors that could be used to bring about the identified high-consequence events. The team must see vulnerabilities not as a hygiene problem that requires fixing, but as an opportunity for an adversary to create an unwanted high-consequence event.
4. Eliminate and protect
Now that the attack vectors have been identified, the fourth step is the process of elimination. The team needs to identify the key choke points where an attack vector can be halted and vulnerabilities can be eliminated using engineering, IT and cybersecurity controls. The primary focus should be to eliminate, then protect, followed by detect, respond and recover, which is very similar to the hierarchy of engineering controls[2]. Cyber hygiene practices then become part of a defense-in-depth strategy rather than a reactive and unachievable maintenance process.
With one of EY's clients, EY teams successfully used this approach to bring the various disciplines - engineering, IT and cybersecurity - together to work as one, identifying the key areas where an adversary can be stopped before real high-consequence events materialize. EY professionals helped implement a unified defense-in-depth strategy and established strong collaboration between disciplines that historically did not see eye to eye on the approach to safeguarding the organization or operating asset.