Protecting your estate: securing your operational technology
Protecting your estate: securing your operational technology
Operational technology is at the heart of defence activities, from equipment and munitions manufacturing to fuel delivery and building management. Suzanne Wharton describes some of the work AtkinsRéalis’ has delivered to UK defence suppliers, helping the organisations understand and address their systems’ vulnerabilities, and improving their security posture.
While many organisations’ have strong cybersecurity processes and activities in place to protect their information technology systems, there is often a lack of maturity in the security awareness and culture surrounding companies’ operational technology (OT). Organisational siloes may mean the way the operational/production side works differs from the information technology side, and is not shared across different departments. This results in there being a gap in understanding at board level. Add to this competing stakeholder requirements – with the needs of operational production vying with those of security controls, plus ageing, legacy and obsolete systems which can’t easily be secured, and it can be a real challenge to achieve improvements in industrial control systems’ security.
But the potential outcomes of cyber attacks on operational systems in defence could be extremely damaging. From lengthy shutdowns, to intellectual property risks, to safety problems – by affecting a business’s operations, attackers can have a serious impact. A recent US study on the state of OT security found that of the ~2,000 industry respondents, nearly 70% had experienced cyberattacks during the past year, and one in four said they had to shut down their operations temporarily due to a cyber attack.[1]
To protect its operational systems against these risks, our clients have sought to assess the security of their OT estates, to ensure they comply with UK and US regulations, internal standards, external safety requirements and customer needs. Our AtkinsRéalis experts deliver the security assessments they need to identify the estate and their risks, and then support the activities required to remediate their vulnerabilities.
Understanding the problem, developing the solution
For one defence client, our first step was to assess the security of the systems within the project’s scope. In some areas, the client was able to provide detailed information relatively quickly, but in other areas that level of detail was lacking, or was held by third parties and difficult to obtain. This is a common theme for OT, and something we see frequently across other sectors as well as defence. Using client-provided templated documents, we visited a range of sites identifying, collecting and documenting information relating to assets within the project’s scope and their security.
We used this information, along with feedback from discussions with key stakeholders, to produce an asset register, simple network diagram, solution design document, and risk identification document, as well as a gap analysis showing where systems didn’t align with the controls specified in NIST-800-82 Rev.3. Several security concerns were identified that had not been discovered during the client’s initial review, including issues with security in the supply chain and boundary control issues.
Once we had gained an understanding of the vulnerabilities, in collaboration with the client’s team including the design authority, security, and control engineers, we supported the remediation activities needed to mitigate the identified shortcomings. By giving the client visibility of the security posture of its OT estate for the first time, it was able to understand the business risks associated with the security needs identified in these areas. The additional guidance we offered to support it in remediating these shortcomings, gave management the information needed to secure buy-in and, perhaps more importantly, funding for the required work.
A single source of security truth
In developing the internal governance documents, we ensured the client’s OT systems would be in line with both industry best practice and NIST SP-800-82 wherever possible, or with the client’s own internal security standards. Where this was not possible, this was clearly articulated to ensure the associated risks were appropriately managed. Delivering this full and thorough suite of documentation, covering security risk assessments and solution design, provided the client with a single authoritative source for all security-related information relating to its OT estate.
Created to meet the client’s own internal standards, which were developed to align with NIST SP-800 controls, the new solution will be able to be understood and maintained effectively by in-house teams. This will support ongoing operation and maintenance, benefitting reliability, as well as any future modification of the OT systems. It will also provide ready-made guidance on security measures when new systems are bought by the client. In assuring the cybersecurity of its OT estate, we helped the client protecting its operations, and keep its operational technology heart beating.
Upcoming Cyber Security events
Cyber Security updates
Sign-up to get the latest updates and opportunities from our Cyber Security programme.
Authors
