“A cyber-related industrial 9/11 is not science fiction,” Leon Panetta, former US Secretary of Defense, said a few years ago. The original Siberian pipeline ‘logic bomb’ explosion of 1982, the centrifuges destroyed in Iran by Stuxnet in 2010 and a blast furnace shutdown failure at a German steel mill earlier this year are all evidence of the increasing vulnerability of the operational technology (OT) environment to attack, whether from external sources such as terrorists or foreign governments, or even internal sources like rogue employees.
OT is generally referred to as the hardware and software systems that monitor and control physical devices and processes in industrial manufacturing and critical infrastructure, including facilities that produce and manufacture energy.
OT security challenge
“In the OT environment the assumption has historically been ‘security by obscurity’ with the use of proprietary protocols and systems, but the attacks which have already happened have proven this is no longer the case,” Shmulik Aran, CEO of US and Israeli cybersecurity company NextNine, told Engerati in an exclusive interview. “On the ‘dark internet’ viruses such as Stuxnet can be readily purchased and thus there are real risks with potentially disastrous results.”
Mr Aran says in recent years there has been a growing realization of the risks but many companies have been slow to take action to protect their OT environments. At national levels, there have been increasing regulations and guidelines, such as the NERC CIP requirements for critical energy infrastructure in the US, the Cybersecurity Frameworks of the US and Qatar, Cyber Essentials in the UK, and more. At the company level, there has also been growing appreciation of the fiduciary responsibility to protect against cyber attacks.
“These two waves have now started to generate a lot of actual purchasing and implementation activity around cyber protection in the energy sector with the challenge that there are not many appropriate technological solutions available. One can’t simply take IT security solutions and copy and paste them to the OT world,” he says.
OT security solutions
Mr Aran says that a key requirement from an OT cybersecurity solution – applicable to the energy sector but also any other sectors with industrial or manufacturing processes, such as oil and gas, chemicals, mining, etc. – is that it should be able to operate at multi-site environments with centralized security management. He further explains that OT cybersecurity solutions must support incumbent proprietary systems, secure access for third parties connecting remotely and the ability to comply with government regulations and corporate policies. All this and more need to happen without interrupting operational production.
While there are various challenges to overcome, including the generally siloed approach between OT and IT, the good news is that a growing number of solutions are available. Mr Aran estimates that there are more than 25 worldwide – mostly small companies - each focusing on different aspects of OT.
NextNine’s focus is on the management of OT cyber security, which Mr Aran says runs from defining a security policy, based on any local national and governance requirements, to implementing the policy and measuring compliance, quickly increasing the cyber-hardening of the OT environment.
“A dashboard measures the level of hardening of the system at a device, sub-network or location and how compliant these are with the policy,” he says. “It works in a circular form with the corporate office using this data to refine the policy and then the refinements can be implemented and measured, and so on.”
Other major functionalities of NextNine’s solution – which is vendor agnostic – include granular and secure remote access, file transfers, log collection, backup/restore, anti-virus signatures, Windows and product patching and white- and blacklisting.
“The NextNine software automates and streamlines the cybersecurity working procedures of an organization. It is a non-intrusive solution with a server per each remote location and a central security centre. In fact, NextNine is one of only few companies offering such an OT security management solution. We already have 6,000 installations and established channel relationships with the largest vendors, system integrators and industrial MSSPs, including Cisco, ABB, Schneider Electric, Rockwell, Honeywell, Yokogawa, BAE and Accenture.”
An OT security management case study
As an example of an implementation of NextNine’s OT Security Management solution, Mr Aran cites a large global oil and gas company implementation that extends to several hundred locations across the globe. As a result of CEO level action, this tier-one global company decided to increase both the hardening of its OT environment as well as the enterprise visibility of the hardening status.
“We are replacing an old homegrown security solution with a secure remote access solution, working with Cisco and Yokogawa as the system integrators,” he says, noting that thousands of ICS systems on several continents have been connected, inventoried and hardened over the two years the project has been running to date.
“We started with a full asset inventory to establish what equipment is there, which in itself isn’t a trivial task. There are many proprietary systems running on top of Windows systems which should be patched only with the vendor certified patches and anti-virus signatures, to avoid risking production availability for hardening.”
For compliance management and reporting a dashboard colour scheme has been introduced, with Green marking well hardened systems, Yellow a system with some issues and Red a system that needs attention. For each system it is possible to drill down on the dashboard to indicate actions that can be taken to improve the hardening and thus the dashboard system colour.
“The implementation was named as one of the most successful software implementations in the history of that enterprise and it is bringing significant cost savings compared to their original system with improved cyber security compliance and hardening.”
Cost savings with centralized security
As an indication of the potential cost savings possible, Mr Aran quotes findings of a study by Accenture on a mid-size oil and gas company with 30 plants and 52 fields, which introduced manual system hardening over two years at a cost of US$28 million. The study found NextNine’s solution could have been be implemented at about half the cost in a third of the time and with a greater degree of in-built automation, for keeping the hardening level in the ever changing industrial environment.
“The energy industry has acknowledged the cybersecurity risk and has to stand up to the hardening compliance and regulation challenge and finally there is a timely and cost effective solution to enable it,” concludes Mr Aran.
NextNine will be exhibiting at European Utility Week 2015 at the Israel Pavilion (A.d23). NextNine will be meeting with CIOs and CISOs of utilities companies as well as system integrators and consulting firms that provide cyber-security solutions for this market, looking to better protect their process control and automation and better comply with their governments and corporate IT policies.