For cybersecurity, “Operational technology is different,” says Daniel Lewis, CEO, Awen Collective. The company focuses on reducing the cost of cyber threats to critical infrastructure and manufacturing. It seems there is something of a dichotomy. Within a critical infrastructure system, the IT cyber security procedures can be pretty good. But operation technology, which can consist of multiple devices which are connected, are not so secure. This is why Awen Collective focuses on the automation of industrial control systems security.
Let’s start with an example and move on to some regulation.
The example is the Norsk Hydro cyber attack. It was back in March 2019, when the Norwegian aluminium supplier was subject to a ransomware attack. This caused an entire system shut down and the workforce had to go back to doing things manually. It took several months to get back to 100% capacity at a cost of 45 million euros and counting.
Operational technology is a quite different
But that was an aluminium plant — suppose an organisation that supplies water or electricity is subjected to the same kind of attack — the consequences for the affected population could be disastrous.
And that takes us to the regulation — NIS directive. This is an EU directive that came into force at about the same time as GDPR, and which requires critical national infrastructure services across the entire EU, for critical infrastructure organisations to apply a certain minimal level of cyber security that they should have embedded throughout their organisations.
Is cyber security automation a viable solution?
In other words, for critical infrastructure and operations technology, automation in industrial control systems security could be critical.
The challenge here is the pressure on critical infrastructure organisations to provide continuous service. Traditional digital forensics might take weeks and to be effective needs the system to be shut down.
The importance of third-party validation for cyber solutions
“Key digital forensic data is typically at a very low level. They don’t store data for a particularly long period of time, they don’t have a history capture. And so it’s very important to be able to preserve that data as much as you can and extract as fast as you can.
“The temptation, of course, is always to unplug everything, stop building things back up and bring things back online. If you do, you’ll lose that information.”
Jules Farrow: Because of industry 4.0, there are new technologies coming into the OT environment, which are providing huge amounts of efficiency, and visibility into production processes, creating cost savings, that are potentially enormous. There has been strong focus on these technologies at the board level of these large organisations. But the cyber security aspect hasn’t really been thought about.
Jules Farrow, CTO of Awen Collective and a former Head of IT for cyber-security company Darktrace, explained further:
“In critical infrastructure IT systems, are usually well looked after, well configured. Operational technologies, on the other hand, are a lot more distributed. They were set up by engineers rather than IT technicians and IT engineers. And they are made to ensure continuous supply.
“Traditionally, there has been a big separation between those two environments, the IT network, might be quite well serviced both by having a strong cyber security team internally, but also because of the huge wealth of products out on the market to help cyber security on the network.
“Then there’s your OT network on the other side. Because of industry 4.0, there are new technologies coming into the OT environment, which are providing huge amounts of efficiency, and visibility into production processes, creating cost savings, that are potentially enormous. There has been strong focus on these technologies at the board level of these large organisations. But the cyber security aspect hasn’t really been thought about.”
Simulation software: protecting your organisation during a sustained period of cyber war
So, what’s the answer? How can automation in industrial control systems security be provided?
Awen itself has two products:
* In the UK, NCSC, which is GCHQ’s public facing arm, has produced a cyber assessment framework based on the NIS directive. Awen Collective has produced an interactive tool that organisations can use to help them understand where they’re at, collaborate with their colleagues, and make it a lot easier for them to go through the compliance process.
* They have also created an automated asset and risk discovery tool, called DOT. This allows organisations to go into an OT environment and ‘listen’ to the network traffic within.
Farrow explained further:
“The impression that we have so far is that cyber is not really entering into the conversation as it should be. And the temptation obviously will be to rip the offending device off the wall, popping a new one up, hoping for the best. They need to be back up and running immediately.
“And the regulators are on top of critical infrastructure organisations on any downtime.
“So, by having this data it should help inform those plans and processes to ensure that cyber is part of our organisation.”