Combating Cybersecurity Risks - Common Challenges and Impacts in an OT/IACS environment in the Energy and Power Industry

With the ever-increasing complexity in the Operational Technology (OT) / Industrial Automation and Control Systems (IACS) landscape, cybersecurity risks associated with OT/IACS are increasingly becoming significant, especially for sectors such as Energy and Power, which rely heavily on OT/IACS for their core business operations. The objective of this article is to examine the most prevalent challenges organisations face with regards to their OT/IACS environments, to analyse the potential impact of successful cyber-attacks on these systems, and to explore solutions to reduce these risks to an acceptable level while enhancing the overall cybersecurity posture of the OT/IACS environment.

Common cybersecurity challenges in OT/IACS environments across organisations

The primary function of OT/IACS is to control physical processes – many of these processes cannot be interrupted and they often rely on legacy technology with limited security features. This creates several inherent challenges in implementing robust cybersecurity measures in the OT/IACS environment. The most common cybersecurity challenge pertaining to OT/IACS globally, is the presence of out-of-support or end of life systems in the OT/IACS environment, where even patching known vulnerabilities can be challenging.

In addition to the above, through numerous OT/IACS cybersecurity assessments conducted across different organisations within the middle east as well as in other countries globally, we have come across multiple commonly seen critical challenges pertaining to OT/IACS cybersecurity which organisations often face:

Fragmented ownership:

• While organisations with higher cybersecurity maturity tend to have clearer definitions of roles and responsibilities, it is often seen that the responsibilities pertaining to OT/IACS cybersecurity are shared among stakeholders from various departments (i.e., IT, Operations, Process Control, Instrumentation, Cybersecurity, etc.) and multiple third parties (i.e., maintenance/service providers and product suppliers (OEM vendors)), making it difficult to establish clear accountability.
• Many organisations do not have well-defined and documented roles and responsibilities pertaining to OT/IACS cybersecurity, often resulting in unclear ownership across different components of the OT/IACS environment and increasing the chances of oversight and human errors.

Significant reliance on third parties (maintenance/service providers and product suppliers):

• Most organisations rely almost completely on third-party contractors and/or OEM vendors to operate, manage and troubleshoot their OT/IACS environments. While this is difficult to fully avoid for OT/IACS, it is often seen that organisations do not have well-defined cybersecurity requirements, clauses, roles, responsibilities, and accountability defined for vendors/contractors.
• There is a general assumption which OT/IACS stakeholders make – processes associated with leading OT/IACS vendors or contractors are “inherently secure” and do not require cybersecurity monitoring or oversight.

Lack of visibility over OT/IACS assets and the associated cyber-attack surface:

• Many organisations lack adequate visibility into their OT/IACS assets (i.e., systems and components) resulting in “not knowing” where the cyber risk exposures are – and ultimately not knowing what to protect.
• A common trend across organisations is the absence of well-defined asset inventory and vulnerability management processes, which further hinders proactive preventive efforts. For example, due to an incomplete or inadequate asset inventory, some critical assets or groups of assets are often missed out while implementing cybersecurity monitoring and control capabilities.

Insufficient segmentation and isolation:

• Ensuring sufficient segregation and isolation between various network levels (i.e., Enterprise Systems, Supervisory Control, Operations/Systems Management, Site Monitoring, Safety & Protection, Basic Control and Process Control), systems, and components is often challenging due to the legacy nature of these OT/IACS environments. Failure to adequately isolate critical systems and components across different network levels could facilitate lateral movement of the malicious actor and potentially gain unauthorised access to a critical system or component impacting the availability or the safety.

Insecure remote access:

• In some organisations, specially associated with power generation, establishing remote access to the OT/IACS environment is a commonly seen trend. Weak authentication mechanisms associated with remote access, such as the use of default passwords or lack of multi-factor authentication increases the risk of unauthorised access and malicious attacks.
• Uncontrolled and unmonitored remote access to OT/IACS can provide attackers with a pathway to gain unauthorised access and control. Furthermore, inadequate logging and auditing of remote access activities make it difficult to identify suspicious behaviour.

In addition to the above, there are several contributing factors towards OT/IACS cybersecurity risks and challenges:

• Lack of resources and expertise pertaining to OT/IACS cybersecurity often hinders timely action to address cybersecurity risks and vulnerabilities in the OT/IACS environment.
• Myths associated with OT/IACS cybersecurity – stakeholders often believe that segregating the OT/IACS environment from the internet sufficiently protects their systems from cyber-attacks. However, use of removable media or infected laptops are commonly exploited attack vectors for hackers.
• Limited understanding of the consequences of cyber-attacks in the OT/IACS environment – often, cybersecurity awareness trainings do not cover the implications of a cyber-attack on availability, safety, and security of OT/IACS, as well as associated people and processes. This often leads to complacency when it comes to OT/IACS cybersecurity, making stakeholders vulnerable and prone to human errors.
• Limitations pertaining to backup-restoration testing in the OT/IACS environment, such as absence of test systems and/or a robust restoration testing plan, often limit an organisation’s ability to test their recovery capabilities, resulting in several key dependencies and steps being overlooked.
• Lack of, or inadequate cybersecurity incident response planning and testing for the OT/IACS environment can delay response times and exacerbate the impact of cyber-attacks. Cybersecurity Incident Response Plans across organisations often lack OT/IACS elements.

Understanding the consequences of OT/IACS cyber attacks

Cyber-attacks on OT/IACS can have widespread consequences. Below are some key examples of OT/IACS cyber-attacks, some of which occurred because of the risks/challenges which were discussed in the previous section.

• Attack on gasoline and jet fuel pipeline in 20211: One of the most well-known cyber-attacks on OT/IACS infrastructure took place in 2021, when a major gasoline and jet fuel pipeline operator in US suffered a ransomware attack. The attack resulted in a 6-day outage of the pipeline operations, subsequently resulting in fuel shortages at airports as well as panic buying among consumers. It eventually ended with a payment of a large ransom amount. What caused this attack? A seemingly simple control gap - an exposed password for a VPN account.
• Attack on Petrochemical Company in 20172: A geopolitical motivated cyber-attack took place at a middle eastern petrochemical company, where the attackers used reconnaissance and lateral movement to specifically target Safety Instrumentation Systems (SIS) in the OT/IACS environment. Fortunately, the attack was averted, however, had the SIS controllers been compromised, the attackers could have manipulated the safe states of all the equipment or processes controlled by the SIS, potentially triggering an explosion.
• Attack on Ukrainian Power Grid in 20153: A Ukrainian Power Grid was attacked in December 2015 resulting in power outages for roughly 230,000 consumers in Ukraine for up to 6 hours. The cyber-attack was initiated through a phishing email, several months prior to triggering the outage. After careful intelligence gathering, the attackers utilised malware to remotely take control of the human-machine interface and switch off most of the switch gears. They further used custom-developed exploits to prevent the operator from regaining control by wiping out many disks and overwriting the Ethernet-to-Serial gateway firmware with random code, thus turning the devices into unrecoverable pieces of scrap.

The above examples are just a sample of some cyber-attacks which have happened in the past, however there are many more scenarios possible. Marsh Risk Engineering can provide clients with extensive support defining credible scenarios and consequences for a cyber-attack on an operating facility via the Marsh Cy-PHA (Cyber Process Hazard Analysis) Technical Method. The outcome of this process is to define an Estimated Maximum Loss (EML) and a Probable Maximum Loss (PML) event with a 1 in 10,000 and 1 in 100 year frequency respectively. Naturally these scenarios will vary greatly between specific energy and power technologies.

In the event of a cyber-attack, it is possible that all DCS based parameters could be manipulated whilst returning normal values to the operations team. However, it is not deemed possible to defeat physical safeguards (for example, safety valves or manually operated valves). It is likely that a cyber-attack would target a system which is simple to manipulate in a short time frame, to avoid detection and preventative action.

Depending on the technology, EML scenarios may be substantial, both in terms of Property Damage, but also with significant Business Interruption potential, due to either loss of access to control systems or equipment repair/re-build times. Potential scenarios could cover some of the following areas:

• Manipulation of fired heater control (whilst showing normal operation), creating a fuel rich environment and potentially extinguishing furnace flames, before maximising air flow rates, leading to a furnace explosion. There are many examples of this scenario occurring purely due to failures of the O2 analyser or tramp air ingress, deliberate manipulation would have a very high likelihood of success.
• Disabling overspeed protection on critical compressors and inputting a maximum speed signal leading to catastrophic failure of the compressor and an extended shutdown. Alternatively, manipulation of level control of compressor liquid knock-out pots, leading to liquid carry-over, compressor damage and extended shutdown.
• Initiating Emergency Shut Down (ESD) on a Fluid Catalytic Cracking unit and forcing open the slide valve to initiate a hydrocarbon and air mixture, creating a flammable environment and subsequent explosion. This type of scenario has happened on multiple occasions due to erosion and improper closure of these valves, so is certainly credible to replicate through a cyber-attack.
• Reduction of quench gas and increase of inlet temperature on highly reactive or exothermic reactors, leading to runaway reaction and vessel rupture with subsequent explosion.

These example events would all have potentially significant process and personal safety impact, as well as a likely large financial exposure through both Property Damage and Business Interruption. It is important to note that cyber attackers always try to find new ways to exploit vulnerabilities or to find weaknesses within an organisations’ OT/IACS environment – this makes it imperative for organisations to “think like an attacker” and establish a proactive and robust approach to counter such attacks.

Countering cyber-attacks in the OT/IACS environment

While each organisation’s unique operating environment and circumstances drive their efforts towards cybersecurity, a timely, planned, risk-based approach can help avert major cyber-triggered catastrophes. A question often asked is, “Where to begin?”. Considering the OT/IACS cybersecurity challenges which organisations commonly face, below is a summary of the key steps that should be considered to strengthen the cybersecurity posture of the OT/IACS environment:

• Identify your “crown jewel” processes – based on this, identify the assets that support these critical processes, and assess risks and consequences associated with them. Accordingly, and with reference to industry leading practices such as ISA/IEC 62443, define the cybersecurity requirements for these critical assets.
• Establish a complete and reliable asset inventory, assign criticality/security levels to different assets (in line with the step above), and accordingly design zones and conduits within the OT/IACS network. For example, a critical system such as a Safety Instrumentation System (SIS), should be adequately segregated from other systems to prevent the consequences of lateral movement.
• In line with the above, implement Purdue Model to segregate IT and OT/IACS networks, as well as different systems and components within the OT/IACS network. Furthermore, ensure “effective” segmentation, i.e., if a firewall is implemented, ensure that it is configured securely.
• Implement different layers of protection based on criticality/security levels defined (refer to the image below). For example, consider measures such as implementation of strong security baselines, industrial firewalls (if needed), application whitelisting etc. for critical assets.

• Develop an OT/IACS framework aligned with industry leading practices such as ISA/IEC 62443 and NIST, thereby setting the organisation’s OT/IACS cybersecurity baseline and compliance requirements covering the various domains of OT/IACS cybersecurity. The framework should also include clear roles and responsibilities (including a RASCI Matrix) pertaining to OT/IACS cybersecurity.
• Monitor your OT/IACS environment to analyse expected behaviour and document this as a baseline which ultimately allows you to identify “suspicious” behaviour when implementing continuous monitoring and logging capabilities.
• Prior to conducting a vulnerability assessment, always consult with your asset owner, maintenance/service providers and product suppliers (OEM vendors), since vulnerability scanner/tools could have an impact on availability of the OT/IACS assets resulting in severe consequences (business interruption, equipment damage, etc.). Decide on alternative strategies in case a vulnerability assessment using a tool is not possible (e.g., identify vulnerabilities associated with your OT/IACS assets manually using public sources, utilise threat intelligence for zero-day exploits and consult with your product suppliers).
• Ensure timely and adequate patching of systems to address vulnerabilities. However, wherever not feasible, explore other strategies such as implementing strong mitigating controls like system hardening, monitoring, and segmentation.
• Restrict remote access to OT/IACS environment. If remote access is necessary, ensure that necessary controls are in place such as unique credentials, multifactor authentication, session control, session monitoring/recording and logging, and time-bound access.
• Define clear cybersecurity requirements, roles and responsibilities for maintenance/service providers and product suppliers (OEM vendors) and include them as part of contracts and Service-Level Agreements (SLAs).
• Conduct regular (at least annual) OT/IACS cybersecurity awareness sessions for all stakeholders involved with OT/IACS and ensure risks and consequences of cyber-attacks in the OT/IACS environment are included as part of these sessions.
• Define and document an OT/IACS cybersecurity incident response plan, along with OT/IACS cybersecurity incident response playbooks. Also, conduct table-top exercises based on the OT/IACS incident response plan and playbooks developed to verify the cyber incident response and crisis management capabilities (annually).

In conclusion, it is important to note that strengthening the OT/IACS cybersecurity posture of an organisation is a journey, and not a quick fix. While it has similarities with IT cybersecurity, however, the approach can be much more time-consuming considering the complexities and constraints of the OT/IACS environment. It is critical to embark on this journey with appropriate planning, a robust strategy, and a clear roadmap.