The message from Cisco’s panel of experts was clear; while Norwegian industrial companies have become good at securing their IT systems against intruders, many lag behind when it comes to protecting the systems that control production and processes. (OT systems). The potential for damage is great if unauthorized persons gain access to these systems.
Representatives of the business community in Agder packed the auditorium of Noroff in Kristiansand on Wednesday 15. February, where the Cyber Security Forum had invited to a discussion on security around OT systems. Partners in the forum are GCE NODE, Eyde and Digin, in collaboration with Noroff, Maritimt Forum Sør and NFEA.
Frank Tuhus, system architect for OT systems at Cisco, says that businesses have now seriously begun to realize how vulnerable they are to cyber criminals. Cyber security has become a hot topic, and for good reason.
“It is no coincidence that The Norwegian Police Security Service (PST) in its most recent National threat assessment, ranks attacks on computer network operations and digital sabotage as a high risk. While we have come a long way safeguarding IT systems, we need to implement stronger measures to protect our OT systems, says Tuhus.
GROWING FLOW OF DATA
Merete Asak, CTO in Cisco Norway, shared experiences from her time as security manager for OT on a large oil installation in the North Sea.
“I came from the IT industry and saw a huge skills gap in the understanding of how exposed the production systems were.. When we build integrated operations, or operations from shore, connections are made from these locations into the production systems on the platform. When we implement these kinds of solutions the security walls around OT needs to be at a whole different level. ” said Asak.
Mads Lindback, OT industry sales specialist at Cisco, explained why the industry is becoming more and more vulnerable to cyber criminals. A few years ago the OT systems lived their own lives, isolated from the Internet. Today they are likely to be connected to the web and cloud-based services.
“It is all about the implementation of Industry 4.0. Production processes are automated and remotely controlled, in order to increase efficiency and reduce costs. Sensors monitor machines and send data streams to control units. Data from the process is synchronized with data from administrative systems, which are in turn connected to the web. As the OT systems in many cases share their data freely and in good faith, companies are becoming more and more vulnerable to hacking, said Lindback.
TWO CULTURES
To move forward, the IT culture needs to merge with the OT culture in Norwegian business, according to Cisco.
“Traditionally, the IT and OT environments have been separate, with little information exchange. The IT people don’t think that the OT people know anything about best practice in data security, while the OT people think that the IT people don’t know anything about engineering and production.” We must unite these communities and build mutual trust and understanding,” said Lindback.
Frank Tuhus said that the time is over when the OT network could protect itself by closing the door to the outside world. Digitalisation, automation and optimization of production processes require access to the Internet and cloud solutions.
“This presents security challenges that we must take seriously. First, you must map your own network connections and applications. You can’t protect something you don’t know you have. Secondly, it is about uncovering vulnerabilities in the system. Which applications have contact with which functions? A PLC (programmable logic controller) that controls a valve on an oil platform, should not have a direct connection to the Internet,” said Tuhus.
The solution is a security architecture where layers upon layers of security, with segmentation, firewalls and and Access Control protocols are built. Data to be shared on the Internet must be sent from the highest possible level in the data hierarchy, so that IP addresses in the OT system are protected. Also, built-in monitoring features are needed.
“By making sure that the security architecture contains functions for deep packet inspection and cyber vision sensors, unauthorized access and anomalies in data traffic will be detected, and damage averted, said Tuhus.
