Friday, August 12, 2022

Assessing OT and IIoT cybersecurity risk

This blog is co-authored by Ryan Dsouza, AWS and John Cusimano, Deloitte


Modern and forward-looking oil and gas, electrical generation and distribution, aviation, maritime, rail, utilities, and manufacturing companies who use Operational Technology (OT) to run their businesses are adopting the cloud in many forms as a result of their digital transformation initiatives. Data lakes, Internet of Things (IoT), edge technology, machine-to-machine communication, and machine learning (ML) are enablers for this industrial digital transformation. This is driving changes to the OT landscape, and as these environments continue to evolve, OT environments are leveraging more IT solutions to improve the productivity and efficiency of production operations.

Industrial customers often start their digital transformation journey by sending OT data to the cloud for analysis and analytics without sending commands back to the industrial automation and control system (IACS). This process is often called “open loop” operations, since there is one-way communication from edge to cloud. Customers generally find this relatively easy to secure and manage.

However, one of the goals of Industrial Internet of Things (IIoT) solutions is to optimize operations by generating an automatic or operator-initiated response in the factory or plant, based on insights gained from cloud analytics. This process is often referred to as “closed loop” operations with two-way communication between edge and cloud. The security and compliance practices for closed loop operations are more rigorous because closed loop operations manipulate OT devices remotely. Developing these practices should be rooted in a cyber risk assessment to help businesses understand and prioritize security concerns.

This convergence of IT and OT systems creates a mix of technologies that were designed to operate within hostile network environments with ones that were not, which creates the need for new risk management considerations. When taking advantage of IT technologies in OT environments, it’s important to conduct a cybersecurity risk assessment to fully understand and proactively manage risks, gaps, and vulnerabilities.

In the ten security golden rules for industrial IoT solutions, AWS provides recommendations including conducting a cyber-security risk assessment at the beginning of an IIoT digital transformation project and using it to inform system design. There is a well-defined and mature methodology that has been used in performing risk assessments on IT systems for decades called ‘Threat Modeling,’ which is further explained in an AWS Security Blog called How to approach threat modeling. In this post, we’ll help you apply this guidance specifically for an OT/IIoT use-case and audience as well as highlight the unique considerations in OT/IIoT environments.

Understanding cybersecurity risk

People often struggle with the term risk and what it means in the context of cybersecurity. Risk is typically defined as a function of probability and impact, where the probability is the likelihood of an event occurring, and the impact is a measure of the extent of the adverse circumstance (i.e., the consequence). The common formulaic way of expressing this is:

Risk = Likelihood x Impact

In the field of information security risk management, the likelihood component in the above formula is broken down into its core elements: threats and vulnerabilities. The common formulaic way of expressing this is:

Cybersecurity Risk = Threats x Vulnerabilities x Impact

A good reference to learn more about cyber risk is the National Institute of Standards and Technology (NIST) cyber security framework, which follows a risk-based logic: “identify, protect, detect, respond, recover.” The NIST framework refers to the many common IT and OT security standards, such as ISO/IEC 27000, COBIT, ISA/IEC 62443. NIST states that, “Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”

7-step approach to assessing OT and IIoT cybersecurity risk

There are several standards, best practices, and methodologies, such as ISA/IEC 62443, Cyber PHA, NIST, etc. that provide guidance on conducting cybersecurity risk assessments for IACSs. Most of them are generally in agreement with one another about the key points, so we have summarized the guidance from these sources into a 7-step approach that aligns with “what are we working on,” “what could go wrong,” and “what are we going to do about it,” as follows:

  1. Define the system being assessed
  2. Identify consequences of unintended access or behavior
  3. Enumerate known vulnerabilities
  4. Identify threats
  5. Estimate likelihood
  6. Rank the discovered risks
  7. Develop a risk mitigation strategy

Let’s talk through each of these steps briefly.

Step 1 – Define the system being assessed

This step aligns with “what are we working on.” Clearly documenting and defining the OT and IIoT system being assessed is a critical first step. It involves creating diagrams that describe both the logical and physical connectivity that cover the entire application from sensors to cloud and everything in-between. Best practice from ISA/IEC 62443 standards is to partition the system into security zones and conduits. As per ISA/IEC 62443-3-2, Security Risk Assessment for System Design, a key step in the risk assessment process is to determine the scope of the risk assessment by partitioning the System Under Consideration (SUC) into separate Zones and Conduits. The intent is to identify those assets which share common security characteristics in order to establish a set of common security requirements that reduce cybersecurity risk. Partitioning the SUC into Zones and Conduits can also reduce overall risk by limiting the impact of a cyber incident. Part 3-2 requires or recommends that some assets are appropriately partitioned as follows:

  • Isolate business and control system assets
  • Isolate temporarily connected devices
  • Isolate wireless devices
  • Isolate safety-related devices
  • Isolate devices connected via external networks (example: Internet)

Defining the system also involves a functional description of system operations, an asset inventory, dataflows, and other information required for the assessment team to understand ‘normal’ operations.
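One way to check an asset inventory against the five partitioning items listed above, as an added example that is not from AWS, Deloitte, or the ISA/IEC 62443-3-2 text. The inventory, zone names, and attribute keys are constructed, and the rule that each listed class should not share a zone with other assets is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample inventory: asset names, zone names and attribute keys
# are hypothetical and exist only for this illustration.
ASSETS = [
    {"name": "plc-01", "zone": "control", "kind": "control"},
    {"name": "hmi-01", "zone": "control", "kind": "control"},
    {"name": "erp-app", "zone": "control", "kind": "business"},
    {"name": "sis-01", "zone": "safety", "kind": "safety"},
    {"name": "vib-sensor", "zone": "control", "kind": "control", "wireless": True},
    {"name": "vendor-laptop", "zone": "maintenance", "kind": "control", "temporary": True},
    {"name": "iiot-gateway", "zone": "dmz", "kind": "control", "external": True},
]

# One predicate per partitioning item in the list above. Assumption: an asset
# in one of these classes should not share a zone with assets outside it.
ISOLATION_CLASSES = {
    "business": lambda a: a.get("kind") == "business",
    "temporarily connected": lambda a: a.get("temporary", False),
    "wireless": lambda a: a.get("wireless", False),
    "safety-related": lambda a: a.get("kind") == "safety",
    "externally connected": lambda a: a.get("external", False),
}


def partition_findings(assets):
    """Return (zone, class, members, others) for each zone that mixes assets
    of an isolation class with assets outside that class."""
    zones = defaultdict(list)
    for asset in assets:
        zones[asset["zone"]].append(asset)

    findings = []
    for zone, members in sorted(zones.items()):
        for label, in_class in ISOLATION_CLASSES.items():
            inside = sorted(a["name"] for a in members if in_class(a))
            outside = sorted(a["name"] for a in members if not in_class(a))
            if inside and outside:
                findings.append((zone, label, inside, outside))
    return findings


if __name__ == "__main__":
    for zone, label, inside, outside in partition_findings(ASSETS):
        print(f"zone '{zone}': {label} asset(s) {inside} share a zone with {outside}")
```

Each finding is a candidate for a new zone and a documented conduit between it and the zone it was split from.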

Figure 1: ISA/IEC 62443-3-2 Risk Assessment workflow (Courtesy of ISA)

The following example in Figure 2 shows the zones and conduits in a Data Flow Diagram (DFD) with different components in an IIoT system, with Zone boundaries between IIoT device, IIoT Gateway, and Cloud, and Trust Zones between different cloud services. For example, in AWS, customers can use multiple AWS accounts and AWS Virtual Private Cloud (Amazon VPC) to launch AWS resources in a logically isolated manner.

Figure 2: Example of zones and conduits in IACS with IIoT systems

Step 2 – Identify consequences of unintended access or behavior

The next step is considering what could go wrong if the IACS and IIoT system were to be accessed inappropriately. The access could result in one or more of the following consequences:

a) unauthorized access, theft, or misuse of confidential information

b) publication of information to unauthorized destinations

c) loss of integrity or reliability of process data and production information

d) loss of system availability

e) process upsets leading to compromised process functionality, inferior product quality, lost production capacity, compromised process safety, or environmental releases

f) equipment damage

g) personal injury

h) violation of legal and regulatory requirements

i) knock-on effects on critical systems at the local, regional, or national scale

j) threat to a nation’s security

While many of these consequences are possible for both IT and IACS systems, consequences e, f, g, and i are more likely with cyber-physical systems that can change the physical domain. This is the characteristic that distinguishes IACS and IIoT systems from IT systems and defines the scope of the SUC.

When performing this analysis, the team should evaluate and document the impact to process safety, reliability, and the environment in addition to evaluating the impact of data confidentiality, integrity, and availability (CIA) anywhere in the system, considering both data at rest and data in transit. Having defined security zones and conduits in Step 1 is useful because it allows the assessment team to compartmentalize the consequences by zone or conduit as shown in the example in Figure 2.

Step 3 – Enumerate known vulnerabilities

In this step, which aligns with “what could go wrong,” the assessment team evaluates and documents known cybersecurity vulnerabilities in the system. This information can be gathered in a number of ways, such as using vulnerability scanning tools and/or vulnerability research on the system components and their configuration. This doesn’t necessarily have to be an exhaustive list of every Common Vulnerabilities and Exposures (CVE) entry, but it should at least include classes of vulnerabilities that unauthorized users may be able to exploit. Again, having partitioned the system into zones and conduits is useful as the team can organize their vulnerability discovery and documentation efforts by zone and conduit.

Step 4 – Identify threats

In this step, which aligns with “what could go wrong,” the assessment team considers the credible threats (threat actors, threat sources, threat types) that could attempt to exploit the vulnerabilities identified in Step 3 and uses a model like STRIDE to enumerate “what could go wrong” in each element of the DFD. One good source to reference is the MITRE ATT&CK® for Industrial Control Systems (ICS) framework, as MITRE provides broad guidance on describing the actions an adversary may take while operating within an ICS network. It highlights particular aspects of the specialized applications and protocols that ICS systems typically use, and that adversaries take advantage of, to interface with physical equipment. MITRE ATT&CK breaks down the lifecycle of a cyber incident using Tactics, where each Tactic describes a specific goal that an adversary may need to achieve using Techniques, which describe a specific method of achieving the related goal. For example, an unauthorized user may exploit a weakness in remote services (Technique) to gain initial access (Tactic) to the IIoT system. Using a combination of Tactics and Techniques can provide concrete guidance for an IIoT system threat modeling exercise.

Step 5 – Estimate likelihood

This step aligns with “what are we going to do about it.” When attempting to assess cybersecurity risk, many people have difficulty estimating likelihood. While it’s challenging, it can be estimated by decomposing likelihood into its core elements of threats and vulnerabilities and using semi-quantitative methods to define levels of likelihood. A high-quality reference for this step is the Factor Analysis of Information Risk (FAIR) framework published by the FAIR Institute. They have developed a model for understanding, analyzing, and quantifying cybersecurity and operational risk. The FAIR framework factors security risk into its components, making it easier to understand and more practical to assess.

Step 6 – Rank the discovered risks

In this step, which aligns with “what are we going to do about it,” threat scenarios are defined by describing how a threat can result in a consequence. Threat scenarios include threat actors, threat actions, and the vulnerabilities they could exploit to carry out the event. Once the scenario is defined, the risk can be scored and ranked based on the severity of the consequence and the likelihood of each threat. One good way to conduct this step is in a workshop setting where the assessment team walks through each zone and conduit and develops and analyzes credible threat scenarios. Ranking of the risks is typically guided by the use of a risk matrix, which is a matrix of likelihood on one axis and impact on the other. Risk matrices are typically developed by corporate risk management or health, safety, and environmental organizations.

Figure 3: Example Risk Matrix
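A sketch of Steps 5 and 6 together, as an added example that is not from AWS, Deloitte, or the FAIR model: likelihood is derived from threat and vulnerability levels, each scenario is placed on a likelihood-by-impact matrix, and the results are ranked. The 1-5 scales, the rating cut-offs, and every scenario are assumptions constructed for illustration.

```python
# Assumed 1-5 ordinal scales and rating cut-offs; a real assessment uses the
# organization's own risk matrix. All scenarios below are constructed samples.
SCENARIOS = [
    # (id, zone or conduit, threat level, vulnerability level, impact by category)
    ("S1", "conduit: gateway-cloud", 4, 2, {"confidentiality": 3, "production": 2}),
    ("S2", "zone: control", 3, 4, {"safety": 5, "production": 4}),
    ("S3", "zone: safety", 2, 1, {"safety": 5}),
    ("S4", "zone: IIoT device", 4, 4, {"integrity": 3}),
]

RATINGS = [(15, "critical"), (10, "high"), (5, "medium"), (1, "low")]


def likelihood(threat, vulnerability):
    """Decompose likelihood into threat x vulnerability (1-5 each) and band
    the 1-25 product back onto a 1-5 likelihood level."""
    for level in (threat, vulnerability):
        if not 1 <= level <= 5:
            raise ValueError("levels must be between 1 and 5")
    return 1 + (threat * vulnerability - 1) // 5


def score(scenario):
    """Place one scenario on the matrix: likelihood on one axis, worst-case
    impact across its consequence categories on the other."""
    sid, location, threat, vuln, impacts = scenario
    driver, impact = max(impacts.items(), key=lambda kv: kv[1])
    lik = likelihood(threat, vuln)
    cell = lik * impact
    rating = next(name for floor, name in RATINGS if cell >= floor)
    return {"id": sid, "location": location, "likelihood": lik,
            "impact": impact, "driver": driver, "score": cell, "rating": rating}


def rank(scenarios):
    """Highest score first; ties go to the scenario with the greater impact."""
    return sorted((score(s) for s in scenarios),
                  key=lambda r: (-r["score"], -r["impact"]))


if __name__ == "__main__":
    for r in rank(SCENARIOS):
        print(f'{r["id"]} {r["location"]:<24} L{r["likelihood"]} x I{r["impact"]}'
              f' ({r["driver"]}) = {r["score"]:>2} {r["rating"]}')
```

Recording the consequence category that drives each score keeps safety-driven scenarios visible even when their likelihood is low.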

Step 7 – Develop a risk mitigation strategy

This step aligns with “what are we going to do about it.” Once the risk assessment is completed and its results analyzed, a report should be produced documenting the risks to the organization as well as a plan to mitigate risks to a tolerable level, providing decision makers with a concise risk and remediation picture. This plan is often based on safety, financial contribution, or even brand protection, whichever matters most to the organization. An effective remediation plan includes a prioritized list of actions, budgetary estimates, schedules, and resource requirements. Typically, these plans include short-term projects to mitigate high and critical risks and long-term projects that may involve many resources, modernizing the OT environment with new equipment, and training.

Figure 4: Example Risk mitigation roadmap


In this blog post, we outlined specific activities that enable customers to understand and assess cyber risk when implementing IIoT solutions. It is a critical activity within OT/IT convergence risk management and helps to answer the questions: “What can go wrong?” “What is the likelihood that it could go wrong?” and “What are the consequences?” These activities help improve overall risk visibility and awareness and lay the foundation for building a secure-by-design IIoT solution. Deloitte and AWS are collaborating to help industrial companies effectively manage the risks coming from industrial digital transformation initiatives by offering IIoT cyber risk assessments. Learn more about Deloitte’s risk assessments and the Cyber PHA methodology here and AWS IIoT services.

To learn more about IoT security best practices, visit The Internet of Things on AWS – Official Blog.

About the authors

Ryan Dsouza is a Principal Solutions Architect for IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has more than 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, and OT/IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.

John Cusimano is an electrical & computer engineer and business leader with more than 30 years of experience in process control, functional safety, operational technology (OT) and industrial cybersecurity. He is a managing director within Deloitte & Touche LLP’s Cyber OT practice.

John has performed numerous industrial control system (ICS) cybersecurity vulnerability and risk assessments. He is a voting member of the ISA 99 cybersecurity standards committee. As part of that committee, he chaired the subcommittee that authored the ISA/IEC 62443-3-2:2020 standard, “IACS Security Risk Assessment & Design”. He was the developer and instructor of several industrial cybersecurity courses offered by Deloitte and ISA.

John is a Certified Functional Safety Expert (CFSE), a Certified Information Systems Security Professional (CISSP), Global Industrial Cyber Security Professional (GICSP), and ISA 62443 Expert.

This article contains general information only and Deloitte and AWS are not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte and AWS shall not be responsible for any loss sustained by any person who relies on this article. As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2022 Deloitte Development LLC. All rights reserved.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.


