Amazon Web Services, the first true cloud service provider, started in 2005. The auction of the radio frequencies for 4G telephony, enabling fast data services in the Netherlands, happened in 2012. Now, these technologies are fully established. We can not only exchange administrative information, but machines can also control and communicate with each other, moving containers from the ship to the trucks. All fully automated. This offers unprecedented benefits, not only in terms of cost and scale but also in new opportunities.
Operational Technology (OT) environments, such as factories, power plants, refineries, and container terminals, are often not designed with these new technologies and capabilities in mind. Applying new technologies and means of communication within OT environments exposes them to all the vulnerabilities associated with these technologies. Any connection to a partner or service is additional exposure to the outside world, which the equipment and software in factories and installations are not designed to handle. Factory facilities and production processes are not designed, or are unable, to stop, start and change frequently. The relatively long life cycle of equipment and control software, and the pace of their maintenance and changes, together make an OT environment significantly different from an IT environment.
Still, the benefits of new technology and its opportunities beckon. To take advantage of these new opportunities with confidence, the security measures associated with these technologies need to take the traditional properties of such an OT environment into account.
Cybersecurity is often seen as an unwieldy double-edged sword. It reduces the risks for your organization but also limits the possibilities to quickly implement new technologies or respond to new opportunities. Cybersecurity should serve the organization: ensure that opportunities are utilized and that technology can be adopted from a position of trust. A good program that safeguards cybersecurity within the OT environment makes this possible.
Define the systems
Implementing cybersecurity in industrial environments is slightly different than usual. As with so many processes, it starts with mapping what needs to be protected. This includes not only equipment and processes but also the partners, applications, systems, and organizations which connect to the environment. This information is not only useful for securing a factory, but also for (better) integration of production processes with the administrative business processes, necessary for Industry 4.0 applications. Based on this information and the strategy of the organization, a roadmap and the reference architecture are drawn up. The roadmap describes which measures must be implemented in which order. The reference architecture describes a system of building blocks and rules, procedures, standards, and guidelines that help to determine per object what needs to be done. This architecture and roadmap contain not only the protective measures, but also the reasons why a specific measure is applied or not. This allows regular architecture review and updates to the roadmap. This roadmap and reference architecture guide the security of the installation so that new technology or new integrations can be realized with confidence. This way the organization stays away from cybersecurity dogmas and the associated risks, and can also exploit the opportunities for the organization.
All this together forms the Define step: now we know what to protect and how to protect it.
Protect the systems
Cybersecurity projects within an OT environment require a special combination of experience, knowledge, and expertise. The project team should be capable of meeting the specific requirements of the OT environment to be protected, often in combination with requirements from the central IT environment, which makes for an interesting mix. Existing maintenance and support processes must continue. Besides, physical, logical, or organizational restrictions must be anticipated during the project. When all these competencies are addressed properly, cybersecurity measures and new technologies can be successfully implemented.
This combination of project experience, skills, and knowledge forms the basis for the Protect step. Now we can protect and change the OT environment.
Defend the systems
The OT environment, with all its cybersecurity measures, must be managed and monitored. Monitoring of the security controls ensures timely identification, analysis, and resolution of security incidents. Resolving these incidents requires not just knowledge of cybersecurity itself, but also knowledge of, and insight into, the production processes and the installations. Maintenance and engineering departments at the local site and centralized IT departments often do not have the right combination of knowledge, skills, and insights or do not consider themselves competent enough.
By selecting and implementing the right tooling, the right training, and perhaps some organizational change or external services, the management and monitoring of these secured OT environments can be deployed.
This forms the Monitor step, enabling the adoption of new technologies and addressing new opportunities with confidence.
Capgemini has the right combination of knowledge and experience to go through all these steps together with its clients. With the largest cybersecurity unit of the Netherlands (170 FTE), experience in a lot of industries and the recent acquisition of Altran, Capgemini has everything it takes to help clients complete the entire OT cybersecurity process, from start to finish, and to help manage the secured OT environment.
Disclaimer: This blog is a translation of the article published by the author in the Europoort Kringen magazine, August 2020.
Head of OT cybersecurity in Netherlands
IT infrastructure architect with experience in educational institutions and industry.
Focus on datacenter architectures and their interactions with business goals. Holistic view on storage, processing and IO.