Industrial Cybersecurity Pulse
  • SUBSCRIBE
  • Threats & Vulnerabilities
  • Strategies
  • IIoT & Cloud
  • Education
  • Networks
  • IT/OT
  • Facilities
  • Regulations
  • Threats & Vulnerabilities
  • Strategies
  • IIoT & Cloud
  • Education
  • Networks
  • IT/OT
  • Facilities
  • Regulations
  • Resources
  • Helpful Links
  • Editorial Calendar
  • Advertise
  • Contribute
  • Content Partners
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
SUBSCRIBE
  • Resources
  • Helpful Links
  • Editorial Calendar
  • Advertise
  • Contribute
Industrial Cybersecurity Pulse
Subscribe
Industrial Cybersecurity Pulse
  • Threats & Vulnerabilities
  • Strategies
  • IIoT & Cloud
  • Education
  • Networks
  • IT/OT
  • Facilities
  • Regulations
  • IT/OT

System integrators’ role in the OT cybersecurity crisis

  • Robert Fairfax
  • October 12, 2021
Courtesy: Chris Vavra, CFE Media and Technology
Courtesy: Chris Vavra, CFE Media and Technology
Total
1
Shares
0
1
0
0

Whether it’s the shift toward remote work or the growing importance of digital business, trends that have been around for years have only been accelerated by the COVID-19 pandemic. This holds true for the digital transformation, bringing operational efficiencies at the cost of increased cyber risk to our critical infrastructure we’re only beginning to see the true effects of. This shift has continued to blur the lines between information technology (IT) and operational yechnology (OT), further complicating the boundaries of the system integrator’s role.

The conventional role of the system integrator had been to design, build and support industrial control systems (ICS) through a process called the system development lifecycle. These ICS automate processes in sectors such as energy, manufacturing, transportation and building automation. Due to the demands of customers and the competitive nature of the industry, a system integrator’s focus when developing a project proposal has traditionally been on efficiency and the bottom-line impact of a system measured against its cost.

As conversations around the digital transformation have picked up, system integrators have seen this as an opportunity to improve the efficiency of their delivered systems, building out Industrial Internet of Things (IIoT) and data science capabilities found in IT-centric organizations than OT ones.

System integration has often been confined to the OT realm with a priority on efficiency and has comprised of project-focused engagements. While many integrators have started to build out cybersecurity capabilities & service offerings outside their core business units, it shouldn’t stop there. To properly address the worsening ICS cybersecurity crisis, system integrators will need to embrace the shift from project-focused engagements to ongoing service relationships, as well as fully embed ICS cybersecurity capabilities into the system development lifecycle for client-delivered systems.

IT/OT interconnection reducing cyber resilience

While IT/OT interconnection sounds like a reasonable trend towards industrial efficiency, an unintended consequence has been a widened OT attack surface. This has decreased the ICS’s cyber resiliency, or its ability to carry out industrial processes in the event of an adverse cyber incident such as a cyberattack.

The negative outcomes that can result from this interdependency between IT and OT systems have been realized in 2021. Two notable attacks were the Oldsmar Water Treatment Plant, which threatened to alter drinking water chemical composition, and the Colonial Pipeline attack, which cut off the major fuel supply to the US East Coast for several days.

This isn’t to say system integrators have missed this development. They haven’t. Most system integrators understand the cybersecurity implications of the OT systems they build. However, they face stiff competition within the industry and a system integrator that includes cybersecurity controls beyond a customer’s stated requirements risks submitting a bid that isn’t cost-competitive. Even though many system integrators understand the cybersecurity problem and can address it, this effect constitutes a strong headwind to delivering secure OT systems.

Courtesy: Chris Vavra, CFE Media and Technology
Courtesy: Chris Vavra, CFE Media and Technology

Four ways cybersecurity fits into the system development lifecycle

With growing OT market awareness of the risk to business operations that accompanies a poor cyber posture, System integrators have a tremendous opportunity to differentiate themselves by building out and touting their cybersecurity capabilities. A cyber-resilient ICS brings cost-savings through reductions in asset damage, human safety risk and legal liability, the internal and external personnel and technology costs of incident response and process restoration, as well as lost revenue due to unplanned downtime.

By stressing the cost savings of ICS cyber resiliency throughout the sales process and by integrating cybersecurity technologies into their delivered systems, system integrators can establish a sustainable competitive advantage over those who can’t or choose not to adapt to the evolving cybersecurity demands of the industry and the growing set of industrial cybersecurity regulations.

As mentioned, the system development lifecycle is the process by which system integrators gather requirements for, design, develop, and test the control systems they deliver to customers.

  1. Requirements: In the requirements stage, the client presents a set of system requirements which are refined through a collaborative and iterative process between the system integrator and the client. Systems are usually built to customer-given cybersecurity requirements, however often none are given. As the trusted technical partner this is a crucial stage to educate and set expectations with the client regarding the cyber risk they face, the technical mitigation capabilities the system integrator can implement, and how this benefit accrues to the client’s bottom line through greater system availability and cyber resiliency.
  2. Design and development: With client buy-in on more rigorous cybersecurity controls, the system integrator has the flexibility to design a more resilient system. While cybersecurity needs vary by system and are often compliance-driven, these can include controls such as strict network segmentation between layers of the Purdue model of ICS cybersecurity, firewalls configured to only allow whitelisted connections. This is especially true at the demilitarized zone (DMZ) between the corporate IT and the production OT network as well as implementing data collection and anomaly detection technologies at all layers of ICS communication. Integrating a zero trust and defense-in-depth strategy from the outset will result in superior outcomes than attempting to retrofit security after an incident occurs.
  3. Testing: Once the control system is designed and built, it must be measured both against functional and security requirements. While functional testing can generally be performed in-house, security testing should be performed by a separate team than those that designed it – either a separate in-house security team or 3rd party penetration testers. The integrator and end user also can engage in red/blue/purple team security exercises here as well for additional process rigor. Security validation outside of the design team helps the system integrator to ensure system quality and control for process mistakes that could lead to the compromise of a customer and damage to the integrator’s reputation.
  4. Ongoing services: Following system delivery, it may seem that the client-integrator relationship has concluded until a new system must be developed, however this area arguably presents the largest opportunity for system integrators. Cybersecurity is not a product to be delivered but an ongoing effort, and a continuing relationship with a cyber-forward system integrator can prevent the degradation of system security over time. While maintenance and support contracts are a well-explored aspect of the industry, cybersecurity services such as managed security operations center (SOC) services enable clients to outsource their cybersecurity monitoring to a trusted third party.

Through economies of scale, a system integrator could offer these services to a client at a lower cost than they could supply themselves, whereas the client accrues the benefit of increased system resiliency. By extending their cyber capabilities in this way, system integrators can deepen their client relationship to reduce customer churn and drive recurring revenue that increases business stability while improving the cybersecurity posture of their clients.

To address the cybersecurity crisis facing OT critical infrastructure, the system integrator relationship needs to extend the system development lifecycle into an ongoing relationship and embed ICS cybersecurity capabilities into client-delivered systems to achieve the best firm-level and societal outcomes. Whether it’s global supply chains or the cybersecurity posture of ICS, one of the many lessons to take from this period of crisis should be that trading some cost efficiency to ensure a system’s resiliency is well worth the investment.

Robert Fairfax is a financial officer at Cynalytica, a CFE Media content partner. Edited by Chris Vavra, web content manager, CFE Media and Technology, cvavra@cfemedia.com.

Do you have experience and expertise with the topics mentioned in this article? You should consider contributing content to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.

Robert Fairfax

Rob Fairfax, financial officer, Cynalytica

Related Topics
  • CFE Content
  • Featured
Previous Article
Courtesy: CFE Media
  • IT/OT

How to solve legacy OT security challenges

  • Chris Bihary
  • October 11, 2021
Read More
Next Article
As threat increases, college cybersecurity programs are more in demand
  • Education

Designing ‘smart’ security for smart devices

  • University of Missouri
  • October 13, 2021
Read More
You May Also Like
Richard Robinson, CEO of Cynalytica Inc.
Read More

Using Machine Learning to Protect OT: Expert Interview Series, Richard Robinson, Cynalytica

Courtesy: Industrial Defender
Read More

Six ways to strengthen OT security

Courtesy of: Verve Industrial
Read More

Four benefits of OT endpoint security asset management

Courtesy: CFE Media
Read More

Adapting XDR for OT cybersecurity

Read More

How Conti ransomware took down operational technology

As threat increases, college cybersecurity programs are more in demand
Read More

Dragos YIR report shows rise in threat groups, vulnerabilities and ransomware

Courtesy: CFE Media
Read More

Using defensive deception to prevent IT/OT manufacturing threats

Many wonder where to start when attempting to protect embedded systems in OT cybersecurity? Here are some great places to start.
Read More

How ‘Think Global: Act Local’ can help manage OT security through COVID-19

SUBSCRIBE

GET ON THE BEAT

Keep your finger on the pulse of top industry news

SUBSCRIBE TODAY!
VULNERABILITY PULSE
  • Mitsubishi Electric - June 14, 2022
  • Meridian Cooperative - June 14, 2022
  • Johnson Controls - June 14, 2022
  • Microsoft - June 14, 2022
  • Citrix - June 14, 2022

RECENT NEWS

  • Protecting the power grid through cyber-physical threat response
  • How to secure Industry 4.0 in a highly connected world
  • Managing external connections to your operational technology (OT) environment
  • Webcast: Addressing Cybersecurity Challenges in Industry 4.0
  • How a desert water utility helped protect critical infrastructure

EDUCATION BEAT

Introduction to Cybersecurity within Cyber-Physical Systems

Cyber-physical systems serve as the foundation and the invention base of the modern society making them critical to both government and business.

REGISTER NOW!
HACKS & ATTACKS
  • Ron Brash Interview: Expert advice on finding the root of the ransomware problem
  • Throwback Attack: How the modest Bowman Avenue Dam became the target of Iranian hackers
  • Minimizing the REvil impact delivered via Kaseya servers
  • Key takeaways from 2020 ICS-CERT vulnerabilities
Industrial Cybersecurity Pulse

Copyright 2022 CFE Media and Technology.
All rights reserved.


BETA

Version 1.0

  • Content Partners
  • Contact Us
  • Privacy Policy
  • Terms and Conditions

Input your search keywords and press Enter.

By using this website, you agree to our use of cookies. This may include personalization of content and ads, and traffic analytics. Review our Privacy Policy for more information. ACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT