In Ra Reimagining OT Cybersecurity Strategy Noexp
In Ra Reimagining OT Cybersecurity Strategy Noexp
In Ra Reimagining OT Cybersecurity Strategy Noexp
Contents
Introduction 4
Conclusion 16
2
Reimagining OT cybersecurity strategy
3
Reimagining OT cybersecurity strategy
Introduction
Digital transformation has started making its way well into the energy and
industrial sector. Organisations are adopting newer technologies to improve
efficiencies, manage supply chains, and enable remote operations. While
technology has many merits in improving the time to market, it is also
instrumental in achieving the sustainability vision.
This POV probes into why organisations need to reimagine and re-strategise
cybersecurity considerations for their OT environment as they embark on their
journey of digital transformation and the IT−OT integration.
*According to the US Energy Information Administration, the industrial sector includes refining, mining, manufacturing, agriculture, and construction.
4
Brochure / report
Reimagining OT cybersecurity
title goes here
strategy
Section title goes here
|
5
Reimagining OT cybersecurity strategy
Digital transformation and Industry The sector is expected to drive growth Digital transformation and the
4.0 are no longer seen as merely new and garner strong focus under the adoption of the latest technologies in
buzzwords. They offer immense potential government’s ‘Make in India’ initiative the energy and industrial sector
to companies in the industrial and and its various Production-Linked (examples)
energy sectors. Whether automating Incentive (PLI) schemes. For example,
the factory floor, monitoring/operating INR 25,938 crore for the automotive and
systems remotely, or using predictive auto-component sector and INR 76,000 An oil and gas enterprise in 2019
insights for maintenance, newer use crore for semi-conductors and display signed MoUs with various start-ups
cases continue to emerge. Technologies, manufacturing, amongst many others. offering solutions such as intelligent
including automation, Internet of Things These schemes present an opportunity automation, industrial AI platform,
(IoT), mobility solutions, robotics, and for organisations to scale their operations AR/VR/3D simulation, and
Augmented Reality (AR)/Virtual Reality while leveraging digital transformation to Unmanned Aerial Vehicle (UAV).
(VR), are being introduced into factory bring in efficiencies.
floors, in the supply chain and industrial
processes. Even industries such as power, oil
A moulded glass manufacturer in
and gas, and chemicals are priming to
India installed a new glass furnace
According to a NASSCOM 2021 report 3, embrace digital solutions. Last year,
during the pandemic using
60 percent manufacturing firms in the Cabinet approved the Revamped
technologies such as AR. It also
India reported increasing their digital Distribution Sector Scheme4. The
bolstered the infrastructure to
investments, compared with 63 percent scheme focuses on implementing smart
enable remote operation of its plant
globally. meters, along with promoting the use
in a week.
of Artificial Intelligence (AI), to analyse
data, forecast demand, reduce loses, and
While most organisations provide various predictive analysis. The
Ministry of Petroleum and Natural Gas, In 2022, an Indian telecom company
continue to invest in point India, published a digitisation roadmap5 using 5G standalone network did a
solutions, some are also for upstream processes in 2020. The trial run to integrate energy utilities.
roadmap highlights encouraging results
creating digital twins of of using technologies such as AI, IoT, and
their factory environment automation in upstream processes. In India, a manufacturer
to bring the cyber and The overall concept of smart cities
categorising itself in the SME
segment highlights that its Industry
physical worlds together requires real-time and remote monitoring 4.0 implementation is more than 60
of integrated systems, such as water
in a more systematic and management systems, electricity
percent complete.
6
Reimagining OT cybersecurity strategy
7
Reimagining OT cybersecurity strategy
IT-OT convergence – an
enabler and enigma
According to Deloitte US’ 2022 If we look at cyber challenges, OT
manufacturing industry outlook6, more systems have traditionally worked in
than half of the organisations surveyed complete or a partial air gap, isolated
plan to enhance data integration for from the enterprise network and traffic.
supply-and-demand visibility and The transition from isolated industrial
planning. Even in India, the pandemic control systems to Industry 4.0, and
has established the need for end-to-end subsequently to a fully converged
supply chain visibility, which effectively environment, allows any existing cyber
means integrating data from operational threats in the IT environment to move
technologies to have a single laterally into the OT environment. Even a
consolidated view. malware from a third party can make its
way into OT systems and cause havoc.
For improved outcomes and productivity,
data must be harnessed from operational Even air gapping as a method has been
technologies and made available for challenged in the past, and malware has
enterprise usage, connected to enterprise been accidently introduced into the OT
software, and fed into analytics and AI environment during regular maintenance
engines. by third parties.
8
Reimagining OT cybersecurity strategy
9
Reimagining OT cybersecurity strategy
Injection
10
Reimagining OT cybersecurity strategy
11
Reimagining OT cybersecurity strategy
Hence, the first step towards the right OT cybersecurity strategy is to acknowledge the following:
12
Reimagining OT cybersecurity strategy
13
Reimagining OT cybersecurity strategy
• In line with the evolving threat landscape, the Indian government in 2021 released guidelines for cybersecurity in the
power sector (see Appendix).
• The joint advisory8 from CISA, FBI, and NSA for critical infrastructure (amidst the rising state-sponsored attacks)
recommends patching systems (amongst other requirements). It also suggests implementing multi-factor authentication
(MFA), robust log collection and retention, behavioural detection, and proactive threat hunting, alongside formulating an
incident response and resilience plan, and a plan for continuity of operations.
14
Reimagining OT cybersecurity strategy
Amidst greenfield or brownfield digital projects, a comprehensive security assessment helps understand
security maturity levels and existing gaps. Moreover, it provides visibility on asset inventory across levels – field
devices, process controls, supervisory, and enterprise IT network. This helps understand the current security
levels and put the right OT security process and roadmap in place.
Following IEC 62443 standards (Cybersecurity for Industrial Control Systems) across policies, management,
industrial IT, products, and components, is important.
Security considerations include, but are not limited to, designing a secured network segmentation model and
secured remote access, as well as managing privileged access, data backup, and passive monitoring for visibility
of networked assets and activity.12
Any digital programme or third-party collaboration must have a “security-by-design” and “resilient-by-design”
approach to be able to successfully mitigate risks. For products, systems, and the development lifecycle, third-
party assurance certifications complying with standards such as IEC 62443-4 are imperative.
Periodical risk and vulnerability assessments and audits can help take the right step towards bolstering security,
while providing the required security assurance.
24x7 monitoring via a robust next-gen IT-OT security operations centre (SOC)/threat intelligence centre
As both the environments integrate, it is pragmatic to have a common IT-OT SOC, using specialised OT security
solutions that help in asset identification, visibility, anomaly detection, and monitoring. Having custom OT-
specific playbooks, use cases, and a common SOC empowers security teams to effectively join the dots and
respond faster to threats.
Incident response and cyber crisis management plan for the OT environment
Formulating a cyber incident response and cyber crisis management plan is imperative. The plan must undergo
regular reviews of the board and others. The plan should address various scenarios affecting OT systems,
including emerging threats and attacks such as ransomware. Industries should also focus on having table-top
exercises for executives to prepare them towards various scenarios.
Training and awareness is one of the crucial aspects of OT cybersecurity strategy. It helps create an in-house team
of OT security specialists (for example, with expertise in PLC testing and infrastructure testing) or provide awareness
and hygiene training to employees that operate systems. Training is also important to create a security-first mindset
to ensure that cybersecurity remains a key tenet of Industry 4.0 implementation within an organisation. This can
also help prevent Shadow IT, which becomes a pain point in the effective management of security.
Red teaming
Red teaming is essential to test resistance and resiliency of OT environments to stay ahead of malicious threat
actors. A robust mechanism should also be set in place to incorporate leanings, plug-in gaps, and enhance
security.
15
Reimagining OT cybersecurity strategy
Conclusion
While the industrial sector was The geopolitical environment will
gearing up and strategising for digital continue to rapidly evolve, making the
transformation, the pandemic provided security considerations for OT not only
an opportunity to test the waters, even an organisational mandate, but also a
for the most reluctant organisations. This country-wide imperative. The road to a
helped place the spotlight on possibilities safer, secured, and resilient industrial
and opportunities, and at the same time, ecosystem must include removing silos,
brought awareness about various risks. collaborating to synergise intelligence
There is, perhaps, no turning back. Driven and proactively dealing with syndicated
by the changing business priorities, attacks.
regulatory environment, and the threat
landscape, organisations with OT must There is no better time than now
look at embracing a cybersecurity to prioritise and streamline OT
strategy that puts OT security into cybersecurity.
perspective.
16
Reimagining OT cybersecurity strategy
Endnotes
1. “EIA projects nearly 50% increase in world energy usage by 2050, led by growth in Asia”, US Energy Information Administration
(EIA) (https://www.eia.gov/todayinenergy/detail.php?id=41433)
2. Smart Manufacturing 2.0 series, Implementing the smart factory - New perspectives for driving value, Deloitte (https://www2.
deloitte.com/cn/en/pages/energy-and-resources/articles/implementing-the-smart-factory.html)
3. Reimagining Indian Enterprises' Tech Landscape In A Digital-First World – A New Order Out Of Chaos, NASSCOM analysis
(https://nasscom.in/knowledge-center/publications/reimagining-indian-enterprises-tech-landscape-digital-first-world)
4. “Cabinet approves Revamped Distribution Sector Scheme: A Reforms based and Results linked Scheme”, Press Information
Bureau (https://pib.gov.in/PressReleasePage.aspx?PRID=1731473)
5. Digitalization Roadmap for Indian Exploration and Production (E&P) Industry, Ministry of Petroleum and Natural Gas http://
petroleum.nic.in/sites/default/files/Draft_digitalization_roadmap_document.pdf)
8. Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, Cybersecurity and
Infrastructure Security Agency (CISA) (https://www.cisa.gov/uscert/ncas/alerts/aa22-011a)
9. Ten key questions and actions to tackle ransomware in critical infrastructure, Deloitte (https://www2.deloitte.com/tw/en/pages/
risk/articles/ransomware-in-critical-infrastructure-ten-questions.html)
10. Indian businesses hit by more ransomware attacks than Australia, Japan and Singapore reveals new survey, Business Insider
(https://www.businessinsider.in/tech/enterprise/news/indian-businesses-hit-by-more-ransomware-attacks-than-australia-
japan-and-singapore-reveals-new-survey/articleshow/79279334.cms)
11. Newsletter, October 2021, National Critical Information Infrastructure Protection Centre (NCIIPC) (https://nciipc.gov.in/
documents/NCIIPC_Newsletter_Oct21.pdf)
12. Cybersecurity for smart factories, Deloitte and the Manufacturers Alliance for Productivity and Innovation, 2020 (https://www2.
deloitte.com/us/en/pages/energy-and-resources/articles/smart-factory-cybersecurity-manufacturing-industry.html)
17
Reimagining OT cybersecurity strategy
Appendix
Central Electricity Authority (Cybersecurity in power sector) guidelines, 2021
In line with the evolving threat landscape, the Indian government has also come up with cybersecurity guidelines for the power
sector. These guidelines lay emphasis on certain key aspects (amongst others):
• Making cybersecurity issues a part of the board agenda, taken up every quarter
• Defining electronic security perimeter, with conducting vulnerability assessment of access points at least once in six months
• Devising a cyber risk assessment and mitigation plan, with quarterly reviews
• Conducting security and testing of cyber assets, and external audit of IT and OT systems at least once in six months
• The CISO is expected to report any anomalous activity caused by the sabotage of critical systems within 24 hours of occurrence.
For not reporting any identified sabotage, CISO to be held responsible.
• Ensuring cyber supply chain risk management with assurance certification for embedded device security, system security, and
security development lifecycle (in line with IEC 62443-4 standards)
• Putting in place cybersecurity incident response and cyber crisis management plans
• Conducting annual cybersecurity training for employees having access to critical systems (either cyber or physical access)
• For IT and OT professionals, providing training to introduce various standards, such as ISO/IEC:15408, ISO/IEC:24748-1, ISO:
27001, ISO: 27002, ISO 27019, IS 16335, and IEC/ISO:62443
18
Reimagining OT cybersecurity strategy
Connect with us
Contributor
Manishree Bhattacharya
19
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK
private company limited by guarantee (“DTTL”), its network of member firms,
and their related entities. DTTL and each of its member firms are legally
separate and independent entities. DTTL (also referred to as “Deloitte Global”)
does not provide services to clients. Please see www.deloitte.com/about for a
more detailed description of DTTL and its member firms.
No entity in the Deloitte Network shall be responsible for any loss whatsoever
sustained by any person or entity by reason of access to, use of or reliance on,
this material. By using this material or any information contained in it, the user
accepts this entire notice and terms of use.