Balancing the FUD factor in OT cyber security

Thursday 28 November, 11:05 am - 11:45 am

Speakers

Justin Nga

Cybersecurity Manager
Citipower Powercor United Energy

Synopsis

OT cyber security has been a rapidly evolving domain over the past decade. Since the term OT was coined, a heavy emphasis has been placed on articulating the differences between IT and OT cyber security, and on the view that OT is inherently insecure. Hence, the less the convergence of technology, processes and people, the more secure we are. Whilst there are facts to validate these aspects, it is a dangerous and disproportionate view. If ‘People’ are a pillar of cyber security, we are doing a disservice in continuously propagating this message, as it only serves to create deeper barriers between OT and IT teams. Coupled with the FUD (Fear, Uncertainty, Doubt) factor surrounding OT cybersecurity incidents, there is a risk of missing the full picture and not resolving the root cause. Is there a different side to this coin? My career journey through both OT and IT, experiencing the perspectives from both sides, has effectively shown me a balance through similarities and looking beyond the FUD factor to resolve root cause. My objective in this session is to provide practitioners with this knowledge to broaden their perspectives and bring a proportionate view to this topic.

We will begin with the technology evolution of OT, detailing the components of an Industrial Control System (ICS) as the foundation of OT, and the evolution of the technology stack over the decades. This ensures a deeper understanding of each component’s function in governing availability/safety controls (using Layers of Protection Analysis - LOPA), the architectural considerations (using the Purdue Model and IEC 62443), and the cybersecurity risks associated with deviating from these design principles. We will use the Ukraine 2015 BlackEnergy cyber security attack as a case study and analyse how these principles potentially aided their response and recovery during that incident.

Next, we address the FUD factor and how it reduces our effectiveness in identifying and resolving root causes. We will use an anecdote of FUD that was used against the late Kevin Mitnick and how this scenario is potentially repeating in the OT cybersecurity domain. We will travel back in time and analyse case studies of the Maroochydore Shire, Stuxnet and Dragonfly cybersecurity incidents to demonstrate how FUD has potentially masked the root causes of these incidents.

We will end by articulating similarities between cybersecurity and OT operational practices by reviewing how major industrial incidents have shaped the industry’s safety standards. Close to home, we will use the Esso 1998 Longford fire as a case study, and how alarm management concepts (EEMUA 191 / ISA 18.2) and HAZOP (Hazard and Operability) risk analysis were key outcomes. We will draw parallels with SIEMs and cybersecurity risk assessments to demonstrate how the domains are not as dissimilar as they are made out to be.

To conclude, we will attempt to look into the crystal ball and the future of OT and its cyber security aspects, taking into consideration the business and technology drivers, and how the lessons above can help shape a better future for both the IT and OT cybersecurity domains.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.