Operational Technology – ICS & SCADA
Connectivity is transforming industrial operations:
Industrial operations, from oil refineries and mines, to logistics and manufacturing organizations, are embracing the advantages that connectivity can bring. Integrating business and physical processes can significantly increase production efficiency, whilst improving the safety and effectiveness of predictive maintenance and monitoring.
But introduces significant risks:
But as manufacturers, powers stations and public transportation become more dependent on technology, with connected computers giving access to robotic productions lines and safety-critical sensors, the need to protect and secure this infrastructure has never been greater.
Operational systems often integrate formerly unconnected “air-gapped” ICS systems. These can be highly vulnerable as they were never designed to be internet connected, and their security configurations reflect computing power that existed when they designed, sometimes many decades ago. Software libraries may be many years beyond their support life, or indeed the software developer who created it may no longer be in business.
This creates a relatively accessible, and financial lucrative target for hackers, whether simply focused on criminal extortion, or ‘hacktivists’ looking to cripple an organization that does not fit their moral worldview. Ransomware attacks can cripple production, and the effects of a hack on safety critical systems in a process plant such as an oil refinery could be horrendous.
Operational testing is also typically required for organizations defined as Critical National Infrastructure under regulations such as the EU NIS Directive.
Operational Systems – robust, yet sensitive, testing for the entire ecosystem
Testing operational systems is vital, but has unique challenges. Connected operational systems often include legacy systems, frequently dating back into the 20th Century. These require specialist skills and experience. Newer system components (for example asset integrity monitoring IoT sensors) may be communicating to variety of vendor Clouds, whilst warehouse monitoring systems are often integrated into a number of suppliers’ own IT platforms. To truly give a robust level of security, it is important to test, in risk appropriate manager, all components and integrations.
Overlaying all of these challenges is the nature of test subject itself: poorly constructed or executed test plan could itself production disruption.
- Threat Risk Assessment and Threat Intelligence: Key to designing an effective test plan is understanding the likely threats, and impact. Intertek brings OT clients the benefits of its long experience in Threat Risk Assessment, a specialist team constantly tracing threat actors globally, and also through its Industry Services division, practical understanding of the operations of industrial sites.
- Deep infrastructure pen test experience: Intertek has over 150 cyber security experts based in 6 offices across North America, Europe and Asia. Staff are qualified in CREST, including CCT, CRT and CPSA, and PCI ASV, as well other standards including OSCP, COMPTIA Security +, CISSP, GPEN and GWAPT.
- Extensive Web Application experience: Intertek tests 100s of web applications each year, from all client sectors, types (from websites and client portals, to internal control / monitoring apps, to supply chain integrations) and across very wide range of software. This experience means Intertek can provide a robust level of testing, in a cost and time efficient manner.
- Connected product/component understanding: Intertek has been a leading participant in certification groups for connected products since 1990’s, in particular Common Criteria and FIPS 140-2/3. Intertek is also deeply involved the key Industrial IoT standards IEC 62443 and UL 2900. Understanding the strengths, and limitations of components and systems certified to these standards means Intertek can focus on OT testing on areas of highest risk.
Bringing all this experience together, Intertek is uniquely well positioned to create a comprehensive, effective and cost efficient test program to give you assurance over the cybersecurity of your industrial assets.