Building a Solid OT

Cybersecurity Foundation
How to Prioritize Safety over Compliance
for Long-term Success
Introduction
Over the past 40 years, there
have been over 80 documented
energy sector cybersecurity
attacks, globally. Over 50% of
those cybersecurity attacks
have impacted the United States
and Canada.
As a result, we have a fragile power grid
that has likely already been well studied
by nation-state threat actors looking to
find the grid’s vulnerabilities. In today’s
world, that includes traditional and
renewable energy (including nuclear,
coil, natural gas, windfarms, offshore
windfarms, ocean current, solar and
green hydrogen), all feeding the grid.
Unfortunately, many current
cybersecurity programs are not where
they need to be. In fact, several remain
in poor condition because they lack a
solid foundation to seamlessly add more
assets as the grid continues to expand.

3
A Look Back: Top Cybersecurity
Case Studies

1994 2011 2020

Salt River Project Hack Dragonfly Attacks on SolarWinds Attack
the US and Canada

In 1994 Lane Jarret Davis The Russian group Dragonfly The 2020 SolarWinds attack
was able to shut down the has been active since 2011 and involved sophisticated
Roosevelt Dam’s spill gate conducted a cyber espionage malware that was inserted
SCADA system by accessing campaign against energy grid into the software supply chain,
computers belonging to the operators, major electricity ultimately exposing a quarter of
Salt River Project (SRP) via a generation firms, petroleum the electric utilities SolarWinds
dialup modem on a backup pipeline operators, and energy regulated to vulnerability.
computer. He was able to industry industrial equipment Some experts say the electric
access data and delete files providers. Their goal was to sector could take years to
on systems responsible for steal as much information as determine the full impacts of
the monitoring and delivery possible for future use. the attack.
of water and power to SRP
customers, as well as financial
and personnel records.

4
Managing Reliability Risks with NERC
While companies manage their operations, For NERC, and also the European Commission for
organizations like the North America Energy, some of the CIP requirements can take years
to be approved and go into effect. Although they get
Electric Reliability Council (NERC) publish
updated, these updates likely will not match the rate of
guidelines to help better manage reliability evolution and development of cyber attacks.
risks. However, NERC continues to fight the
common misconception that because it has Power grids worldwide are going to experience
major enhancements over the next ten to twenty
the Critical Infrastructure Protection (CIP)
years. To prepare for this new fast-paced reality,
requirements, cybersecurity processes are in power companies should implement a cybersecurity
place to protect the grid. approach versus a compliance approach in order to
These CIP requirements apply to power production, better protect the grid.
transmission and distribution and are more stringent
depending on the amount of electricity involved.
Although they look like a very comprehensive list of
cybersecurity controls and do provide a baseline for
the power industry to follow, they are not enough to
ensure cybersecurity is applied full-time, all the time.

5
NERC CIP Requirements
In 2008, NERC developed the Critical Infrastructure Protection (CIP) standards
compliance framework to mitigate cybersecurity attacks on the Bulk Electric
System (BES), establishing a baseline set of security measures.

CIP-002 CIP-003 CIP-004 CIP-005 CIP-006 CIP-007 CIP-008 CIP-009 CIP-010 CIP-011

Configuration
Incident
BES Cyber Security Electronic Physical Security Recovery Plansf Change
Personnel and System Security Reporting and Information
System Management Security of BES Cyber or BES Cyber Management
Training Management Response Protection
Categorization Controls Perimeter(s) Systems Systems and Vulnerability
Planning
Assessments

1. Process to 1. BES Cyber 1. Security 1. Electronic 1. Physical 1. Ports and 1. Cyber Security 1. Recovery Plan 1. Configuration 1. Information
Identify and System Cyber Awareness Security Security Plan Services Incident Specs Change Protection
Categorize BES Security Policy Program Perimeter Response Plan Management
2. Visitor Control 2. Security Patch 2. Recovery Plan 2. BES Cyber
Cyber Systems Specifications TFE
2. Low Impact BES 2. Cyber Security 2. Interactive Program Management implementation Asset Reuse
2. Review and Cyber System Training Remote Access 2. Cyber Security and Testing 2. Configuration and Disposal
3. Physical Access 3. Malicious Code
Approval of Cyber Security Program Management Incident Monitoring
Control System Prevention 3. Recovery
Identified Plan Response Plan
3. Personnel Risk Maintenance 4. Security Event Plan Review, 3. Vulnerability
BES Cyber implementation
3. CIP Senior Assessment and Testing Update and Assessments
Systems and Monitoring and Testing
Manager Program Program Communication
Categorizations 4. Transient Cyber
5. System Access 3. Cyber Security
4. Delegation of 4. Access Assets and
Control Incident
CIP Authority Management Removeable
Response
Program Media
Plan Review,
5. Access Update, and
Revocation Communication

6
Building a Solid Foundation: Compliance
Approach vs. Cybersecurity Approach
Compliance Approach
NERC CIP authorities periodically check that requirements are being met. Oftentimes, production, transmission and
distribution companies put their energy into ensuring that an audit goes well, but their attention shifts back to business
once the audit is over.
Example: A firewall is put up based on the CIP requirements. Over time, that firewall gets modified with pinholes and
goes out of date. As CIP changes, the firewall is enhanced, and this process is looped repeatedly. However, there could
be months of insecure pinholes in place before anyone takes action to close them.

Past Today Tomorrow Future

Are You Trapped in this Process?

Invest critical energy The environment is Continuous rebuilding

into a firewall to meet compliant but does before each audit to
CIP requirements not remain secure avoid fines

7
Building a Solid Foundation: Compliance Approach vs.
Cybersecurity Approach
Cybersecurity Approach
Production, transmission and distribution companies have employed people, developed processes and deployed
technologies that enable them to help identify cyber assets, better protect themselves, detect attempted attacks,
respond to cyber incidents, and recover quickly. Over time, these procedures become easier to accomplish,
technologies become more accurate and finely tuned, and people become more cyber-capable and mature. The
added benefit of a mature cybersecurity program is that compliance comes naturally.

IDENTIFY

PROTECT

DETECT

RESPOND

RECOVER

Past Today Tomorrow Future

Cybersecure Process

Ensure people, Continuous minor

The secure
processes and adjustments are made
environment is
technologies support to stay safe and
adaptive and safe
a cybersecure state secure

With the new and foreseen changes to the grid, power companies should go
beyond compliance and follow the cybersecurity approach to build a solid foundation.

8
5 Foundational Fix-Actions to Implement
the Cybersecurity Approach
In partnership with the SANS Institute, SWOT24TM (OT Cybersecurity by ABS Group) conducted a survey to identify the
actual capabilities Operational Technology (OT) teams have in place to implement a cybersecurity program. The results,
featured below, were largely imperfect and reflect the concerning state of actual OT cybersecurity teams’ capabilities.

NIST Cyber Security Framework

17.2% 23%
Backup and Data Asset Inventory and
Recovery Management

31.3% 29%
Incident Response Secure Configuration
Management

36.9%
Network Monitoring and Defense
(ID/PS, HIDS, EDR, SIEM, etc.)

If we follow the survey results with the five foundational elements included in the National Institute of Standards and
Technology (NIST) cybersecurity capabilities (Identify, Protect, Detect, Respond, and Recover), we can map the fix-
actions to implement a cybersecurity program.

9
FIX-ACTION #1 IDENTIFY

We have conducted numerous asset inventories in many

different types of OT environments. During these efforts,
we typically find that power companies focus most heavily
on their primary Distributed Control System (DCS). This is
the system that controls the primary operational assets
and equipment.
We have also discovered that there are typically more
than five additional control systems (i.e., water feeds,
water treatment, continuous emissions monitoring, co-
generation, gates and access, etc.), many of which
are interconnected with most or all of the systems for
historian, alerting, and control room visibility.
These systems are not always updated, do not usually
have antivirus, and in many cases, are maintained by • Problem: Over 75% of respondents
offsite personnel. On top of these obvious security don’t have manual or automated
issues, we’ve seen how offsite personnel can actually methods for managing their cyber
access these non-critical systems remotely through asset inventories.
the IT networks without on-site personnel’s knowledge
• Solution: Invest in the skilled
or approval.
personnel required to conduct
Your organization should have a dedicated a manual inventory and the
cybersecurity person on staff to maintain these technologies to sustain that
inventories and manage inventory procedures inventory with less effort.
and technologies. With this one practice, each site
could have a better idea of exactly what to build the
cybersecurity program around.

10
FIX-ACTION #2 PROTECT

For over twenty years, our team has been mitigating risk,
including applying security technical configuration settings
to computers, networking equipment and control system
devices. These security settings can be applied to some
of the most common OT systems on these networks,
and mitigating safeguards can be implemented to lower
network risks. Typical cyber-enabled devices include
servers, computers and controllers (e.g., Control Servers,
Data Historians, Engineering Workstations, Human-
Machine Interfaces, Programmable Logic Controllers, etc.).
When you have a dedicated cybersecurity person on
staff, they can also review the security configurations
for all your cyber assets. This job is not easy and
• Problem: Over 70% of respondents
requires mitigations where configuration changes can’t
stated that their control systems
be made; however, it can be manageable with the right
and networks are not securely
person.
configured.
There are also technologies that can monitor for security • Solution: Develop secure
configuration settings and changes. With this one practice, configuration procedures using
each site could have a better idea of exactly how security publicly available benchmarks that
is applied to each cyber asset and where exposures to apply to your cyber assets and
threats exist. review using manual or automated
technologies.

11
FIX-ACTION #3 DETECT

The highest percentage of in-process cybersecurity The technologies available on the market today can
capabilities deployed in our survey was the ability to be really good at identifying threats with support for
detect an OT cybersecurity intrusion. However, that common control system protocols. The added benefit
number was still less than 40% from all respondents. We of these systems is that many of them also actively
have experience standing up intrusion detection systems, support asset and inventory management, vulnerability
security information, and events management services, identification, configuration change monitoring, and threat
and have managed security services for industrial control and exploit detection. Finally, for this specific practice,
systems. We believe this number is higher than all the you should have someone who knows how to manage
others because there are now multiple technologies on these technologies and alerts in order for them to be
the market designed specifically for OT networks, and effective tools.
there’s confusion about what does what and which ones
are a better fit for one’s needs.
However, having the technology in place doesn’t mean
companies have the ability to detect all cybersecurity
incidents. They generally need at least one dedicated
person to tune, update and monitor these alerts. • Problem: Over 60% of respondents
have no network monitoring and
Next comes another predictable and crucial step: use defense capabilities.
that same person to manage your asset inventories
• Solution: Deploy OT specific
and securely configure your control systems to manage
network intrusion detection systems.
an OT intrusion detection system. Even though Detect
comes after Protect in the order of things, OT-specific
passive network monitors are the least intrusive
change you can make to your OT networks while
adding huge capabilities.

12
FIX-ACTION #4 RESPOND

From our experience, we remain pleasantly surprised at

what we have seen for incident response procedures
in the market. Most operational environments have
incident response plans to protect the health and safety
of personnel, the environment, and equipment. However,
when the word “cyber” is not included in these plans, they
can quickly fall apart in practice.
For example, if a physical event in OT is caused by a
cyber breach, the operations team is likely to assume an
alternate cause. As a matter of fact, most of the time if a
disaster occurs, organizations won’t figure out if it was
caused by a cyber event until after the fact.
Assuming a dedicated cybersecurity person is
managing the secured network and monitoring for
cyber intrusions with a network monitoring solution,
they should update the incident response plans. First, • Problem: Over 65% of respondents
they should ensure all points of contact for cyber believe they have insufficient
emergencies are included, and second update the cybersecurity incident response
existing procedures to include the team’s actions, capabilities.
workflows and full process from detection to lessons • Solution: Update the incident
learned. response plans and procedures
and test them regularly.

13
FIX-ACTION #5 RECOVER

Every single control system that we have reviewed

or interfaced with has had some sort of recovery
device. However, those recovery systems are not
always functional or up to date. Our team has been in
organizations where operations and engineering teams
truly believed that they didn’t have backups, but upon
further investigation we were able to find at least one
person who actually had copies. Backup and recovery are
core to disaster preparedness and contingency planning.
For control systems, maintenance personnel conduct
backups for different reasons. Their primary purpose is
to be able to revert to a known-good state if updates or
upgrades go poorly. Even if those backups do or did exist,
this is still not a managed process; and it is not a process
that can always be trusted to work when needed.
If they are following all the practices recommended • Problem: Over 80% of respondents
herein, a cybersecurity leader should know all of do not have manageable backup
their assets, be secure in their configurations, feel and recovery processes.
comfortable identifying threats in the networks, be • Solution: Inventory all system
able to lead their cyber incidents response teams and backups, procedures and
support recovery from cyber incidents to maintain technologies and develop a staged
evidence and improve safeguards. From that point, if disaster recovery plan.
something goes wrong then the company should be
able to recover more quickly and safely if they fully
trust their recovery plans.

14
Guarding the Grid: The Dire
State of Cybersecurity
Today, our sensitive power grids are in a
dire cybersecurity state. Tomorrow, we
will be adding new demands and the most
advanced metering and control systems.
We cannot leave these systems vulnerable
with no cybersecurity plan in place.
Compliance, while extensive, it’s not equal
to a manageable cybersecurity posture.
These 5 foundational fix-actions that organizations
can apply to build their cybersecurity capabilities
are necessary to better ensure that a cybersecurity
approach is in place. From here on out, the
company’s goal should be to ensure these
capabilities are at 100% for a smooth road ahead.

15
Industrial Cybersecurity for
Critical Infrastructure
Digitalization has become a market reality
and the cyber threat landscape is evolving
faster than capabilities are being built. As
a result, industrial cybersecurity is now
an industry-wide business imperative.
Without the proper operational technology
(OT) cybersecurity strategy in place,
your operations could easily become
compromised.
SWOT24™, OT Cybersecurity Services by ABS
Group, works with a diverse range of clients in the
power and energy industry to understand your
unique OT cybersecurity risks and help you build
industrial security solutions to reduce the likelihood
of an attack. From the earliest concept and design
phases to integrating a program into existing
operations, we’ll help your organization develop
and implement the security solutions and controls
you need to better manage cyber risk.

16
Risk-Based Solutions for Converging IT-OT Systems
SWOT24 approaches industrial cybersecurity as a risk management function. Our risk-based
solutions cover every stage of your cyber defense for converging Information Technology (IT)
and OT systems. We offer industrial network security based on our client’s specific needs and
unique operating environment to support existing organizational strategies for risk, reliability
and operational safety. Without a comprehensive industrial cybersecurity program, your
organization is more open to the risk of losing visibility and control over its OT assets.

Cybersecurity Managed Services Cybersecurity Consulting

Gain a comprehensive understanding of your OT Receive guidance for critical decision-making in OT
networks, including continuous monitoring for environments, including insourcing, outsourcing,
potential attacks. technology, vendors and more.
Industrial Security Operations Center Supply Chain Cyber Risk Management
We oversee all activity 24/7/365 from our centralized Manage the risks you inherit from your suppliers by
ISOC with no interference to your operations. controlling exposure and detecting vulnerabilities.
OT Cybersecurity for New Construction Zero Trust for OT (ZT4OT™)
Minimize threats and increase productivity by factoring Utilize Zero Trust strategies that work with your IT and
cybersecurity into the initial design and planning OT environments, network access and compliance
stages of construction. requirements.

17
Why SWOT24TM About ABS Group
SWOT24 provides a comprehensive portfolio ABS Group of Companies, Inc. has been named
of Operational Technology (OT) cybersecurity one of America’s Best Consulting Firms of 2021
consulting, implementation and risk management and 2022 by Forbes. With over 50 years of risk
services. We help organizations, like yours, to management and safety experience in the marine
successfully navigate today’s growing cyber and offshore, oil, gas and chemical, government,
threats. We focus on OT and ICS systems for power and energy and industrial sectors, ABS
critical infrastructure industries, customizing Group provides data-driven risk and reliability
our solutions to fit your operations. Our risk- solutions and technical services that help clients
based solutions cover every stage of the asset confirm the integrity, quality and efficiency of
lifecycle, from concept and design to operations, critical assets and operations.
integrating cutting-edge technology with an
Interested in learning more?
agnostic approach. Our state-of-the-art Industrial
Security Operations Center (ISOC) allows us to Email us at [email protected] for more
identify and mitigate attacks in real-time. We focus information about our portfolio of OT cybersecurity
on stopping the bad guys so you can focus on services for critical infrastructure industries.
what really matters: Your Operations.

[email protected] www.abs-group.com/SWOT24

ABS Group refers to various subsidiaries of ABS Group of Companies, Inc., including ABSG Consulting Inc. © Copyright 2022 ABSG Consulting Inc. All rights reserved. 11/22