Page 87 - Cyber Defense eMagazine July 2024
Most attacks causing these shutdowns are ransomware, though hacktivist, supply chain and nation-state
attacks are increasing as well. Worse, the most sophisticated ransomware groups are buying and selling
attack tools from and to nation states – the tools and techniques used by the two kinds of threat actors
are becoming indistinguishable.
OT Is Different
A perennial problem with cybersecurity in OT is that OT is different. In most IT networks, information is
the asset, and our imperative is to protect the information. OT networks automate physical processes –
often very expensive, dangerous physical processes. The cybersecurity imperative on OT networks is to
protect safe, reliable and efficient physical operations, and only secondarily to protect sensitive trade
secrets and other information, if there is any such information in the OT network at all.
A second issue with OT networks is change control. When enterprise security teams ask engineering
teams to bring the entire OT network up to date with security updates, the engineering teams most often
refuse. Why? The clarifying question most engineering teams really should ask, but rarely do, is “How
likely is that change to kill anyone?” Engineers need that question answered before they make any
change, and the likelihood of a safety incident is never zero. There is no way to make physical processes
perfectly safe.
A second question that helps clarify the problem is “How likely is that change to trip the plant and trigger
an unplanned shutdown of our billion-dollar asset?” All change represents a physical risk. Engineering
teams are required, by their businesses, by their professional associations and often by law, to address
material risks to physical operations. Engineering Change Control (ECC) is the discipline by which the
risks of proposed changes are evaluated, tested and managed. The problem is that ECC is very
expensive. Change on OT networks is not impossible, but someone is going to have to allocate budget
to charge engineering services against, especially in organizations with small or no in-house engineering
teams.
Cyber-Informed Engineering
These threats and the “difficult” nature of OT / industrial automation networks are why Idaho National
Laboratory is working on the new Cyber-Informed Engineering (CIE) initiative. CIE is positioned as “a
coin with two sides.”
• One side is cybersecurity – teaching engineering teams about cyber threats to physical
operations and engineers' obligations to the business and to society to address those threats.
• The other side is engineering – use the powerful tools that engineers have for managing physical
risk – use these tools to address cyber threats as well.
For example, imagine you work in a large refinery. The refinery uses catalytic crackers – six-story-tall
pressure vessels filled with hot hydrocarbons. Imagine you work 8 hours a day inside the kill radius of a
worst-case cracker explosion. How would you prefer to be protected from a cyber-attack that over-heats