Whose job to consider Cyber Security within Operational ‘OT’ Technology system?
I have specified more automation network solutions over the years than most and have delivered network infrastructure into virtually every industry. There does seem to be one constant in recent times and it relates to ownership of matters relating to Network and Cyber Security.
In 2008 IT4A were fortunate to be involved in the design and implementation of a major Operational ‘OT’ Technology infrastructure network around London, the first of its kind. The telecoms provider was the National Roads Telecommunication Service (NRTS) and they were keen to ensure network security was well and truly on the agenda. Whilst the scope has certainly evolved since 2008, recognition that threats existed that if played out would put aspects of Critical Infrastructure at risk. Whilst lessons were learned along the way the network, that we also monitor and support, has seen and realised the benefit of good practice over nearly a decade or service. In this case there was clear ownership and an acceptance of responsibility by the project. Learn more about this project.
In the years that have followed, with the rapid emergence of Cyber threats, I would have expected more organisations to lead in this way; demanding more from their suppliers than blind cost reduction. On reflection, I would say not. Our product sales team are too often challenged on cost reduction and lead time over product security features and benefits. With projects, it tends to be me or a colleague that puts security consideration clearly on the table – sometimes in time to influence the outcome.
Skills & Competence
Companies seem to feel their engineers, on top of their day job, have all the network & cyber skills and knowhow to support a valueless ‘white goods’ type sale; is this a realistic expectation?
If we are to avoid the potentially catastrophic consequences of a major cyber threat playing out, I feel we should be working and collaborating as part of our Customer’s team. At IT4A we have the skills and resources to design in and supply great products into projects where the desired outcome is sustainable.
Secure by Design
I believe a sustainable solution will include aspects of:
- Scope definition through collaboration
- Threat & risk mitigation by informed design
- Secure product selection
- Hardened configuration & test
- Integration, commissioning & baseline.
- Effective reliable documentation
- Good administration
- Awareness through monitoring events and alerts
- Remedy through skills development / knowledge transfer
- Access to experienced support & maintenance
- Training on the network not the product.
It is not unusual for a network specifications to be limited to specifying technology i.e. Ethernet and possibly speed.
Until behaviours change the networks that support our critical infrastructure will remain unnecessarily vulnerable. Look first at what exists and how to protect what you have today – many lessons will be learned. Then take these lessons into your forward-looking strategy. Find out more about the protection of Operational Technology / SCADA systems.