
Understanding the True Essence of Cyber Hardening for OT/SCADA Systems

InSource Solutions | May 22, 2024

Cybersecurity threats are rampant today, and you’ve been tasked with the crucial mission of “Cyber Hardening” your OT/SCADA systems. Cyber Hardening is a critical component of an industrial cybersecurity framework, specifically focused on protecting systems by implementing rules, policies, and guidelines. However, it’s vital to recognize that IT Cyber Hardening differs from OT/SCADA Cyber Hardening. To implement Cyber Hardening effectively, it’s important to consider the unique aspects of OT/SCADA systems, evaluate the impact of each rule, and assemble a team of experts.

With the current cybersecurity threats in the world, you’ve been given a mandate from management to “Cyber Harden” your OT/SCADA systems. You think, “Sure, no problem,” bring in your IT security expert, apply the security rules or controls to your OT/SCADA system, and all will be well. All good, right? Wrong! Unfortunately, many have taken this rather simplistic approach to the detriment of themselves and their processes. I’m sure you’ve heard the phrase, “It worked before you touched it; now it doesn’t.” But before moving on to the topic, let’s first establish, in simple terms, what cybersecurity is or isn’t.

What is Cyber Security?

Cybersecurity is NOT just about having antivirus or anti-malware software on individual computers or having a single firewall between production and other parts of the system. While these security controls are essential, they do not provide a complete industrial cybersecurity framework. They are just one part of the overall picture.

Cybersecurity IS a framework of activities and security controls to achieve specific cybersecurity outcomes. In essence, it’s like an immune system for your business. It encompasses the plans, processes, and controls that you implement to help:

  • Identify and assess risks to critical assets.
  • Protect critical assets.
  • Detect attacks, anomalies, and events.
  • Respond to critical security events.
  • Recover from the event and prevent future occurrences.

Notice that there is no mention of any specific software or hardware solutions!

So, where does Cyber Hardening fit in? Cyber Hardening is “a part” of the framework of activities used to “protect” critical systems after “identifying” critical assets. 

Think of Cyber Hardening as security controls:

  • Implemented as system rules, policies, and guidelines.
  • Used to secure critical systems by limiting access and functionality.
  • That should be implemented on a system-by-system basis.

When implementing Cyber Hardening for OT/SCADA systems, it’s important to remember that IT Cyber Hardening is not the same as OT/SCADA Cyber Hardening. Failing to understand and accept this concept can lead to problems. Before applying standard IT-based hardening rules, policies, and guidelines, consider the following factors for a successful implementation.

  • OT/SCADA systems and IT systems are not the same.
  • There are technical and operational aspects to every OT/SCADA system.
  • Every rule, policy, and guideline must be evaluated to determine its impact before application.

In the industry, you may encounter two common types of cyber-hardening guides: the Center for Internet Security (CIS) Controls and Security Technical Implementation Guides (STIGs). The CIS Controls, provided by the Center for Internet Security, offer best practices for strengthening your cybersecurity posture. They are prescriptive, prioritized, and simplified. STIGs are guides provided by DISA via DoD Cyber Exchange. They outline how an organization should handle and manage security software and systems and provide guidance on how to harden Windows. There are hundreds of STIGs maintained and updated by the DoD, developed for specific operating systems, components, and applications.

When implementing any of these hardening guides, it’s essential to take a project management approach. Assemble your team, including an industrial cybersecurity professional who understands cybersecurity best practices and requirements and knows how to apply them to OT/SCADA environments, considering both the technical and operational aspects. You’ll also need a Vendor Subject Matter Expert (SME) with deep knowledge of the software or systems, installation, setup, configuration, communication with other systems, internal processes, and recovery procedures. If applicable, involve Corporate IT to ensure alignment with network, systems, and corporate security controls, rules, policies, and guidelines. Lastly, an OT/SCADA Engineer SME should be included, since they understand their OT/SCADA systems and the process they control.

Before the System Change

Before making any changes to the system, conducting a thorough discovery and audit of each system is essential. This will help determine which OT/SCADA systems need to be hardened and in what areas, what OT/SCADA software is currently running on those systems, what functions or capabilities each of those systems provides, the interactions of each system, the security mechanisms already in place, and how critical each system is regarding the process, performance, and safety.

Always plan for Murphy’s Law, “Anything that can go wrong will go wrong,” so that potential mishaps can be dealt with. Make the following determinations:

  • Determine what disaster recovery strategies are already in place.
  • Is there a support agreement with the Vendor?
  • If so, what are the support level, hours of support, and response times?
  • Is the OT/SCADA software close at hand?
  • At what point do you stop and begin the recovery process?
  • Determine what backup strategies are already in place. 

Implementation of the System

When moving on to actual implementation, it’s essential first to decide which Cyber Hardening guides to use, such as STIGs or CIS Controls. Take the time to thoroughly review each guide, line by line and section by section, to determine if the rule or policy applies to the specific system. Consider technical and operational aspects and assess the impacts on the system. This should be done with a solid understanding of the software running on the system, the function or capability it provides, and how the rule will affect the overall operations of the software or system.

Before moving on to production, testing the hardened system in a sandbox or development environment is essential. Implementing rules, policies, and guidelines for production systems on a system-by-system and area-by-area basis is paramount. Having a plan and executing it based on a sound strategy is crucial. Take your time, observe, analyze, and focus on the individual sections of the Cyber Hardening guide:

  • Apply the rules, policies, or guidelines in a particular section.
  • Reboot the computer.
  • Log in to the computer and test functionality.
  • Does the OT/SCADA software still function as expected?
  • If it’s “okay,” move on to the next section, rinse, and repeat.
  • If it’s “not okay,” revisit the section and determine what rules, policies, or guidelines broke the system.
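The section-by-section loop above (apply a section, test the SCADA functionality, keep it or roll it back and find the rules that broke it) can be scripted. The following is an added example, not code from the original post or from InSource Solutions: it models a SCADA host as a dictionary of settings, uses a constructed hardening guide with illustrative rule ids, and stands in a simple function for the real post-reboot functional test. The baseline settings, rule ids and the historian’s dependencies are all assumptions for illustration.

```python
"""Section-by-section hardening with rollback and culprit identification.

Added example (not from the original post). The host, guide and functional
test are constructed stand-ins for a Windows OT host, a STIG/CIS section list
and the "log in and test the SCADA software" step after reboot.
"""
from copy import deepcopy

# Constructed baseline of a SCADA host (assumed settings, not a real STIG).
BASELINE = {"smbv1": True, "rpc_inbound": True, "svc_account_logon": "batch",
            "autorun": True, "min_pwd_len": 8}

# Constructed guide: section name -> list of (rule_id, setting, hardened value).
GUIDE = {
    "SMB": [("R-1", "smbv1", False)],
    "Accounts": [("R-2", "min_pwd_len", 14),
                 ("R-3", "svc_account_logon", "interactive_only")],
    "Removable media": [("R-4", "autorun", False)],
    "Network": [("R-5", "rpc_inbound", False)],
}

def scada_ok(host):
    """Stand-in for the post-reboot functional test. Assumption: the historian
    needs inbound RPC and its service account must log on as a batch job."""
    return host["rpc_inbound"] and host["svc_account_logon"] == "batch"

def apply_rules(host, rules):
    """Return a copy of the host with the given rules applied (host unchanged)."""
    new = deepcopy(host)
    for _, key, value in rules:
        new[key] = value
    return new

def find_breaking_rules(host, rules):
    """Ids of the rules in a section that break the test when applied alone."""
    return [rid for rid, k, v in rules
            if not scada_ok(apply_rules(host, [(rid, k, v)]))]

def harden(host, guide):
    """Apply the guide one section at a time. A section that breaks the SCADA
    test is rolled back, and the responsible rules are reported for the team
    to evaluate; the rest of the guide still proceeds from the last good state."""
    report = {}
    for section, rules in guide.items():
        candidate = apply_rules(host, rules)
        if scada_ok(candidate):
            host, report[section] = candidate, "applied"
        else:
            culprits = ", ".join(find_breaking_rules(host, rules))
            report[section] = "rolled back: " + culprits
    return host, report
```

The report lists each section as applied or rolled back with the rule ids to revisit, which is the record the Vendor SME and OT engineer need for the “not okay” discussion.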

As you implement Cyber Hardening, avoid using a template approach without considering the nature of the system. A template approach is acceptable if the system is the same as the last one, with the same software and performing the same function. After securing that single computer, evaluate your efforts and change the strategy if necessary. Remember to communicate with stakeholders to ensure that everything works as expected. Finally, move on to the next system.

With the right attitude, team, and planning, OT/SCADA systems can be cyber-hardened. Take the time you need to do it right. If you have questions about Cyber Hardening and how to implement it in your factory, please get in touch with us. We would love to help you.