Policies and procedures for improving security
The OT security policy is the strategic framework. The procedures apply the strategy defined, and the programs define the day-to-day operation of the equipment managing industrial cyber security.
The development of security procedures in the transactional field (IT) is a widespread practice that now needs to be extrapolated to the operations field (OT).
OT policy is the strategic framework an organisation deploys in this field. The procedures are defined to apply the strategy designed, and the programs (OPSEC program, or Operational Security program) determine how day-to-day operation should run for the equipment managing all aspects of industrial cyber security (perimeter security, network architecture, management of logical and physical accesses, etc.).
Furthermore, it is highly advisable for these policies, procedures and programs to be developed based on standards (NIST, NERC-CIP, ISO, ISA) or best practices in the sector to help implement them more easily and effectively.
We can help you improve your organisation’s OT environment security by providing the following technologies and services:
Quantitative evaluation and risk analysis
- Quantitative evaluation of the risk a system runs enables you to weigh the investment in countermeasures that you need (and that is efficient). In addition, the analysis carried out in parallel enables you to identify, evaluate and classify the main physical and logical risks of the OT environment that affect the organisation’s operational processes and production assets.
- Based on standard methodologies (MAGERIT v3, CRAMM, etc.), this service is carried out:
  - By identifying and valuing the assets within the project scope.
  - By determining the threats that may apply to the system, as well as the impact (consequences) and vulnerabilities (probability) existing with regard to these assets.
  - By calculating the risks based on these metrics and proposing a series of countermeasures.
Analysis of OT vulnerabilities
The main objective of this service is to provide you with detailed information about the level of vulnerability of your OT systems, processes and networks, in terms of what could affect their availability, integrity and confidentiality.
When using anti-malware technologies in OT environments, it should be borne in mind that the applications and systems:
- Are critical and in many cases cannot be shut down for updates.
- Are not open to patching processes.
- Run on operating systems that have become obsolete and/or for which the manufacturer has discontinued its support.
- Are isolated.
- Are ruggedised.
For these reasons, specific solutions need to be deployed that take these limitations into account. We work with technologies that enable us to:
- Apply non-intrusive virtual patches.
- Evaluate the effect potential malware would have if it reached the OT environment, using “sandbox-type” solutions.
- Configure restrictive rules for access to processes and services (whitelisting) on specific applications (SCADA, HMI, Historian Client, etc.).
- Carry out off-line disinfection of equipment without the need to install any kind of software in critical systems.
Adaptation to best practices
This service is aimed at analysing and confirming your organisation’s level of alignment with the OT cyber security standard you choose.
These standards and/or best practices include: ISA-99/IEC 62443, NIST SP 800-82, NIST SP 800-53 rev. 3 and NRC RG 5.71.
After this intervention you will receive:
- An executive summary of your level of alignment.
- A report providing you with an overview of the evaluation performed.
- A detailed report on the evaluation performed.
- A plan with the main corrective actions or countermeasures enabling your organisation to adapt to the selected standard or best practice.
Developing security policies, procedures and programs
The aim of this intervention is to help you define, expand or improve the policies, procedures and programs or plans that are to guide the implementation of security, organisational and management controls, in line with industrial cyber security best practices.
Change management systems
Change management systems enable you to carry out visible, controlled and ordered management of the logic (programs) associated with the various field devices and elements (PLCs, HMIs, DCS, Robots, PC Control Systems, Drivers) that coexist in an OT environment.
In what context is change management being carried out in the industrial environment?
- Different users make different types of changes.
- Certain standards need to be complied with and the changes need to be visible, controlled and ordered. Failing to comply with these standards and to carry out proper change management can generate risks.
- These risks can produce undesired effects.
What can a CMS give you?
- Controlled user access to work stations and the devices in which the logical programs reside.
- Automatic integration with the main manufacturers of field devices (Siemens, Rockwell, Schneider, GE, Omron, Mitsubishi), robots (ABB, Fanuc, Kuka) and SCADA solutions (WinCC, Citect, InTouch, System Platform).
- Automation of processes for generating and comparing backups of these programs.
- Comprehensive management of logical program version control.
- An Audit Trail that enables the detection, notification and automatic logging of changes made.