Marcel Jutte, managing director of Hudson Cybertec, outlines the cyber security risks operators can face and why cyber security in operational technology is just as important as safety.
Tank terminals use integrated systems in the operational technology (OT) domain to manage, control and maintain their installations.
Integration of legacy systems and infrastructure with new systems and infrastructure increases the complexity of the OT-domain. To increase efficiency, operators have the option to do their work from a variety of (remote) locations. Their continuous physical presence is no longer required in cases like on- and offloading barges. Because of the increased complexity of the OT infrastructure and its networks, tank terminals are increasingly dependent on their systems to operate in a safe manner.
This increased level of complexity in combination with increased dependency on integrated systems and centralised control of plant operations in the OT-domain increases the cyber security risks to terminals. The difference between the IT-domain and OT-domain implies that standards and best practices developed for systems in the IT-domain cannot be applied directly to systems in the OT-domain, since these standards do not take the specific OT-domain environment into account. Marcel Jutte, managing director of Hudson Cybertec, says: ‘Often IT cyber security standards are applied to the OT-domain resulting in an improper sense of security and introducing additional risk.’
CYBER SECURITY RISKS
Cyber security risks for tank terminals are present in all forms. Threats can originate from inside and outside an organisation and are continuously evolving. A company’s OT-domain cyber security needs to evolve as well.
The organisation should be prepared, up to date with the latest threats and perform cyber security checks regularly.
External actors include activists, competitors and organised crime groups, each with their own agenda, ranging from disruption of operations (loading/unloading from barges) to financial gain (stock manipulation) or industrial espionage (access to confidential data). Internal actors include disgruntled employees and third-party personnel who wittingly or unwittingly cause a cyber security incident. Such incidents are caused by inadequate cyber security controls or a lack of awareness due to lack of training. Other cyber security risks are related to the complex infrastructure where legacy equipment and networks are an integral part of the OT-infrastructure. Such equipment and networks were designed according to the standards, knowledge and best practices at the time. This causes cyber security risks since cyber security was not part of the original design. Jutte says: ‘Legacy infrastructure cyber security risks need to be identified by performing an independent cyber security review of the OT-domain.’
THE IMPORTANCE OF PEOPLE
The three pillars of cyber security are: people, process and technology. For security to work, these pillars need to be in balance. Ideally cyber security should be an integral part of daily operations within an organisation, supported by the appropriate management systems, policies and procedures.
Cyber security related technology is already used within organisations, most commonly in the IT-domain and less so in the OT-domain. Often the cyber security gap between these two different domains is more than five years.
The human factor of cyber security is often overlooked. Controls are in place for safety but are lacking in cyber security and this introduces cyber security threats. Users, including management, can unintentionally activate espionage malware by clicking on a link on a webpage or in an email, or can introduce ransomware that encrypts data by connecting an infected device.
Recovery from such attacks is often difficult and time-consuming, and has a significant financial impact. Third parties working onsite often use their own equipment, tools and computers to perform specific support and maintenance tasks. In some cases, these tasks are unsupervised. These risks are insufficiently controlled because they are not seen as a threat, and they can be elevated because it is not clear who is responsible for the cyber security of the systems introduced. Other threats include a lack of policies and procedures to ensure proper access to systems with elevated functionality, which allows third-party personnel direct access to support sources beyond what should be allowed.
One example is retrieving security patches from the internet on a workstation located in the OT-domain for which insufficient security measures were applied. Jutte adds: ‘People should be given the same emphasis in cyber security as in safety.’
IMPROVING CYBER SECURITY IN THE OT-DOMAIN
Security policies are the foundation for security measures and employee behaviour, while security procedures allow employees to act swiftly and correctly, ensuring that no steps in the security process are skipped. These policies and procedures should emphasise the specific needs of the OT-domain and the OT-organisation.
‘A cyber security training programme ensures that cyber security awareness with your employees is increased thereby diminishing the chance of a cyber security incident caused by human error. Threats are continuously evolving therefore training should be an integral part of an existing training programme,’ says Jutte.
Due to the nature of the OT-domain, security standards like the ISO27001/2 that were developed for the IT domain cannot directly be applied to the OT-domain. For industrial control systems specifically, an international standard was developed: the IEC 62443. This standard takes all the specifics of the OT domain into account.
PERIODIC CYBER SECURITY REVIEW
Taking the right security measures is only possible if companies know which measures really help. These decisions can only be made if companies know where they are today with the cyber security of their terminal.
An up-to-date independent review of an OT-domain against the IEC 62443 standard gives insight into the cyber security situation of the OT-domain of a terminal.
This can be used to develop or enhance cyber security within the OT-organisation, and to identify and mitigate risks. Jutte explains: ‘Experience shows that only if you know your current situation, you can take the appropriate action in case of an incident.’
Cyber security in the OT-domain is not a one-off exercise; it is an ongoing process due to the ever-evolving nature of the threats. A regular independent review or audit of an OT-domain against the IEC 62443 standard should become part of normal tank terminal operations, just as safety is now.
Jutte adds: ‘Tank terminals need to manage the cyber security of their operational technology, just like they manage safety. I would say start now, before it is too late.’
Jutte will be speaking more about cyber security and how to protect terminals from cyber attacks on the second day of the StocExpo Europe conference, from March 20 – 22. For more information and to register, visit www.stocexpo.com.