Effective control and security of operational technology (OT) and industrial control systems are inextricably linked with good corporate governance. Companies could use compliance with legislation and corporate governance requirements to overcome key growth barriers when looking to expand into new territories and to attract outside investors.
This is according to Charl Ueckermann, CEO at AVeS Cyber Security.
AVeS Cyber Security has recently completed a six-month project to secure the first of four industrial control system (ICS) environments for a large mining company. The company – headquartered in London, with operations in Africa – has plans to open a large mine in South Africa, but to get government approval it needs an ISO 27001 certification. The company had undergone ISO 27001 audits annually between 2014 and 2016 but failed on essential OT security requirements.
ISO 27001 (formally known as ISO/IEC 27001:2013) is an internationally-recognised standard for managing information security management systems (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.1
“Industrial control system networks also form part of ISO 27001 assessments. When these are not adequately secured, it impacts compliance with ISO 27001 standards. Critical findings on the audit reports for the mining company showed that the security vulnerabilities of their Supervisory Control and Data Acquisition (SCADA) architecture were significant and severe. Unless they addressed these vulnerabilities to achieve ISO 27001 certification, their plans to expand into South Africa were not going to come to fruition,” says Ueckermann.
A full site survey, penetration testing on the infrastructure, and an assessment of the company’s industrial control system by a team from AVeS Cyber Security and Kaspersky Lab revealed over 500 vulnerabilities that could allow a cyber criminal to obtain full control over the system, steal sensitive information and impact data integrity.
To remedy the vulnerabilities and better equip the company to go forth with its ISO 27001 accreditation journey, the team implemented Kaspersky Industrial CyberSecurity (KICS). This made the client the first in Africa to implement KICS.
Kaspersky Industrial CyberSecurity is a portfolio of technologies and services designed to secure truly industrial layers and elements of an organisation – including SCADA servers, HMI panels, engineering workstations, Programmable Logic Controllers (PLCs) and network connections – without impacting operational continuity and consistency of the technological process.2
The solution deployed at the mining company, KICS for Nodes, is a specialised product for protecting industrial control systems’ endpoints, called Human-Machine Interfaces (HMIs). It is designed specifically to address threats at operator level, protecting against the various types of cyber threats that can result from human factors, generic malware, targeted attacks or sabotage.
Some of the functionalities include:
- PLC Integrity Check that enables additional control over PLC configurations.
- Application Launch Control that allows control of applications from installation to start-up, access and updates according to whitelisting or blacklisting policies.
- Device Control that allows administrators to define and specify whitelisted devices that can be connected to the protected industrial hosts.
- Wi-Fi Control that enables the monitoring of any attempt to connect to unauthorised Wi-Fi networks. The Wi-Fi Control task is based on Default Deny technology, which implies automatically blocking connections to any Wi-Fi network ‘not allowed’ in the task settings.
- File Integrity Monitor that enforces and tracks file and folder changes based on predefined task settings to protect SCADA projects.
- Advanced Anti-Malware Protection that detects malicious software to protect Windows workstations against known, unknown and complex threats.
- Host-Based Firewall that provides the ability to block access from network nodes showing suspicious activity or performing unauthorised encryption attempts.
Ueckermann says AVeS Cyber Security is now working with the company to align its OT policies with its IT policies for the next ISO 27001 audit, done by an external certified auditor. This includes, among others, the disaster recovery policy for PLCs, workstations and revivers; failover policies and redundancy; password policies; and access control policies for physical OT areas and systems.
“It is now a case of connecting all of the dots so that OT and IT are effectively aligned to ensure success with the next audit. Almost four years in the making, this accreditation will allow the business to finally put their plans to expand into action. Their story is not that uncommon; badly planned OT and poor OT security have put a spanner in the wheels of many companies looking to expand or attract investors. Yet the solutions are there to help get their houses in order,” he concludes.