Critical infrastructures cannot be secure when critical equipment isn’t

Aug. 28, 2022
August 25, 2022, I received a call from an insurance specialty insurer who had received an Operational Technology (OT) Supplemental Application from a global control system supplier to the aerospace industry, industrial operations, and the US Department of Defense. I am personally aware of at least some of the company’s products because of their use in nuclear and fossil power plants, oil and gas facilities, and renewables. The OT Application had twenty-four questions with some having multiple parts. This Application demonstrates the culture and technical gaps between the IT, OT, and and control system communities. The form was signed off by the supplier’s Senior Director of IT Security. How can IT think it is OK not having OT cyber security experts involved? I, and others “in the know”, do not believe this vendor’s approach is unique and that other critical equipment suppliers are taking the same or similar approaches. How could any nuclear power plant with this vendor’s equipment (this is most, if not all, US nuclear plants) pass an NRC cyber security audit?  Even worse, this equipment is out-of-scope for a NERC CIP compliance audit. The responses to the Application raise questions about the validity of CISA’s 100-day approaches when this vendor’s equipment is an integral part of electric, water, oil/gas, pipelines, and chemical facilities.

I spoke at a podcast for Marsh’s Marc Schein July 19, 2022 on control system cyber security to be broadcast later (TBD). Because of the Marc Schein interview, I received a call from an insurance specialty insurer who had received an Operational Technology (OT) Supplemental Application from a global control system supplier to the aerospace industry, industrial operations, and the US Department of Defense. I am personally aware of at least some of the company’s products because of their use in nuclear and fossil power plants, oil and gas facilities, and renewables. When talking to people about this case, those “in the know” asked what’s new? When talking to others who weren’t “in the know”, they were dumbfounded that this could be happening with major equipment suppliers.

The Application had twenty-four questions with some having multiple parts. The form was signed off by the supplier’s Senior Director of IT Security. I am including selected questions and answers that I found most disconcerting as well as the concern expressed by the insurance representative who had contacted me.

The OT Application preamble:

“The purpose of this Application is to assess your OT exposure, security, and controls. For purposes of this Application, we define OT as the practices and technology that monitor and control industrial process assets and manufacturing equipment, as well as those systems that sustain the environment for these systems. OT includes but is not limited to technologies such as supervisory control and data acquisition (SCADA) software, programmable logic controllers (PLCs), physical plant equipment, remote terminal units (RTUs), human-machine interfaces (HMIs), embedded computing technologies, remote industrial software and hardware, and systems for monitoring and controlling any of the foregoing. The Applicant’s responses to this supplemental application apply to all entities to be covered by the insurance sought, including all Subsidiaries as defined under the Policy.”

Selected OT Application questions and responses

Do you have an OT security policy that includes cybersecurity? No

Have you conducted, within the past two years, a cybersecurity incident tabletop exercise that includes cyber threats to OT? No

Do you maintain a complete and up to date centrally held inventory of your OT assets? No

Do you employ individual(s) whose primary responsibility is OT cybersecurity? No

Do you have any OT assets exposed directly to the Internet? Yes

For OT devices with critical cybersecurity vulnerabilities that can’t be patched or updated, please describe other compensating controls that you have in place to prevent exploitation of these devices: “OT devices are segregated from the internal network, and they typically are not connected to the Internet unless critical remote support is required; at which point the support operation is viewed live.”

Does your OT environment contain devices that their manufacturer considers “end of life” or that are no longer supported with security patches or updates? Yes

The vendor made no mention of the ISA62443 series of control system cyber security standards even though several of the standards specifically apply to control system vendors; however, in the vendor’s defense, the Application did not explicitly ask about standards or certification.

Lloyd’s approach

These responses validate Lloyds of London Ltd. concerns identified in https://funancial.news/lloyds-would-exclude-devastating-nation-backed-cyber-attacks-from-insurance-coverage/.

Observations

This Application demonstrates the culture and technical gaps between the IT, OT, and control system communities. How can IT think it is OK not having OT cyber security experts involved?  I, and others “in the know”, do not believe this vendor’s approach is unique and that other critical equipment suppliers are taking the same or similar approaches. I am perplexed to know how any nuclear power plant with this vendor’s equipment (this is most, if not all, US nuclear plants) could pass a Nuclear Regulatory Commission (NRC) cyber security audit. Even worse, this equipment is out-of-scope for a North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance audit. The responses to the Application raise questions about the validity of CISA’s 100-day approaches when this vendor’s equipment is an integral part of electric, water, oil/gas, pipelines, and chemicals facilities.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...