I spoke at a podcast for Marsh’s Marc Schein July 19, 2022 on control system cyber security to be broadcast later (TBD). Because of the Marc Schein interview, I received a call from an insurance specialty insurer who had received an Operational Technology (OT) Supplemental Application from a global control system supplier to the aerospace industry, industrial operations, and the US Department of Defense. I am personally aware of at least some of the company’s products because of their use in nuclear and fossil power plants, oil and gas facilities, and renewables. When talking to people about this case, those “in the know” asked what’s new? When talking to others who weren’t “in the know”, they were dumbfounded that this could be happening with major equipment suppliers.
The Application had twenty-four questions with some having multiple parts. The form was signed off by the supplier’s Senior Director of IT Security. I am including selected questions and answers that I found most disconcerting as well as the concern expressed by the insurance representative who had contacted me.
The OT Application preamble:
“The purpose of this Application is to assess your OT exposure, security, and controls. For purposes of this Application, we define OT as the practices and technology that monitor and control industrial process assets and manufacturing equipment, as well as those systems that sustain the environment for these systems. OT includes but is not limited to technologies such as supervisory control and data acquisition (SCADA) software, programmable logic controllers (PLCs), physical plant equipment, remote terminal units (RTUs), human-machine interfaces (HMIs), embedded computing technologies, remote industrial software and hardware, and systems for monitoring and controlling any of the foregoing. The Applicant’s responses to this supplemental application apply to all entities to be covered by the insurance sought, including all Subsidiaries as defined under the Policy.”
Selected OT Application questions and responses
Do you have an OT security policy that includes cybersecurity? No
Have you conducted, within the past two years, a cybersecurity incident tabletop exercise that includes cyber threats to OT? No
Do you maintain a complete and up to date centrally held inventory of your OT assets? No
Do you employ individual(s) whose primary responsibility is OT cybersecurity? No
Do you have any OT assets exposed directly to the Internet? Yes
For OT devices with critical cybersecurity vulnerabilities that can’t be patched or updated, please describe other compensating controls that you have in place to prevent exploitation of these devices: “OT devices are segregated from the internal network, and they typically are not connected to the Internet unless critical remote support is required; at which point the support operation is viewed live.”
Does your OT environment contain devices that their manufacturer considers “end of life” or that are no longer supported with security patches or updates? Yes
The vendor made no mention of the ISA62443 series of control system cyber security standards even though several of the standards specifically apply to control system vendors; however, in the vendor’s defense, the Application did not explicitly ask about standards or certification.
Lloyd’s approach
These responses validate Lloyds of London Ltd. concerns identified in https://funancial.news/lloyds-would-exclude-devastating-nation-backed-cyber-attacks-from-insurance-coverage/.
Observations
This Application demonstrates the culture and technical gaps between the IT, OT, and control system communities. How can IT think it is OK not having OT cyber security experts involved? I, and others “in the know”, do not believe this vendor’s approach is unique and that other critical equipment suppliers are taking the same or similar approaches. I am perplexed to know how any nuclear power plant with this vendor’s equipment (this is most, if not all, US nuclear plants) could pass a Nuclear Regulatory Commission (NRC) cyber security audit. Even worse, this equipment is out-of-scope for a North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance audit. The responses to the Application raise questions about the validity of CISA’s 100-day approaches when this vendor’s equipment is an integral part of electric, water, oil/gas, pipelines, and chemicals facilities.
Joe Weiss