
Preparedness smooths cyber-recovery

Oct. 3, 2024
Strategic assessments made in advance make disaster recovery in OT environments a lot more effective

Large disaster recovery efforts from cyber-attacks in operational technology (OT) environments are much more than restoration from backups. They are all-encompassing processes that ultimately must identify loss scenarios and their likelihood of occurrence. In fact, the recovery scope includes addressing automation functions, establishing recovery priorities, identifying dependencies in equipment, and finally, the reconstitution of the production process before the time comes for action.

In short, the disaster recovery process from cyber events is never-ending and entails establishing a protection plan that can keep up with the changing efforts of nefarious actors. “Whereas process security means protecting humans from equipment, cybersecurity is all about protecting equipment from humans,” explained Saltanat Mashirova, product management lead - ICS/OT cybersecurity, Honeywell, during a breakout session at this week’s Honeywell Users Group conference in Dallas.

Mashirova, who has been through many disaster recovery processes across multiple industries, together with Chris Bennett, technical lead for Honeywell OT cybersecurity operations in the Americas, presented a roadmap of the disaster recovery journey. It all starts with risk assessment conducted long before any recovery effort is needed.

Levels of recovery

Mashirova outlined four levels of recovery scenarios. It starts with the worst case (SD-0) where all essential integrated control system (ICS) functions over multiple locations are affected. Manual operations in this case are not possible. SD-1 involves the loss of all ICS functions within a single location. Here, manual operations are still possible. Lost interconnectedness between locations (SD-2) follows, and SD-3 means an individual essential ICS function/package within a given unit is lost but there is no process downtime.

She also outlined loss scenarios ranging from the destruction of field device firmware to full encryption or disk wipe of all network-connected essential functions. In between, losses can include destruction of network device firmware, destruction of network device operating systems, or loss of network performance or connectivity.

Cyber-physical risks

Cyber-physical risk extends beyond the digital realm, Bennett said. It involves the intersection of process automation systems with physical and chemical processes. Threats can lead to machinery damage, disruptions in operations, impacts on safety, environmental harm, financial instability and regulatory non-compliance.

A comprehensive risk management program can involve different approaches. For example, an integrated approach considers cybersecurity measures, process safety barriers, protection layers and physical safety protocols.

A granular approach to risk assessment is essential due to the complex interplay between digital and physical components. This allows for precise identification, evaluation and mitigation of risks tailored to the specifics of the installation and each unique component within the system.

Meanwhile, cyber-physical risk assessment is scenario driven. It focuses on detailed evaluations and mitigates the risks effectively.

The assessment must also examine the origins and impacts of the disaster on both OT systems and broader elements. OT risks are tangible consequences such as equipment damage, production downtime and safety hazards. However, unlike cyber risks that focus on digital assets, cyber-physical risks include machinery-related concerns essential to process automation.

During the recovery phase, it is vital to use a structured approach, Bennett said. In addition, he and Mashirova implored the audience to follow up with the reconstitution of the production process to ensure a smooth transition back to normal.

When it comes to cybersecurity in OT environments, consistent testing is also required, with the experts on stage recommending testing every six months. Attentiveness to the whole process and proper planning can help keep your systems running even in the face of inevitable cyber-attacks.

About the Author

Len Vermillion | Editor in Chief

Len Vermillion is editor-in-chief of Control.