Safely secure OT networks

When defining the responsibility of managing OT cybersecurity, it is first important for an organization to ensure electrical safety and reliability are not an oversight.

This means employing personnel or trusted third parties who fully understand electrical safety codes and standards in addition to a facility’s technology, connectivity systems, critical processes and cybersecurity risks. In this article, the importance of electrical safety as it relates to OT cybersecurity will be explained by exploring:

• Electrical safety risks of securing OT
• The essential role of qualified workers
• Safely managing OT cybersecurity

An IT security professional who has not completed proper training on handling electrical equipment or been through a facility safety briefing does not have the requisite preparation to make informed decisions when it comes to securing these environments.

Unlike today’s cutting-edge IT networks, OT systems often contain a mix of legacy and modern equipment. In the past, OT equipment was simply cut off or “air-gapped” from all communications networks to minimize vulnerability. Today, operational technology needs to be connected to broader communication networks to support more informed, real-time decisions.

This means cybersecurity professionals can be required to open energized electrical enclosures to capture network traffic or update firmware. Interacting with energized equipment is high risk, requiring a thorough understanding of electrical safety codes and standards outlined by the National Fire Protection Association (NFPA) in the following documents:

• NFPA 70 The National Electrical Code (NEC) — provides installation requirements
• NFPA 70E-2021 — covers the topic of electrical safety in the workplace
• NFPA 70B — covers electrical equipment maintenance
  

NFPA 70E includes requirements for safe work practices to protect personnel by reducing exposure to major electrical hazards, including shock, electrocution, arc flash and arc blast. These requirements rely on proper installation (in accordance with the NEC) and maintenance (performed in accordance with NFPA 70B).

NFPA 70B also covers critical requirements for safely accessing and evaluating many common OT technologies, such as motor controls, automatic transfer switches and more. The code provides guidance on topics such as:

• Required personal protective equipment
• Safety/hazards assessment
• Safety instrumented systems
• Lock-out tag-out and safe work procedures
• Common failure modes for equipment under control

At Eaton, newcomers to the electrical industry must take (at minimum) a three-week training program and pass multiple live demonstration tests before working on energized equipment under the supervision of a seasoned professional. It typically takes upward of a year of in-person training and support before maintenance professionals are prepared to safely work on or around energized equipment on their own. I believe the same stringent training processes and commitment to electrical safety should apply to professionals tasked with securing OT networks and systems.  

Traditionally, trained cybersecurity personnel are well-versed on the system characteristics of confidentiality, integrity and availability — but are not trained to operate with electrical safety and system reliability in mind. This challenge goes both ways. For example, electrical engineers aren’t often taking classes on cybersecurity, and cybersecurity personnel aren’t often trained on electrical safety.

Addressing cybersecurity on OT networks requires comprehensive cross-functional consideration and typically is not the responsibility of any single discipline or entity within an organization, resulting in distributed or ambiguous ownership.

Specific real-time consideration of the availability, performance, safety and other needs of the system should be considered. Often, given the embedded nature of components in these networks, typical IT methods, tools and policies are either not effective or can damage the system. Scanning a system of laptops and workstations with a tool designed for these assets is different than scanning a network of controllers and other embedded devices. The impact of improper interaction with these systems can range from a device failure or process disruption to random data dumped onto a network

So how do you address safety and cybersecurity for OT systems?  

There is an essential need to advance safety, reliability and cybersecurity throughout the entire lifecycle of the facility. The ability to safely assess, interact and harden the equipment found in critical power systems helps minimize risk to personnel and reduces likelihood of downtime. 

For example, a failure in physical processes used to evaluate the cybersecurity of critical power system architecture can result in a direct failure in the critical application. Extreme efforts are made at the design, build and operational phases to ensure continuous operation and reliability in critical environments. Electrical infrastructure is complex and requires highly qualified personnel to secure it. If an individual is not familiar with the basic principles of electrical safety, accidents are more likely and can result in personal injury and downtime.

Therefore, action items for personnel tasked with the OT cybersecurity of any operation should include the ability to:

• Inventory all connected hardware, software and dataflows
• Assess facility OT networks and assets to evaluate the attack surface and discover known vulnerabilities and weaknesses
• Understand critical processes and how cybersecurity processes could negatively impact uptime
• Evaluate the electrical safety codes and requirements associated with lifecycle cybersecurity maintenance to support personnel safety, uptime and compliance

Together, these tasks require comprehensive knowledge of:

• OT and ICS applications and processes
• Electrical safety codes and standards
• Electrical reliability and uptime 
• Industrial network defense
• Cybersecurity regulation and guidance
• Cybersecurity assessment and vulnerability detection
• Defensive technologies and approaches
• Lifecycle cybersecurity maintenance 

Cybersecurity risks to connected systems have never been greater, as malicious threat actors look to exploit system vulnerabilities. These vulnerabilities often exist on electrical system assets with the least cybersecurity oversight.

To address these potential vulnerabilities, critical industries require expertise in power systems engineering and cybersecurity. The goal is to safely assess, interact and secure critical power system networks without risking the safety of personnel or uptime of critical processes. This is complex and requires in-depth training and experience. Sometimes, it is best to bridge this critical knowledge gap by partnering with an experienced third-party organization that understands the risks associated with unique operations. At the end of the day, the most important thing is protecting what matters: your personnel, data and critical processes.