15 Apr 2024
by Suzanne Wharton

Protecting your estate: securing your operational technology

Guest blog by Suzanne Wharton, Cyber Security Consultant at AtkinsRealis #techUKOTSecurity

Protecting your estate: securing your operational technology

Operational technology is at the heart of defence activities, from equipment and munitions manufacturing to fuel delivery and building management. Suzanne Wharton describes some of the work AtkinsRéalis’ has delivered to UK defence suppliers, helping the organisations understand and address their systems’ vulnerabilities, and improving their security posture.

While many organisations’ have strong cybersecurity processes and activities in place to protect their information technology systems, there is often a lack of maturity in the security awareness and culture surrounding companies’ operational technology (OT). Organisational siloes may mean the way the operational/production side works differs from the information technology side, and is not shared across different departments. This results in there being a gap in understanding at board level. Add to this competing stakeholder requirements – with the needs of operational production vying with those of security controls, plus ageing, legacy and obsolete systems which can’t easily be secured, and it can be a real challenge to achieve improvements in industrial control systems’ security.

But the potential outcomes of cyber attacks on operational systems in defence could be extremely damaging. From lengthy shutdowns, to intellectual property risks, to safety problems – by affecting a business’s operations, attackers can have a serious impact. A recent US study on the state of OT security found that of the ~2,000 industry respondents, nearly 70% had experienced cyberattacks during the past year, and one in four said they had to shut down their operations temporarily due to a cyber attack.[1]

To protect its operational systems against these risks, our clients have sought to assess the security of their OT estates, to ensure they comply with UK and US regulations, internal standards, external safety requirements and customer needs. Our AtkinsRéalis experts deliver the security assessments they need to identify the estate and their risks, and then support the activities required to remediate their vulnerabilities.

Understanding the problem, developing the solution

For one defence client, our first step was to assess the security of the systems within the project’s scope. In some areas, the client was able to provide detailed information relatively quickly, but in other areas that level of detail was lacking, or was held by third parties and difficult to obtain. This is a common theme for OT, and something we see frequently across other sectors as well as defence. Using client-provided templated documents, we visited a range of sites identifying, collecting and documenting information relating to assets within the project’s scope and their security.

We used this information, along with feedback from discussions with key stakeholders, to produce an asset register, simple network diagram, solution design document, and risk identification document, as well as a gap analysis showing where systems didn’t align with the controls specified in NIST-800-82 Rev.3. Several security concerns were identified that had not been discovered during the client’s initial review, including issues with security in the supply chain and boundary control issues.

Once we had gained an understanding of the vulnerabilities, in collaboration with the client’s team including the design authority, security, and control engineers, we supported the remediation activities needed to mitigate the identified shortcomings. By giving the client visibility of the security posture of its OT estate for the first time, it was able to understand the business risks associated with the security needs identified in these areas. The additional guidance we offered to support it in remediating these shortcomings, gave management the information needed to secure buy-in and, perhaps more importantly, funding for the required work.

A single source of security truth

In developing the internal governance documents, we ensured the client’s OT systems would be in line with both industry best practice and NIST SP-800-82 wherever possible, or with the client’s own internal security standards. Where this was not possible, this was clearly articulated to ensure the associated risks were appropriately managed. Delivering this full and thorough suite of documentation, covering security risk assessments and solution design, provided the client with a single authoritative source for all security-related information relating to its OT estate.

Created to meet the client’s own internal standards, which were developed to align with NIST SP-800 controls, the new solution will be able to be understood and maintained effectively by in-house teams. This will support ongoing operation and maintenance, benefitting reliability, as well as any future modification of the OT systems. It will also provide ready-made guidance on security measures when new systems are bought by the client. In assuring the cybersecurity of its OT estate, we helped the client protecting its operations, and keep its operational technology heart beating.


techUK’s Operational Technology Security Impact Day 2024 #techUKOTSecurity

techUK’s Cyber Programme is delighted to be holding our first securing Operational Technology (OT) security impact day to showcase how cyber companies are helping organisations to secure their OT and navigate the convergence of IT/OT systems.

Find all the insights here!

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more

Join techUK's Cyber Security SME Forum

Our new group will keep techUK members updated on the latest news and views from across the Cyber security landscape. The group will also spotlight events and engagement opportunities for members to get involved in.

Join here

Upcoming Cyber Security events

Cyber Security updates

Sign-up to get the latest updates and opportunities from our Cyber Security programme.

 

 

 

 

Authors

Suzanne Wharton

Suzanne Wharton

Cyber Security Consultant, AtkinsRealis