HxGN Radio Podcast

Operational Technology (OT) cybersecurity – the vital next step in digitalisation (Part I)

In this special, 3-part series entitled, “Operational Technology (OT) cybersecurity – the vital next step in digitalisation”, we discuss the cyber threats faced by industrial companies around the world.

This first episode is a conversation with Rida El Hajj, Vice President of Sales, and Syed M. Belal, Director of OT Cybersecurity Consulting Services, both joining us from Hexagon’s Asset Lifecycle Intelligence division, and is hosted by Ian Simm, a regular contributor to Petroleum Economist. This podcast series is created in partnership with Petroleum Economist and also broadcasts on PE Live Podcast.

BK: Hello and welcome to this special episode of HxGN Radio. I’m Beth Keener-Dent.

Today, we’re starting a new 3-part series of podcast episodes on cybersecurity – “Operational Technology (OT) cybersecurity – the vital next step in digitalisation”, to help you understand the cyber threats faced by industrial companies around the world. This podcast series is created in partnership with Petroleum Economist and broadcasts on PE Live Podcast.

This first episode is a conversation with Rida El Hajj, Vice President of Sales, and Syed M. Belal, Director of OT Cybersecurity Consulting Services, both joining us from Hexagon’s Asset Lifecycle Intelligence division, and is hosted by Ian Simm, a regular contributor to Petroleum Economist. Thank you for listening and we hope you enjoy.

IS: Hello and welcome to PE Live Podcast. My name is Ian Simm. I’m a regular contributor to Petroleum Economist, and it brings me great pleasure to present a new three-part podcast series titled, “Operational Technology (OT) cybersecurity – The vital next step in digitalisation”, brought to you in association with Hexagon.

Oil and gas, power and utilities, plants and facilities are often key national strategic assets. The digitalisation of this critical infrastructure poses challenging questions around the relationship between data availability, integrity, and confidentiality, as well as safety concerns in an ever-changing operating environment.

This episode is titled, “Reducing the risks of the operational technology assets that matter most”, and it is presented in association with Hexagon’s Asset Lifecycle Intelligence division. The second and third episodes in the series will follow in September and October, respectively.

To navigate this fascinating and complex topic, I’m lucky to be joined today by Rida El Hajj, vice president of sales; and Syed M. Belal, director of OT Cybersecurity Consulting Services, both of whom join us from Hexagon.

Rida joined PAS, now part of Hexagon, in April 2014 and was responsible for sales management and business development for the Middle East. Since November 2021, he has been responsible for OT cybersecurity and strategic initiatives in the Middle East. Rida has a deep knowledge of the Middle East and GCC process industry market, developed over almost 29 years in the sector.

Syed heads up cybersecurity consulting within Hexagon’s Asset Lifecycle Intelligence division. He has more than 15 years of experience in industrial control systems and operational technology, spanning industrial automation, SCADA, control, and safety systems applications used in critical infrastructure.

Thank you both for joining me. To kick off this podcast, Rida, I’d like to come to you first.

RH: Hey, Ian.

IS: Hi. How are you doing?

RH: Good, good. How are you?

IS: Very well, thank you. Thank you.

So, firstly, I’d like to ask you. As new digitalisation technologies are introduced, are we effectively assessing cybersecurity and process safety risk?

RH: Sure. As new digitisation technologies are introduced, Ian, we are seeing an expansion in process safety and cybersecurity risk due to the expanded attack surface. Effectively assessing the new industrial landscape begins with a risk assessment as new interconnectivity, digitisation, automatic control systems, and other technology advances are introduced. So, the right approach will be identifying the risks that are introduced as part of digitisation and reducing them to an acceptable level.

Risk management is a continuous process, as you know. Every time you make a change, it requires a risk assessment for either the asset segment or the OT network. Moreover, talking about cybersecurity, implementing patches and network segmentation are also changes. It is recommended to do a risk assessment after cybersecurity measures are implemented to evaluate the effectiveness and risk reduction.

I hope I answered your question, Ian.

IS: Absolutely, absolutely. It seems like a moving target. Thank you very much, Rida.

Syed, I’d like to bring you in here. We’re talking about this—

SB: Hi, Ian.

IS: Hi, there. How are you doing?

SB: Good, good. Good, good.

IS: Syed, what lessons can be learnt from IT cybersecurity efforts? Should we be approaching OT cybersecurity with the same mindset? Or should we be applying a new way of thinking towards it?

SB: Oh, well, in short, you know, IT deals with information and OT, operational technology, deals with physical processes and machinery. So ultimately, the goal of operational technology is to ensure safe, reliable and profitable production. What you’re seeing is several challenges to that effect. Industrial organisations are at a critical stage. There is a tremendous increase, and to be frank, you know, in fact, pressure to drive digital transformation to run the plant more efficiently.

So as we introduce new technologies into the OT network, we increase connectivity for activities such as moving data from the lower levels of the IEC 62443 model to the corporate level or a cloud for analysis. Now that we have IT-OT connectivity, as a result we’re seeing an expanding attack surface, like you just mentioned, Rida, as well. So, the malicious actors or hackers are getting smarter about the industrial environment and control systems. The attacks are getting more sophisticated.

If I may take the example of SolarWinds, that used seven zip codes to hide. We all know the SolarWinds attack was not specifically targeting critical infrastructure. However, it provided a playbook that can be used by other malicious hackers to inject code into operational technology. On top of that, there are other toolkits such as 5G that can be used to exploit operational technology.

At the same time, we find that the operational technology network has other challenges, such as incomplete asset inventory, human error, and inadequate management of change, meaning changes that took place without effective procedure and documentation. So, if you do not have good management of change and documentation, it really becomes difficult to identify what is an authorised change and what change actually happened or may have been made by attackers or hackers.

I hope I answered your question. Thank you.

IS: Absolutely. And just to kind of follow up on that, if we’re facing such a changing environment, how can attacks on OT assets be detected? What’s the first sign of these attacks?

SB: Again, thanks for this question. You know, it is really important to detect the attack at an early stage. As the attack progresses, you know, it often causes more damage. So, there are IT tools implemented in OT networks, such as network or host intrusion detection or prevention systems, that can detect attacks or intrusions.

However, understand that OT network communication and packets are different from the IT world. The number of false positives is quite high. So, in my opinion, the most effective approach will be knowing the OT network. No one knows the OT network better than its users: the automation users, the safety system users, and engineers.

So, for example, if you see cursors that are automatically moving on the operator graphics; if you notice a network device loading is more than 90% when it was never above 40%; if a login from an automation engineer who is not present on site is seen at 3:00 in the morning; if pump pressure or temperature are reaching above the high limit or high-high limit and alarms are suppressed, so operators are not getting alarms. These are signs that something’s wrong. The right approach will be continuously looking for abnormal behaviour of the OT network and calling the investigation team when an abnormality is noticed. Thank you.

IS: Okay. Perfect. Thank you, Syed. So, we’re looking out for abnormal behaviour and looking out for these outliers compared to your regular statistics. Fantastic.

Rida, can I come back to you here?

RH: Sure. Go ahead.

IS: Great. So, if security procedures and protocols are implemented, what impact are these going to have on our digitalisation and process safety efforts?

RH: Frankly speaking, implementing security procedures and protocols may restrict some of the exposure. For example, firewall ports may be open 2 hours instead of 24. Passwords may not be shared, and operators may have their own complex, different passwords. These practices may be considered detrimental to digitisation and process safety, as some may argue that the benefits of digitisation and connectivity are not 100% gained from not opening the firewall ports at all. Moreover, having a complex password may cause delay in logging in to critical safety workstations.

On the other hand, if these cybersecurity good practices are not followed, attackers may explore the exposure and break into the network and target the safety systems that are the last line of defense. Security procedures and protocols should always be considered. The goal is to protect critical infrastructure from cyber attackers and improve business continuity and sustainability. The key to effective implementation of any cybersecurity measures is proper training of personnel.

IS: Yeah, yeah. That’s great. So presumably the starting point in this entire process is mindset so that people are engaged and willing to take perhaps, as you say, a little longer to log in, a little longer to start up and make sure that they’re implementing the correct safety protocols from the beginning.

RH: Absolutely. Awareness, like we do operational awareness; personnel awareness and training is key here.

IS: Okay, fantastic.

Syed, I’m going to come back to you here. When we’re implementing new security measures around process safety, what would you say are the major implications for cybersecurity and digitalisation efforts? I mean, I cover the oil and gas industry predominantly, but also renewables and energy more broadly. People talk about digitalisation a lot. And it’s a very broad term that I think has been turned into something that not many people know what it actually is. So maybe you can say here what the security implications actually are of implementing this process safety.

SB: Thanks, Ian. I really like the question, and I liked what Rida said. Safety systems are actually not the last line of defense. So as the business benefits from digitalisation, interconnections, etc., cybersecurity must be part of this transformation. Interconnectivity has benefits, but not at the cost of compromising good or best cybersecurity practices.

So, all the best cybersecurity practices such as network segmentation, inventory management, vulnerability management, change management, etc. must be applied to protect the safety system, which is again, like you just said, the last line of defense. Considering the criticality of the safety system, I would avoid all kinds of cyber risk. However, when or if it is not really possible to avoid the cyber risk due to digitalisation or connectivity, all in all, getting to 100% or running the plant 100% efficiently, then I would go for alternative controls. And alternative controls must be implemented to reduce the risk or to ensure the cyber risk is at least, you know, below the acceptable level. So, in case someone exploited them, at least, you know, we can afford the loss.

Thank you.

IS: Okay. So here we’re kind of going to the point of the cost of progress, I suppose, where we’re looking at, you know, when we implement more and more interconnectivity between assets and operations, the risks therefore grow. Is that correct? Am I correct in thinking that?

SB: Absolutely. That’s correct.

IS: Okay. So, it’s the counter to the progress that we’re seeking to make.

Syed, I’m going to stick with you here because we want to touch on the principle of least privilege, which states that a subject should be given only the privileges that it needs to complete its task. I think this kind of ties really nicely to the last question, because as we’re talking about expanding our portfolios and everything else, we’re going to be adding new assets. How well has this been accounted for in digitalisation so far to date as an industry?

SB: Right. Frankly speaking, you know, in some cases it is possible and in some other cases, it is not possible. So, I’m talking about the principle of least privilege here. So let me give you examples.

It is possible if the subject is a human. Access to the files and folders can be restricted based on his or her job responsibilities. For example, I can ensure the safety system engineer does not have access to configure the industrial DMZ firewall. Similarly, the network security engineer should not be able to log into the safety system or change the mode to programme mode. But unlike IT, you know, OT has the lower levels of IEC 62443 assets where everything is interconnected. For example, the sensor communicates with SPI, Smart Plant Instrumentation; this is the distributed control system, AMS, asset management solutions; and the control systems communicate with the data historian. So, it is very difficult to limit the access of the object, which is the sensor in this case. So, we may apply the principle of least privilege at higher levels, such as IEC 62443 level 3.5 or 3. However, at lower levels such as IEC 62443 level 1 or 2, we need to apply alternative best practices or controls. And they are change management, validating backups. I can think of using automated tools to validate data integrity and control strategies.

IS: Great. Thank you, Syed.

So, we’re really again, looking at a behavioural change to ensure that the security is maximised throughout processes and throughout operations.

Rida, I’d like to come to you on a kind of broader, maybe industry wide question, to kind of run things out a bit. Everyone’s been hit by high utilities prices, which more or less relate to commodity price rises and supply concerns. However, the opposite end of that is that investors are feeling greater confidence about investing in the market. With the energy industry attracting so much more investment and M&A potentially on the rise or probably already is on the rise, how easily can newly acquired assets be integrated into our portfolios to maintain protection across those portfolios? Really, if we’re looking at new plants, new production facilities, new generation facilities, how easily can we knit these in with our existing infrastructure?

RH: Well, thank you, Ian, for the question. I think, you know, I agree with you. The market, really the M&A market, really appears on the rise for acquisitions and mergers. But this is really the challenge. This is a real challenge. As a security manager, imagine overnight you now have a responsibility to secure an entirely new network that was acquired, you know, recently. This is a real challenge. And to ease this burden, having an inventory management solution in place that can scale to the newly acquired network is important in this context. This will give you baseline visibility into the new assets and the vulnerabilities identified. From there, you will have the data and insights needed to build a road map to lower risk and maintain business sustainability and business resilience.

IS: Fantastic.

RH: I hope I answered your question. It’s really—

IS: Yeah, absolutely. It sounds like the key point in this juncture.

RH: Yeah. It’s having the right tools, the right inventory solutions. A management solution in this case is the key. So, it’s easy for you to really get the newly acquired assets on board and understand their vulnerabilities and make the right decisions to lower those risks.

IS: Perfect. So, providing management with the tools to make the decisions to keep your assets secure, I guess is the starting point for all as we look at expanding ever outwards with our businesses.

RH: Absolutely, absolutely. It’s about having the right tools and giving the right information to the right people at the right time to make the right decisions.

IS: Fantastic, fantastic.

Gents, do you have anything else that you would like to add at this juncture? I mean, Syed, would you like to come in on that point as well?

SB: Yeah. I mean, as a final statement, you know, if I had to leave you with one final thought, you know, I would say the foundation of any operational technology security programme starts with inventory management and visibility. So, for security managers, you know, this will give a view into what areas of the network must be addressed first. So, we have experienced this with different users and critical infrastructures. So, I’m definitely sure this will help to prioritise time and resources for the biggest risk reduction. So, I’ll leave with that statement.

IS: Thank you very much for your contributions, both of you, gents.

And thanks also to our listeners for joining in for this episode of the PE Live Podcast series, “Operational Technology (OT) cybersecurity – the vital next step in digitalisation”. And we’re very proud to present this in association with Hexagon. Thanks, again.