By Brett Ogilvie, Principal Consultant at Business Aspect
Over the last 12 months, we have seen increasing requests from our clients to assist with the implementation of Essential Eight into their Operational Technology (OT) environments. While the intent is commendable, the application of these controls into OT isn’t always as straightforward as someone from the Information Technology (IT) world may think.
In the world of OT security, the traditional Confidentiality, Integrity, and Availability (CIA) triad takes on a nuanced form, represented as Availability, Integrity, and Confidentiality (AIC). It is sometimes referred to as SAIC, with Safety being a pivotal component.
As organisations seek to improve their cyber security posture, encouraged in part by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, adopting the Essential Eight strategies becomes a key target for many. Yet, applying these strategies in an OT environment is fraught with challenges that demand a tailored or alternative approach.
An Overview of the Essential Eight
- Application Control: This strategy involves restricting the execution of unauthorised applications and scripts to prevent malware from running on systems.
- Patch Applications: Keeping application software up to date with the latest security patches to prevent known vulnerabilities from being exploited.
- Configure Microsoft Office Macro Settings: Microsoft Office macros are used in many cyber-attacks, so we establish settings to prevent malicious macros from running.
- User Application Hardening: Prevent malicious actors from accessing and exploiting vulnerabilities by hardening user applications.
- Restrict Administrative Privileges: Limiting administrative privileges helps prevent malicious actors from gaining access to sensitive data or making significant changes to systems.
- Patch Operating Systems: Maintaining operating systems by updating them with the latest security patches helps prevent known vulnerabilities from being exploited.
- Multi-Factor Authentication: Use multi-factor authentication to prevent unauthorised access to systems.
- Regular Backups: This strategy involves backing up data regularly to limit data loss in the event of a cyber-attack.
In OT security, human safety is always at the forefront, emphasising the unique nature of OT systems, where computers interact with people in the real world. Ensuring the reliability and integrity of critical infrastructure control systems is paramount, requiring a meticulous balance between security and the core function of these systems. It is also key to remember that, once implemented, OT systems tend to run for many years; it is not unusual to see a 15-year-old system in an OT environment.
Implications of Essential Eight in OT Environments
Application Control Dilemma
The implementation of application control in OT environments necessitates a delicate approach. Striking a balance between securing systems and avoiding interference with critical infrastructure control is challenging. Rigorous scrutiny is essential to ensure that security measures do not inadvertently inhibit the seamless operation of control systems. Achieving Maturity Level 1 for application control involves blocking scripts, executables and compiled HTML from running in a standard user’s profile.
In an OT environment, there is often the requirement for scripts to function and executables to run from the user environment due to the older design of systems. This needs to be carefully considered before the implementation of application control.
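Before enforcing an application control policy on an OT workstation, it helps to know exactly what would be blocked. The following PowerShell script is an added example (not from the original article) that inventories executables, scripts and compiled HTML inside standard user profiles, the content types Maturity Level 1 prevents from running there, and records their signing status so that required vendor content can be allow-listed before enforcement. It assumes local administrator rights and the default C:\Users profile root.

```powershell
# Added example: inventory content in user profiles that an Essential Eight ML1
# application control policy would block, so the OT system owner can review it
# in audit mode first. Assumes local admin rights and profiles under C:\Users.
$Extensions  = '*.exe','*.dll','*.ps1','*.bat','*.cmd','*.vbs','*.js','*.chm','*.hta','*.msi'
$ProfileRoot = 'C:\Users'

$Findings = Get-ChildItem -Path $ProfileRoot -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Authenticode status tells us whether a publisher rule could cover the file.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path      = $_.FullName
            Extension = $_.Extension.ToLower()
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SigStatus = $sig.Status
            LastWrite = $_.LastWriteTime
        }
    }

# Signed vendor content can usually be allowed by publisher; unsigned items need a
# hash or path rule once the vendor confirms they are required for operations.
"Items found per publisher:"
$Findings | Group-Object Publisher | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Unsigned or invalidly signed items (review with the system vendor before enforcing):"
$Findings | Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object Path | Select-Object Path, Extension, LastWrite | Format-Table -AutoSize

# Keep a record for the change request that accompanies the application control rollout.
$Findings | Export-Csv -Path "$env:TEMP\ot-appcontrol-review.csv" -NoTypeInformation
```

Run it on a representative engineering workstation and HMI host; the CSV becomes the starting allow-list for an audit-only policy, which should run through at least one full operational cycle before enforcement.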
Application Patch Management Challenges
Patching applications in OT environments requires a collaborative effort with system vendors. Unlike conventional IT environments, OT systems often operate under stringent operational requirements that may conflict with the proposed schedules of Essential Eight. Customised patching strategies aligned with vendor consultations are imperative to maintain operational integrity.
The applications in use inside OT environments tend to differ significantly from those in IT, and vendors release patches on an as-required basis; there is no “Patch Tuesday” for OT.
Microsoft Office Macro Settings Irrelevance
In an OT environment, the relevance of configuring Microsoft Office macro settings comes into question. Given the unique functions of OT systems, the conventional expectations of Essential Eight may prove irrelevant, as macros will tend to be either completely absent (as will Microsoft Office) or a key element in extracting data from OT systems for the business. Either way, the settings proposed in Essential Eight aren’t helpful.
User Application Hardening Challenges
Essential Eight’s expectations around user application hardening may pose challenges for older OT systems where IE11 is a key component. Striking a balance is essential to address the specific requirements of legacy systems without compromising their functionality. Generally, Maturity Level 1 application hardening is recommended where possible; at higher levels, take great care that blocking PowerShell scripts does not break anything.
Administrative Privileges Balancing Act
Restricting administrative privileges is a crucial security measure but must be approached judiciously in an OT environment. Careful consideration is required to apply these restrictions without impeding critical processes, recognising the unique demands of operational systems.
Many systems were implemented between 2000 and 2015 with no thought to limiting administrative access, so little or no effort has been made to determine what access each system actually requires, and the default has been to run with Administrator privileges. It is recommended that administrative privileges be limited where possible, with due care not to impact operational stability.
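Because the required access was rarely documented, the first step is to discover which accounts actually hold or use administrative privileges on each host. The PowerShell below is an added example (not from the original article) that lists local Administrators group members, services not running under a built-in service identity, and scheduled tasks that run elevated. It assumes Windows 10 / Server 2016 or later for Get-LocalGroupMember; on older OT hosts substitute `net localgroup Administrators` for that step.

```powershell
# Added example: discover real administrative usage on a Windows OT host so that
# privilege restriction can be planned against evidence rather than assumptions.
# Assumes Windows 10 / Server 2016 or later and local admin rights to query.

# 1. Members of the local Administrators group (users, domain groups, service accounts).
$Admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Services running under a named account rather than a built-in service identity.
#    These are the accounts an OT vendor must confirm before privileges are reduced.
$BuiltIn  = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$Services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($BuiltIn -notcontains $_.StartName) } |
    Select-Object Name, StartName, StartMode, State

# 3. Scheduled tasks that request highest privileges (often legacy data-export jobs).
$Tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.RunLevel -eq 'Highest' } |
    Select-Object TaskName, TaskPath,
        @{ Name = 'RunAs';    Expression = { $_.Principal.UserId } },
        @{ Name = 'RunLevel'; Expression = { $_.Principal.RunLevel } }

"Local Administrators group members:"
$Admins   | Format-Table -AutoSize
"Services not using a built-in service identity:"
$Services | Format-Table -AutoSize
"Scheduled tasks running with highest privileges:"
$Tasks    | Format-Table -AutoSize

# Record the baseline; compare after each privilege change to catch regressions.
$Admins   | Export-Csv -Path "$env:TEMP\ot-admins-baseline.csv"   -NoTypeInformation
$Services | Export-Csv -Path "$env:TEMP\ot-services-baseline.csv" -NoTypeInformation
```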
Patch Operating Systems with Caution
Patching Operating Systems in an OT environment demands a cautious approach. Collaboration with system vendors and adherence to operational schedules are vital to prevent disruptions to critical infrastructure.
One of the highest-risk elements is Operating System patching, both from failing to perform the task and from the potential impact of getting it wrong.
Rule 1 of Operating System Patching in an OT environment is “Only implement vendor-approved patches”. The vendors have tested these patches to avoid impacting operations or safety.
Multi-Factor Authentication Complexity
While multi-factor authentication is essential for securing access points such as the DMZ and jump boxes, its implementation within the OT environment is intricate. Haphazard communications infrastructure in remote areas and the critical nature of access necessitate a carefully calibrated approach to avoid unintended consequences.
Emphasis on Regular Backups
Acknowledging the critical nature of OT systems, regular backups emerge as a non-negotiable element of Essential Eight. Robust backup strategies should be in place to ensure swift recovery and continuity in the event of a cyber security incident.
Conclusion
Implementing Essential Eight in an OT environment as it is specified, in the form of a Microsoft-based IT set of controls, is not viable. Implementing its concepts (or intent) in OT demands a nuanced, customised, risk-based approach. There are dedicated security concepts available for OT, such as the “Five Critical Operational Technology (OT) Cyber Security Controls”, which may provide a better basis.
By recognising the unique challenges posed by safety-centric Availability, Integrity and Confidentiality principles, and by carefully considering how to implement controls that produce the outcomes conceptualised in Essential Eight rather than rigidly attempting to implement the framework as written, organisations can fortify their OT cyber security posture effectively. The path forward lies in a harmonious integration of security measures that safeguard critical infrastructure without compromising operational safety or efficiency.