Constraints to implementing the Essential Eight in Operational Technology Environments

By Brett Ogilvie, Principal Consultant at Business Aspect

Over the last 12 months we have seen increasing requests from our clients to assist with implementing the Essential Eight in their Operational Technology (OT) environments. While the intent is commendable, applying these controls in OT isn’t always as straightforward as someone from the Information Technology (IT) world may expect.

In the world of OT security, the traditional Confidentiality, Integrity and Availability (CIA) triad takes on a nuanced form: the priorities are reordered as Availability, Integrity and Confidentiality (AIC), and the triad is sometimes referred to as SAIC, with Safety as the pivotal component.

As organisations seek to improve their cyber security posture (with some encouragement from the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022), adopting the Essential Eight strategies becomes a key target for many of them. However, applying these strategies in an OT environment is fraught with challenges that demand a tailored or alternative approach.

A quick overview of the Essential Eight:

  1. Application Control: This strategy involves restricting the execution of unauthorised applications and scripts to prevent malware from running on systems.
  2. Patch Applications: Keeping application software up-to-date with the latest security patches to prevent known vulnerabilities from being exploited.
  3. Configure Microsoft Office Macro Settings: Microsoft Office macros are used in multiple cyber-attacks, so we establish settings to prevent malicious macros from running.
  4. User Application Hardening: Prevent malicious actors from accessing and exploiting vulnerabilities in user applications by hardening those applications.
  5. Restrict Administrative Privileges: Limiting administrative privileges helps prevent malicious actors from gaining access to sensitive data or making significant changes to systems.
  6. Patch Operating Systems: Maintaining operating systems by updating with the latest security patches helps prevent known vulnerabilities from being exploited.
  7. Multi-Factor Authentication: Use multi-factor authentication to prevent unauthorised access to systems.
  8. Regular Backups: This strategy involves backing up data regularly to limit data loss in the event of a cyber-attack.

In OT security, human safety is always at the forefront, emphasising the unique nature of OT systems, where computers interact with people in the real world. Ensuring the reliability and integrity of critical infrastructure control systems is paramount, requiring a meticulous balance between security and the core function of these systems. It is also key to remember that OT systems, once implemented, tend to run for many years; it is not unusual to see a 15-year-old system in an OT environment.

Implications of each element of Essential Eight in the OT environment.

Application Control Dilemma:
The implementation of application control in OT environments necessitates a delicate approach. Striking a balance between securing systems and avoiding interference with critical infrastructure control is challenging. Rigorous scrutiny is essential to ensure that security measures do not inadvertently inhibit the seamless operation of control systems. Achieving Maturity Level 1 for application control involves blocking executables, scripts and compiled HTML from running within a standard user’s profile.

In an OT environment there is often a requirement for scripts to function and executables to run from the user environment, due to the older design of these systems. This needs to be carefully considered prior to the implementation of application control.
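The practical way to find out what a legacy OT host actually runs from user profiles, before an application control policy is enforced, is to run the policy in audit mode and summarise what it would have blocked. The script below is an added example, not code from the article or from Business Aspect. It assumes AppLocker has already been deployed in "Audit only" mode for the EXE/DLL and Script rule collections on a Windows 7 / Server 2008 R2 or later host, and it reads the audit events (IDs 8003 and 8006, "would have been prevented from running if the AppLocker policy were enforced") from the AppLocker event logs.

```powershell
# Added example (not from the article): summarise AppLocker audit-mode events so the
# scripts and executables an OT host runs from user profiles are known before the
# policy is switched from audit to enforce.
# Assumptions: AppLocker is deployed in "Audit only" mode for the EXE/DLL and Script
# rule collections; Get-WinEvent is available (Windows 7 / Server 2008 R2 or later).

$logNames = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

# Event 8003 (EXE/DLL) and 8006 (script/MSI) are the audit-mode "would have been
# blocked" events. SilentlyContinue suppresses the error raised when a log is empty.
$events = foreach ($log in $logNames) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8006 } -ErrorAction SilentlyContinue
}

function ConvertTo-AccountName {
    # Best-effort SID to account-name translation; falls back to the raw SID
    # (orphaned local accounts on old hosts often cannot be translated).
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$findings = foreach ($e in $events) {
    # The useful fields live in the UserData/RuleAndFileData section of the event XML.
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $type = if ($e.Id -eq 8003) { 'EXE/DLL' } else { 'Script/MSI' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Type      = $type
        User      = ConvertTo-AccountName $data.TargetUser
        Path      = $data.FilePath          # AppLocker form, e.g. %OSDRIVE%\USERS\...
        Publisher = $data.Fqbn              # empty or '-' when the file is unsigned
    }
}

# One row per file, so a script the HMI runs every minute appears once with a count.
$summary = $findings | Group-Object Path | ForEach-Object {
    $publisher = $_.Group[0].Publisher
    [pscustomobject]@{
        Path        = $_.Name
        Type        = $_.Group[0].Type
        Executions  = $_.Count
        Users       = (@($_.Group.User) | Sort-Object -Unique) -join '; '
        Signed      = (-not [string]::IsNullOrEmpty($publisher)) -and ($publisher -ne '-')
        UserProfile = $_.Name -like '%OSDRIVE%\USERS\*'
    }
} | Sort-Object Executions -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path "$env:TEMP\applocker-audit-summary.csv" -NoTypeInformation
```

Each row with UserProfile set to True is exactly the case the paragraph above warns about: either it becomes an explicit allow rule (a publisher rule where Signed is True, a hash rule otherwise, ideally agreed with the system vendor) or it is something that should not be running and can be removed before enforcement. Once the list is agreed, the same audit events can be turned into draft rules with `Get-AppLockerFileInformation -EventLog -LogPath '<log>' -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix OTAudit -Xml`, which is then reviewed rather than applied blindly.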

Application Patch Management Challenges:
Patching applications in OT environments requires a collaborative effort with system vendors. Unlike conventional IT environments, OT systems often operate under stringent operational requirements that may conflict with the patching timeframes proposed by the Essential Eight. Customised patching strategies aligned with vendor consultations are imperative to maintain operational integrity.
The applications in use inside OT environments tend to differ significantly from those in IT, and vendors release patches on an as-required basis; there is no “Patch Tuesday” for OT.

Microsoft Office Macro Settings Irrelevance:
In an OT environment, the relevance of configuring Microsoft Office macro settings comes into question. Given the unique functions of OT systems, the conventional expectations of the Essential Eight may prove irrelevant: macros will tend to be either completely absent (as will Microsoft Office) or a key element in extracting OT data for the business. Either way, the settings proposed in the Essential Eight aren’t helpful.

User Application Hardening Challenges:
The Essential Eight’s expectations around user application hardening may pose challenges for older OT systems where IE11 is a key component. Striking a balance is essential to address the specific requirements of legacy systems without compromising their functionality. Generally, Maturity Level 1 for user application hardening is recommended where possible; for higher levels, be very careful that blocking PowerShell scripts doesn’t compromise anything.

Administrative Privileges Balancing Act:
Restricting administrative privileges is a crucial security measure but must be approached judiciously in an OT environment. Careful consideration is required to apply these restrictions without impeding critical processes, recognising the unique demands of operational systems.

Many systems were implemented between 2000 and 2015 with no thought given to limiting administrative access. Consequently, little or no effort has been made to determine just what access each system actually requires, and the default has been to use Administrator privileges. It is strongly recommended that administrative privileges be limited where possible, with due care not to impact operational stability.
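Determining what access a system actually requires starts with recording who currently holds local administrative rights and which services and scheduled tasks depend on those identities, because those are the things that stop silently when the rights are removed. The script below is an added example, not code from the article or from Business Aspect. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and Windows 8 / Server 2012 or later (for Get-ScheduledTask); on older OT hosts the equivalent information comes from `net localgroup Administrators` and `schtasks /query /v`. The account-name normalisation is a hypothetical helper written for this example.

```powershell
# Added example (not from the article): record which principals hold local
# administrative rights on an OT host and which services and scheduled tasks run as
# those principals, so removing the rights does not silently break a process.
# Assumptions: Windows PowerShell 5.1+ (Get-LocalGroupMember) and Windows 8 /
# Server 2012+ (Get-ScheduledTask). Run elevated on the host being assessed.

function Get-AccountKey {
    # Hypothetical helper: normalise 'DOMAIN\user', '.\user', 'user@domain' and a
    # bare 'user' to a comparable lower-case 'user' key. This is approximate (two
    # accounts with the same name in different domains collide), so review matches.
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    $n = $Name.Split('\')[-1]
    $n = $n.Split('@')[0]
    return $n.ToLowerInvariant()
}

# Direct members of the local Administrators group (users and groups, local or domain).
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
$adminKeys = @($admins | ForEach-Object { Get-AccountKey $_.Name })

# Services whose logon account is one of those administrators. Built-in identities
# such as LocalSystem never match because they are not group members.
$services = Get-CimInstance Win32_Service |
    Where-Object { (Get-AccountKey $_.StartName) -in $adminKeys } |
    Select-Object Name, StartName, State, StartMode

# Scheduled tasks configured to run as one of those administrators.
$tasks = Get-ScheduledTask |
    Where-Object { (Get-AccountKey $_.Principal.UserId) -in $adminKeys } |
    Select-Object TaskName, TaskPath, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

'Members of local Administrators:';            $admins   | Format-Table -AutoSize
'Services running as an administrator:';       $services | Format-Table -AutoSize
'Scheduled tasks running as an administrator:'; $tasks    | Format-Table -AutoSize
```

A service or task that appears in this output is a dependency that must be re-pointed to a dedicated, least-privilege account (and tested with the vendor) before the administrator membership is removed; an account that holds administrative rights but appears in neither list is a candidate for removal with far less operational risk.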

Patch Operating Systems with Caution:
Patching Operating Systems in an OT environment demands a cautious approach. Collaboration with system vendors and adherence to operational schedules are vital to prevent disruptions to critical infrastructure.

Operating System patching is one of the highest-risk elements, both from failing to perform the task and from the potential impact of getting it wrong.

Rule 1 of Operating System patching in an OT environment is “Only implement vendor-approved patches”. The vendors have tested these patches to confirm they do not impact operations or safety.
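Following Rule 1 above, and the as-required vendor release cadence described under application patching, the routine check is to reconcile what is installed on a host against the vendor's approved list in both directions: approved patches that are still missing are the backlog for the next maintenance window, while installed patches that were never approved indicate updates applied outside the vendor process (automatic updates left enabled, or an ad hoc fix). The script below is an added example, not code from the article or from Business Aspect. The KB numbers and bulletin references are constructed placeholders to be replaced with the vendor's published compatibility list; the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the article): reconcile the updates installed on an OT host
# against the list of patches the system vendor has approved.
# The KB numbers and bulletin references are constructed placeholders; replace them
# with the vendor's published list. Assumes Windows PowerShell 3.0 or later.

# Vendor-approved list (constructed placeholder data in CSV form).
$approved = @'
KB,ApprovedOn,VendorReference
KB0000001,2024-01-15,VENDOR-BULLETIN-PLACEHOLDER-A
KB0000002,2024-04-02,VENDOR-BULLETIN-PLACEHOLDER-B
'@ | ConvertFrom-Csv

function Compare-OtPatchState {
    param(
        [Parameter(Mandatory)] $ApprovedList,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Get-HotFix reads Win32_QuickFixEngineering: it lists OS servicing updates but
    # not driver or application updates, so it complements the vendor's own tools
    # rather than replacing them.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop

    $approvedIds  = @($ApprovedList.KB)
    $installedIds = @($installed.HotFixID)

    [pscustomobject]@{
        ComputerName = $ComputerName
        # Approved by the vendor but not installed: schedule inside a maintenance window.
        MissingApproved = @($ApprovedList | Where-Object { $_.KB -notin $installedIds } |
            Select-Object KB, ApprovedOn, VendorReference)
        # Installed but never approved: applied outside the vendor process; each one
        # needs a decision (vendor confirmation, or removal during a planned outage).
        InstalledUnapproved = @($installed | Where-Object { $_.HotFixID -notin $approvedIds } |
            Select-Object HotFixID, InstalledOn, InstalledBy)
    }
}

$report = Compare-OtPatchState -ApprovedList $approved
"Host: $($report.ComputerName)"
'Approved but missing:';        $report.MissingApproved     | Format-Table -AutoSize
'Installed but not approved:';  $report.InstalledUnapproved | Format-Table -AutoSize
```

Because Get-HotFix accepts a remote computer name, the same function can be run from an engineering workstation against each host in a list, which turns the vendor's bulletin into a per-host compliance report without installing anything on the control system.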

Multi-Factor Authentication Complexity:
While multi-factor authentication is essential for securing access points such as the DMZ and jump boxes, its implementation within the OT environment itself is intricate. The haphazard communications infrastructure of remote sites and the critical nature of access necessitate a carefully calibrated approach to avoid unintended consequences.

Emphasis on Regular Backups:
Acknowledging the critical nature of OT systems, regular backups emerge as a non-negotiable element of Essential Eight. Robust backup strategies should be in place to ensure swift recovery and continuity in the event of a cyber security incident.

Conclusion:
Implementing the Essential Eight in an OT environment as it is specified, as a set of Microsoft-based IT controls, is not viable. Implementing its concepts (or intent) in OT demands a nuanced, customised, risk-based approach. There are dedicated security concepts available for OT, such as the “Five Critical Operational Technology (OT) Cyber Security Controls”, which may provide a better basis.

By recognising the unique challenges posed by the safety-centric Availability, Integrity and Confidentiality principles, and by carefully considering how to implement controls that produce the outcomes conceptualised in the Essential Eight rather than rigidly attempting to implement the framework as written, organisations can fortify their OT cyber security posture effectively. The path forward lies in a harmonious integration of security measures that safeguard critical infrastructure without compromising operational safety and efficiency.

Contact us today to learn more about how we can help you achieve your cyber security goals.