OTCSA launched to deliver “comprehensive” cyber security guidelines for operational technology

Cyber attacks on critical and industrial infrastructure are on the rise, duly impacting operational reliability and business risk across all industries, including utilities, manufacturing and oil and gas. Threats posed to operational technology (OT) – the hardware and software dedicated to monitoring and controlling physical devices – can disrupt operations, negatively impact productivity, cause ecological damage and compromise human safety.

To help mitigate this risk, a new global alliance focused on cyber security has been launched. The Operational Technology Cyber Security Alliance (OTCSA) is designed to help companies address the OT security challenges that continue to put operations (and, consequently, business) at risk.

“One of the driving forces behind IT and OT convergence is the cyber security of operational systems, like SCADA, MES and controllers, etc,” said Kevin Prouty, Group vice-president for IDC Energy Insights and Manufacturing Insights. “OT has typically been managed as individual devices, which has made it very difficult for IT to maintain its cyber security mandate. Senior executives are tasking operations executives to make sure their OT systems are integrated into the overall enterprise cyber security governance. IDC’s IT/OT Convergence Survey from 2018 shows that 65% of manufacturing, mining, oil and gas and utilities companies see cyber security as being the highest priority in IT and OT governance.”

Industry leaders ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAfence, Splunk and Wärtsilä have partnered to establish the OTCSA. The OTCSA’s mission is five-fold:

* Strengthen the cyber-physical risk posture of OT environments and interfaces for OT/IT interconnectivity

* Guide OT operators on how to protect their OT infrastructure based on a risk management process and reference architectures/designs which are demonstrably compliant with regulations and international standards, such as IEC 62443, NERC CIP and NIST 800-53

* Guide OT suppliers on secure OT system architectures, relevant interfaces and security functionalities

* Support the procurement, development, installation, operation, maintenance and implementation of a safer and more secure critical infrastructure

* Accelerate the time to adopt safer and more secure critical infrastructures

Bridging dangerous gaps

“The OTCSA aims to bridge dangerous gaps in security for critical and OT infrastructure and ICS to support and improve the daily lives of citizens and workers in an evolving world,” said Satish Gannu, CSO at ABB and senior vice-president for system architecture and analytics at ABB Ability. “Industry collaboration to establish guidelines is required to quickly advance the posture of OT, which is already a decade behind IT when it comes to security.”

Until now, there has been no industry group focused on improving cyber risk posture by providing tangible architectural, implementation and process guidelines to OT operators so that they can navigate necessary changes, upgrades and integrations to evolving industry standards and regulations. These robust security guidelines will cover the entire lifecycle – procurement, development, deployment, installation, operation, maintenance and decommissioning – and address aspects related to people, processes and technology.

The OTCSA promotes collaboration among leading IT and OT companies, thought leaders in the cyber security community and vendors and OT operators from a variety of industries. Membership is open to any company that operates critical infrastructure or general OT systems to run its business (OT operators) as well as companies providing IT and OT solutions (solution providers).

*To learn more about the OTCSA or to become a member visit: https://www.otcsalliance.org

Securing critical systems

“BlackBerry Cylance is honoured to join this multidisciplinary alliance with the mission to rethink the way in which we secure the world’s most critical systems,” stated Eric Cornelius, CTO at BlackBerry Cylance. “The OTCSA will provide important leadership and guidance for organisations working hard to protect their operational technology from sophisticated threats.”

Avi Rembaum, vice-president of security solutions at Check Point Software Technologies, observed: “Operational technologies represent a key cyber target for multiple threat actors, with potentially devastating economic and physical effects on countries, companies and people. The OTCSA is focused on providing the community with architectural guidelines and Best Practices for implementing advanced operational technologies in a secure way. Check Point’s Infinity Architecture and Fifth Generation threat prevention strategy align with the goals of the OTCSA, and we’re proud to be a founding member of this important initiative.”

Damiano Bolzoni, vice-president of industrial and OT business at Forescout, commented: “Critical infrastructures and industrial control systems are essential to organisations’ revenue and profits and the global economy. Forescout is committed to collaborating with the industry to establish architectural, implementation and process guidelines that further strengthen the cyber security risk posture and resiliency of operational technology.”

Phil Quade, CISO for Fortinet, outlined: “The negative consequences of compromised critical infrastructures are as severe as ever, while the complexity and urgency in securing them continues to escalate. The coming together of an action-oriented group of stakeholders who share a common vision of more secure and resilient critical infrastructure is an important step in meaningful collaboration. The OTCSA will address the unique challenges of securing OT environments, which is fundamental to maintaining economic competitiveness, national and personal security and public safety.”

Dean Weber, CTO at Mocana, informed Risk Xtra: “We’re in a pivotal moment for critical infrastructure protection. As the nature of the threats we face becomes increasingly sophisticated, the OTCSA will provide an essential forum to bring together those who protect operational technology and those who own and deploy it. Through listening to each other, we believe the entire OT sector can come together to make the world a safer place.”

Level of security preparedness

“Our primary mission at the NCC Group is to enable the strongest security possible from the very beginning of every project,” asserted Kevin Dunn, the Group’s senior vice-president. “As a service provider, we have the freedom to implement vendor-neutral solutions that are most appropriate in each particular installation. We see every day the need for greater protection in many critical infrastructures, and we look forward to working with other industry leaders within the OTCSA to raise the level of security preparedness in operational technologies and industrial control systems.”

Philippe Courtot, chairman and CEO of Qualys, said: “We’re proud to be a member of the OTCSA and to work with other industry leaders to further the goal of bridging gaps in security for OT and critical infrastructures and industrial control systems. The time where individual companies provided security solutions that customers and operators had to ‘bolt on’ has passed. It’s now about ‘building security in,’ which can only be achieved if we all work together, drastically reducing the growing cyber security risks as a result.”

Elad Ben-Meir, CEO of SCADAfence, highlighted: “As threats to OT networks continue to expand and evolve and the need for securing OT networks becomes more pressing than ever, we’re honoured to be part of the OTCSA in an effort to define tools and frameworks for securing them.”

Haiyan Song, senior vice-president and general manager of security markets at Splunk, explained: “As the volume of data grows around the world, it’s critical that organisations should not only leverage analytics to gain insights, but also take action on that data to drive digital transformation and become more competitive businesses. We’re proud to work with the OTCSA to help accelerate this shift globally. Security is a business enabler and we believe the OTCSA’s mission provides an important opportunity to share and exchange Best-in-Class enterprise security practices to help businesses thrive.”

Mark Milford, vice-president of cyber security at Wärtsilä, concluded: “The compromise of operational technology used in production facilities is becoming a preferred stepping stone for cyber criminals looking to find a way into a company’s network. There’s a strong need to collaborate within our ecosystems of suppliers, customers and other partners, even competitors, in order to fight the common enemy of cyber crime. The game is changing and, that being the case, so must we.”

*Read the White Paper on vulnerability management for operational technologies: https://otcsalliance.org/wp-content/uploads/2019/10/Vulnerability_Management.pdf

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
