Electricity + Control December 2017

CONTROL SYSTEMS + AUTOMATION

Integrating IT and OT security requires under- standing the differences between them and their approaches to evaluating and protecting systems. Security, regulations and standards must evolve in both worlds and together to be effective. They can no longer focus separately and organisations need to implement a cybersecurity framework to bal- ance the security-relevant considerations of these two different cultures, OT and IT. As each culture has a goal to create trustworthy systems that deal with their functional needs, environment, possible disruptions, system faults, human errors and at- tacks, the considerations need to be made explicit so that members of each culture can understand and appreciate the needs and motivations of the other. Everything needs to work in tandem. Many nations and businesses globally have been putting resources − including technology, people and funds − into protecting themselves from cy- bersecurity threats. As a result, they have become a more difficult target for malicious attacks from hackers and cyber criminals. Consequently, hack- ers and cyber criminals are successfully focusing more of their unwanted attention on less secure countries and businesses. Because smaller businesses in South Africa (or Africa) typically do not have the resources to invest in information security the way larger busi- nesses can, many cyber criminals view them as soft targets. Your business may have money or in- formation that can be valuable to a criminal. How- ever, it is important to remember that malicious hackers and criminals are not always after profit. Why Africa and your business could be targets

Take Note!

Convergence of IT and OT brings different drivers and attitudes to industry. IT and OT prioritise system characteristics differently. The highest priority of OT systems is safety; the important character- istics of most IT systems are security, privacy and reliability.

1

2

3

Convergence of IT and OT Convergence of IT and OT brings different drivers and attitudes to industry. Only in some cases does IT consider safety in their designs, while safety is not optional in OT. IT generally focuses on cost re- duction once quality requirements of the system are met and may not have the resources to im- prove the safety quality of the system. Generally speaking, key system characteristics and their as- surance have different priorities in the two worlds that must be reconciled. The use of sensors and actuators in an industrial environment is not the typical IT experience. IT and OT prioritise system characteristics quite differently. The highest priority of many OT sys- tems is safety: Do not cause injury or death, do not put public at risk and protect the environment from harm.The second and third priorities are often qual- ity of production and meeting production targets, which depend on the reliability and resilience of the system. Reliability and resilience are required to prevent the interruption of critical processes. On the other hand, security and privacy are important characteristics for most IT systems, as well as reliability. Safety is rarely an issue, and re- silience is reserved for specialised systems where business continuity is a motivating factor.

Some may attack your business out of revenge (e.g. for firing them or somebody they know), or for the thrill of causing havoc. Similarly, not all events that affect the ICS are caused by criminals. One study claims that employees make up 85% of cy-

If you are connected, you have to be protected.

ber-threats. Furthermore, environmental events such as fires or floods can severely damage critical infrastructure. Your organisation can be a test labo- ratory or ‘Guinea pig’ where someone will perform a cyber-attack and test their cyber weapons.

Electricity + Control

DECEMBER 2017

5