The importance of solid OT-side security in data centers
Although the IT side of data centers is well secured, this is less obvious on the OT side, even though Operational Technology is crucial to making data centers run reliably. The ISA/IEC 62443 standard should help OT professionals increase cyber security. During the IT Infra knowledge event, Willy Leuvering, on behalf of ISA Netherlands, tells us more about this standard and the specific problems that arise on the OT side.
By: Dimitri Reijerman
ISA has been developing standards for years. The organization also certifies industry professionals and provides training and education. Cyber security is playing an increasingly important role in this, with the ISA/IEC 62443 standard increasingly coming to the fore. “It is a standard that is very much needed,” says Leuvering. “ISA is a professional association of and for people in the process control world. From that angle, we create all kinds of standards to provide answers to questions such as: how do I integrate my process system with my control systems? To develop these standards, we, as an American association, work closely with ANSI, but when you are talking about standards, it is useful to have an IEC version of them internationally.”
He continues: “In the field of cyber security, it was decided at an early stage to develop this standard together. Various bodies are working together to develop structured and substantively identical standards. In response to recent developments in the field of process industry and the consequences of not having cyber security in order, companies are paying more attention to this. Cyber security is crucial, especially in the field of critical infrastructure. These are national utilities that are of great importance and must therefore be completely cyber secure. Every country has these utilities, which makes it wiser to work together and develop an international standard than to develop national rules.”
Literally vital
Leuvering states that good security is now literally a matter of life and death: “What you should especially keep in mind is that cyber threats are very real,” says Leuvering. “People are now dying from cyber attacks. An example of this is a ransomware attack on the emergency room of a hospital in Germany. The data was encrypted by the attack, which meant that a patient in critical condition could not be treated and was transferred to a hospital half an hour away. The patient in question unfortunately died as a result.”
The approach to the theme of cyber security is different in the OT and in the IT world. As Leuvering explains: “In the IT world, people have been working on cyber security and setting standards for a long time. In the OT, we have different requirements and wishes than on the IT side. The most important difference is that in the IT world, the 'CIA models' are adhered to in the field of cyber security: confidentiality, integrity and availability. On the OT side, you also have to deal with physical safety and the safety of people and the environment.”
“Moreover, in IT environments you can often install patches and reboot systems on a Sunday. In the OT world, that is usually not possible: unlike the monthly Patch Tuesday, there are sometimes only two days per year, in August, on which we are allowed to install patches, because the machines run 24/7. So many requirements in the ISA/IEC 62443 standard are formulated differently than the IT variants.”
Defence-in-depth
Leuvering emphasizes that cyber security in data centers requires attention at multiple levels: “We also say in this standard: it is not just a matter of buying very expensive firewalls. That often does not get you there. You have to have defence-in-depth, and for example also look at the physical access to systems and infrastructure. Because if someone with malicious intentions can enter a control room and plug a hacking device into the network, he can also gain access to the system, but this is not seen as a classic cyber security attack. Another example is the NotPetya malware, which has caused millions of euros in damage to a number of companies and also possibly unnoticed corporate espionage. Companies that do not pay specific attention to the cyber security of the OT often use the argument that hackers do not understand PLCs and SCADA systems, but the opposite is true. Just look on YouTube.”
The benefits of cyber security are sometimes difficult to quantify. Nevertheless, Leuvering continues to emphasise its importance: “Many people see cyber security as an inconvenience: 'Then I have to enter passwords and change them again'. I don't think that's the case. Working safely with data is a way of working that will ultimately result in greater efficiency. The costs of improving cyber security are often in the purchase of hardware such as firewalls. However, the optimisation lies in improving processes and side processes. This makes it difficult to calculate a full ROI. An example of these side processes is the recovery option. Because have you practised restoring your backups? And are they the latest versions? Fire drills are commonplace, but you also have to do recovery exercises to rebuild systems after an incident, cyber or not.”
Do you want to attend the lecture by Willy Leuvering? Register for free participation in this webinar.