Suzanne Wharton describes some of the work we’ve delivered to UK defence suppliers, helping them to understand and address their systems’ vulnerabilities, and to improve their security posture.
Operational technology is at the heart of defence activities, from equipment and munitions manufacturing to fuel delivery and building management.
While many organisations have strong cybersecurity processes and activities in place to protect their information technology systems, there is often a lack of maturity in the security awareness and culture surrounding companies’ operational technology (OT). Organisational silos may mean that the way the operational/production side works differs from the information technology side, and that this knowledge is not shared across departments. The result is a gap in understanding at board level. Add to this competing stakeholder requirements – with the needs of operational production vying with those of security controls – plus ageing, legacy and obsolete systems which can’t easily be secured, and it can be a real challenge to achieve improvements in industrial control systems’ security.
But the potential outcomes of cyber attacks on operational systems in defence could be extremely damaging. From lengthy shutdowns, to intellectual property risks, to safety problems – by affecting a business’s operations, attackers can have a serious impact. A recent US study on the state of OT security found that of the ~2,000 industry respondents, nearly 70% had experienced cyber attacks during the past year, and one in four said they had to shut down their operations temporarily due to a cyber attack.[1]
To protect their operational systems against these risks, our clients have sought to assess the security of their OT estates, to ensure they comply with UK and US regulations, internal standards, external safety requirements and customer needs. Our AtkinsRéalis experts deliver the security assessments they need to identify the estate and its risks, and then support the activities required to remediate their vulnerabilities.
Understanding the problem, developing the solution
For one defence client, our first step was to assess the security of the systems within the project’s scope. In some areas, the client was able to provide detailed information relatively quickly, but in other areas that level of detail was lacking, or was held by third parties and difficult to obtain. This is a common theme for OT, and something we see frequently across other sectors as well as defence. Using client-provided templated documents, we visited a range of sites identifying, collecting and documenting information relating to assets within the project’s scope and their security.
We used this information, along with feedback from discussions with key stakeholders, to produce an asset register, a simple network diagram, a solution design document and a risk identification document, as well as a gap analysis showing where systems didn’t align with the controls specified in NIST SP 800-82 Rev. 3. Several security concerns were identified that had not been discovered during the client’s initial review, including issues with security in the supply chain and boundary control issues.
Once we had gained an understanding of the vulnerabilities, in collaboration with the client’s team, including the design authority, security and control engineers, we supported the remediation activities needed to mitigate the identified shortcomings. By giving the client visibility of the security posture of its OT estate for the first time, it was able to understand the business risks associated with the security needs identified in these areas. The additional guidance we offered to support it in remediating these shortcomings gave management the information needed to secure buy-in and, perhaps more importantly, funding for the required work.
A single source of security truth
In developing the internal governance documents, we ensured the client’s OT systems would be in line with both industry best practice and NIST SP 800-82 wherever possible, or with the client’s own internal security standards. Where this was not possible, this was clearly articulated to ensure the associated risks were appropriately managed. Delivering this full and thorough suite of documentation, covering security risk assessments and solution design, provided the client with a single authoritative source for all security-related information relating to its OT estate.
Created to meet the client’s own internal standards, which were developed to align with NIST SP 800 controls, the new solution can be understood and maintained effectively by in-house teams. This will support ongoing operation and maintenance, benefitting reliability, as well as any future modification of the OT systems. It will also provide ready-made guidance on security measures when new systems are bought by the client. In assuring the cybersecurity of its OT estate, we helped the client protect its operations, and keep its operational technology heart beating.
[1] Palo Alto Networks, “Palo Alto Networks Surveys the State of OT Security”, Palo Alto Networks Blog.
This article was previously published by techUK.