*Issues on Risk Analysis for Critical Infrastructure Protection*

*Analyzing the Cyber Risk in Critical Infrastructures DOI: http://dx.doi.org/10.5772/intechopen.94917*

**4.1 OT threats and vulnerabilities**

To identify the main threats and vulnerabilities for the OT environment, a structured approach is used that distinguishes multiple layers. Threats to OT may occur at each of the layers defined by [41]:

• The governance layer.

• The socio-technical layer comprising the OT/ICT architecture, the technology, networking, and human factors.

• The operational-technical layer including (3rd party) maintenance.

According to [42], a threat to OT is the "*potential cause of an unwanted incident through the use of one or more OT, which may result in harm to individuals, a system, an organization, critical infrastructure and vital societal services, the environment or the society at large*".

*The governance layer*. At the governance layer, the first threat stems from the fact that OT is technically embedded in functionality. Management focusses on that functionality, e.g. providing drinking water. Therefore, many chief information security officers (CISOs), or those with equivalent executive-level responsibilities, largely neglect the cyber risk to OT, which at the same time is a major risk to the functioning of the whole CI.

Moreover, there is a major cultural difference between the IT department and the other departments which use OT as part of the 24/7 functionality of their CI services. In addition, the IT department often holds the cyber security mandate for the whole organization. "IT" develops the organization-wide cyber security policies (e.g. the authentication and password policy, the patch and anti-malware policies). Protection of the integrity, confidentiality, and privacy of information is a high priority. Therefore, "IT" may disrupt its operational services when urgent patches have to be installed. In their mindset, "IT" is key to the business of the whole organization; "*OT is just the department of grease, pumps, and valves, isn't it?*"

The OT department, on the other hand, optimizes the control of the physical processes and is less concerned with cyber security. Most often, "OT" has to use the networks managed by "IT" for wide area connectivity and remote access. "IT" may even require the company-wide cyber security policy to comply with specific cyber security management standards such as the ISO/IEC 27000-series [28]. "OT" has to adhere to those policies even though such cyber security standards and good practices have not been developed for a 24/7 operational environment. For example, blocking an account after three consecutive failed logins is of no help when an operator needs to change production settings in the middle of the night during an operational crisis. Such dissimilar needs, policies, and service expectations between "IT" and "OT" can be a source of conflict. Governance of OT security therefore requires efforts by all involved to bridge the gap between the ICT and OT domains.

Another governance-level threat is that the economic depreciation period of OT is often equal to that of the OT-controlled system, e.g. a water purification unit. Therefore, very aged control system components, such as a 486 or Windows XP system, still operate hidden in cabinets. They still control metros, sewage systems, and so on.

In other situations, the renewal of OT is a long-term process in which the upgrade is performed (sub)process by (sub)process. This means that the central system control must cooperate with both new and legacy OT. In such mixed configurations, cyber security measures either cannot be activated at all or are only effective on and between the new OT systems and applications.

"*No worry about cyber security of OT, the processes can still be controlled manually*". At least management holds that view, neglecting that the same management considerably reduced the experienced workforce able to operate the CI system manually. Therefore, an OT disruption lasting longer than a couple of hours inevitably brings down the OT-controlled CI/CII services to society.

*The socio-technical layer*. At the socio-technical layer, [42] identifies a number of threats to the undisturbed functioning of OT-controlled CI processes, and therefore to the continuity, integrity and safety of physical processes. For example:

• Lack of cyber security awareness of operators and other people operating and maintaining OT-controlled processes. No specific cyber security education and training is part of their curricula.

• In the process control environment, it is not unusual that employees have been employed for many years. The risk of sabotage by disgruntled and dismissed employees is large. Many cases can be found in the media, e.g. the Maroochy water breach and the sabotaged leak detection system of the Pacific Oil platforms and pipelines near Huntington Beach, USA. This risk is not new: insider OT sabotage already occurred in the 90's, see e.g. [43].

*The operational-technical layer*. At the operational-technical layer, [42] identifies OT-specific threats including:

• The SCADA (and similar) protocols were designed in the 60's with a benign, closed operating environment and no threat in mind. Such protocols are not robust against any serious cyberattack. Applying such protocols on top of TCP/IP increases the risk even more. A malformed packet may crash programmable logic controllers (PLCs) or lead to a "dementia paralytica" of their control logic, as was shown by [44].

• The use of old technology and legacy OT, for the reasons mentioned above, requires personnel who still know all the ins and outs of twenty-year-old or older OT as well as current technology. The old OT has no security-by-design. Moreover, old OT has too limited CPU and memory resources to run a malware protection package or encryption; adding them may break the critical process monitoring and control cycle. Furthermore, a new plug-compatible board that replaces a defective one may introduce new vulnerable functionality that is attractive to cyber attackers.

• In standard "IT" communications, temporary blocking of transmissions is accepted. In the OT environment, however, status information from a process that is not received in time, or a delayed control command, may cause irreversible effects in the physical environment.

• OT systems may be directly or indirectly connected to the internet via remote operations or maintenance links. Shodan [45] and similar search engine tools show ample OT equipment that is directly accessible via the internet.

• System maintenance of OT in CI requires a lot of effort due to the sheer number of components. Password management policies, e.g. replacing passwords regularly, conflict with the 24/7 operational continuity. CI sectors have agreed on good practices for patching and anti-malware signature updates but struggle with applying them, e.g. to apply security-critical patches within a week after publication and all other patches during the next scheduled maintenance slot [46, 47]. In practice, patches are applied some three-quarters of a year after they became available, and anti-malware signature files are updated after weeks if not months. "*If the controlled process works, do not break it*" is used as an excuse. Therefore, the risk of unauthorized exploitation of OT in CI sectors is high.

• Third-party maintenance engineers are often given unrestricted and unmonitored access to key processes 24/7. Incidents have shown that third-party employees cannot always be trusted.
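The operational-technical threats above include a malformed packet crashing a PLC when a legacy protocol is carried over TCP/IP. The following Python code is an added example, not taken from the chapter or from [44], of the strict frame validation a protocol-aware gateway or OT firewall can apply to Modbus/TCP before a frame reaches the controller: it checks the MBAP header fields, compares the declared length with the bytes actually received, allow-lists the function codes and checks the function-specific field lengths and limits. The frame layout follows the public Modbus/TCP specification; the sample frames are constructed for the example, and the specific fault from [44] is not reproduced.

```python
"""Strict Modbus/TCP frame validation in front of a PLC.

Added example (not from the chapter or from [44]). Layout per the public
Modbus/TCP specification: MBAP header = transaction id (2 bytes) |
protocol id (2, must be 0) | length (2, number of bytes that follow,
including the unit id) | unit id (1); then the PDU = function code (1) |
data (at most 252 bytes). A protocol-aware gateway applying these checks
drops inconsistent frames instead of forwarding them to a fragile controller.
"""
import struct
from dataclasses import dataclass

MBAP_LEN = 7
MAX_PDU = 253                     # function code + up to 252 data bytes
MAX_ADU = MBAP_LEN + MAX_PDU      # 260 bytes on the wire
MAX_LENGTH_FIELD = MAX_PDU + 1    # unit id + PDU = 254

# Allow-list of public function codes this filter forwards; everything else
# (diagnostics, vendor-specific codes, exception responses) is dropped.
ALLOWED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}


@dataclass
class Frame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


class MalformedFrame(ValueError):
    """Raised for any frame that is not a well-formed, allowed request."""


def check_pdu(function: int, data: bytes) -> None:
    """Function-specific field checks for the common request types."""
    if function in (1, 2, 3, 4):                 # read coils/inputs/registers
        if len(data) != 4:
            raise MalformedFrame("read request needs start address and quantity")
        _, quantity = struct.unpack(">HH", data)
        limit = 2000 if function in (1, 2) else 125
        if not 1 <= quantity <= limit:
            raise MalformedFrame(f"quantity {quantity} outside 1..{limit}")
    elif function in (5, 6):                     # write single coil/register
        if len(data) != 4:
            raise MalformedFrame("single write needs address and value")
    elif function in (15, 16):                   # write multiple coils/registers
        if len(data) < 5:
            raise MalformedFrame("multiple write header truncated")
        _, quantity, byte_count = struct.unpack(">HHB", data[:5])
        expected = (quantity + 7) // 8 if function == 15 else 2 * quantity
        if byte_count != expected or len(data) - 5 != byte_count:
            raise MalformedFrame("byte count does not match quantity or payload")


def parse_modbus_tcp(adu: bytes) -> Frame:
    """Parse one Modbus/TCP ADU; raise MalformedFrame on any inconsistency."""
    if len(adu) < MBAP_LEN + 1:
        raise MalformedFrame("frame shorter than MBAP header plus function code")
    if len(adu) > MAX_ADU:
        raise MalformedFrame(f"frame of {len(adu)} bytes exceeds {MAX_ADU}")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus (0)")
    if not 2 <= length <= MAX_LENGTH_FIELD:
        raise MalformedFrame(f"length field {length} out of range")
    # The declared length must equal the bytes actually present after it; a
    # mismatch is what makes naive receivers read past their buffers.
    if length != len(adu) - 6:
        raise MalformedFrame(f"length field {length} != {len(adu) - 6} bytes present")
    function, data = adu[MBAP_LEN], adu[MBAP_LEN + 1:]
    if function not in ALLOWED_FUNCTIONS:
        raise MalformedFrame(f"function code {function} not allowed")
    check_pdu(function, data)
    return Frame(tid, unit, function, data)


def filter_frames(frames):
    """Split frames into (accepted Frame objects, rejected (adu, reason) pairs)."""
    accepted, rejected = [], []
    for adu in frames:
        try:
            accepted.append(parse_modbus_tcp(adu))
        except MalformedFrame as exc:
            rejected.append((adu, str(exc)))
    return accepted, rejected


# Constructed sample traffic for the example (not captured from a device).
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),   # read 10 holding regs: valid
    bytes.fromhex("0002 0000 0006 01 03 0000"),        # length says 6, only 4 follow
    bytes.fromhex("0003 0000 0006 01 03 0000 07d1"),   # quantity 2001 > 125
    bytes.fromhex("0004 1234 0006 01 03 0000 0001"),   # protocol id is not 0
    bytes.fromhex("0005 0000 000b 01 10 0010 0002 04 0001 0002"),  # write 2 regs: valid
    bytes.fromhex("0006 0000 0009 01 10 0010 0002 04 0001"),       # byte count 4, 2 given
]

if __name__ == "__main__":
    ok, bad = filter_frames(SAMPLE_FRAMES)
    for frame in ok:
        print("forward", frame)
    for adu, reason in bad:
        print("drop   ", adu.hex(), "->", reason)
```

The check that matters most is the comparison of the length field with the bytes actually received: the other header checks catch noise, but a length that overstates the payload is exactly the input that a controller stack written for a benign network was never tested against. Limiting the quantity fields to the protocol maxima keeps an oversized read or write from being forwarded even when the frame is otherwise well-formed.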

**4.2 Assessing the assurance of equipment and applications**

A complex element in identifying the cyber risk in CII operations is assessing the risk in the wide variety of hardware and software that CI operators use. Most CI/CII operators use ICT and OT from a multitude of suppliers, some of them global players. The hardware and software may contain hidden vulnerabilities. A CI/CII operator should try to ensure a high level of security of its own hardware, software, and services, and of those procured from suppliers. Organizations should adopt a security lifecycle approach to enhance the safe and secure functioning of their ICT elements. The security lifecycle comprises the acquisition, installation, system integration, operations, maintenance, upgrading, and decommissioning phases. When CI/CII operators depend on ICT and OT suppliers, system integrators, and third-party maintenance companies, they should have contractual agreements and measures in place to ensure that the resilience is up to par with the security requirements of the CI/CII organization. Building on the efforts of each organization, the use of cyber security standards and frameworks may increase the level of resilience across the chain. Examples of this approach are the third-party security requirements included in cyber security standards and frameworks [25, 29, 30, 32].

Assessing the level of assurance of each ICT/OT element proves to be a challenge for an individual organization. Therefore, many organizations require support from their government, e.g. in the certification of certain equipment. Recently, the EU Cyber Security Act [48] has provided a framework for certification schemes, which is being taken up by ENISA and several European states, although a number of challenges are perceived [49, 50].

**4.3 Assessing the risk for the OT environment**

The above-mentioned characteristics of OT systems make it necessary to include the following steps as part of the RA process:

• Use a multi-disciplinary team to assess the holistic cyber risk. The team shall include those involved with general IT security, OT security, physical security, electronic security, security of services and supplies by utilities and third parties (e.g. power, external telecommunications, cooling), and human resources (e.g. personnel security and safety).

• Collaborate with government organizations and relevant computer security incident response teams (CSIRTs) on threat information and on assessing the risk to OT equipment, software, and (tele)communication means.

• Identify the ICT and OT systems and networks that are critical to the key operational processes of the CI operator.

• Identify the connections with outside networks.

• Identify the external dependencies including third parties.

• Identify legacy systems that may pose additional vulnerabilities.

• Assess the impact of a disruption of ICT and OT to the CI service(s).
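The identification and impact steps of the RA process in this section can be supported mechanically once the inventory exists. The following Python code is an added example, not from the chapter or from any of the cited methods: it models the inventory an RA team compiles (CI services, operational processes, ICT/OT systems, external dependencies) as a "requires" graph and answers which CI services stop when an asset, or a combination of assets, fails, which dependencies were never inventoried, and which risk flags (legacy, outside-network connection, third-party maintenance, external dependency) apply. The drinking-water inventory it uses is constructed for illustration.

```python
"""Dependency-based impact screening for an OT risk assessment.

Added example, not from the chapter. The inventory a multi-disciplinary RA
team compiles is modelled as a directed "requires" graph: an asset is
unavailable when any asset it depends on is unavailable. Walking the reverse
graph from a failed asset yields the CI services that stop; the flags mirror
the identification steps of Section 4.3. All entries are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                               # "service", "process", "system", "external"
    depends_on: list = field(default_factory=list)  # assets required to operate
    legacy: bool = False                    # step: identify legacy systems
    external_link: bool = False             # step: connections with outside networks
    third_party_maintained: bool = False    # step: external dependencies / third parties


# Constructed inventory of a fictitious drinking-water operator.
INVENTORY = [
    Asset("drinking water supply", "service", ["purification", "distribution"]),
    Asset("regulatory reporting", "service", ["historian"]),
    Asset("purification", "process", ["PLC-purif-1", "SCADA-central"]),
    Asset("distribution", "process", ["PLC-pump-3", "SCADA-central"]),
    Asset("SCADA-central", "system", ["WAN-telecom"],
          external_link=True, third_party_maintained=True),
    Asset("PLC-purif-1", "system", [], legacy=True),   # e.g. a Windows XP era HMI/PLC
    Asset("PLC-pump-3", "system", ["grid-power"]),
    Asset("historian", "system", ["SCADA-central", "corp-IT"]),
    Asset("corp-IT", "system", [], external_link=True),
    Asset("WAN-telecom", "external"),
    Asset("grid-power", "external"),
]


def unknown_dependencies(assets):
    """Names that are required somewhere but never inventoried: an RA gap."""
    known = {a.name for a in assets}
    return sorted({d for a in assets for d in a.depends_on} - known)


def dependents_index(assets):
    """Reverse adjacency: asset name -> set of asset names that require it."""
    index = defaultdict(set)
    for a in assets:
        for dep in a.depends_on:
            index[dep].add(a.name)
    return index


def impacted_services(assets, failed):
    """CI services that lose a required element when all of `failed` go down.

    Walks the reverse graph transitively, so a lost external dependency
    propagates through systems and processes up to the service level.
    """
    kinds = {a.name: a.kind for a in assets}
    index = dependents_index(assets)
    seen, stack = set(failed), list(failed)
    while stack:
        for dependent in index[stack.pop()]:
            if dependent not in seen:
                seen.add(dependent)
                stack.append(dependent)
    return sorted(n for n in seen if kinds.get(n) == "service")


def risk_flags(asset):
    """Flags corresponding to the identification steps of the RA process."""
    flags = []
    if asset.legacy:
        flags.append("legacy")
    if asset.external_link:
        flags.append("outside-network connection")
    if asset.third_party_maintained:
        flags.append("third-party maintained")
    if asset.kind == "external":
        flags.append("external dependency")
    return flags


def screen(assets):
    """One row per non-service asset, most consequential first."""
    rows = [
        {"asset": a.name, "kind": a.kind,
         "services_hit": impacted_services(assets, [a.name]),
         "flags": risk_flags(a)}
        for a in assets if a.kind != "service"
    ]
    rows.sort(key=lambda r: (-len(r["services_hit"]), -len(r["flags"]), r["asset"]))
    return rows


if __name__ == "__main__":
    print("uninventoried dependencies:", unknown_dependencies(INVENTORY))
    for row in screen(INVENTORY):
        print(f"{row['asset']:<22} {row['kind']:<9} "
              f"hits={row['services_hit']} flags={row['flags']}")
```

Two things the screening makes visible that a per-system checklist does not: an external dependency such as the WAN link ranks as high as the central SCADA system it feeds, because the impact propagates through it, and a dependency name that appears only in a `depends_on` list is itself a finding, since it marks an element the team has not yet inventoried. Passing several names to `impacted_services` at once models a combined failure such as the loss of both telecommunications and grid power.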


**5. Assessing cyber security risk across CI/CII chains**

Due to the specific characteristics, there is a need to perform RM not only at the company level but also as a collaborative assessment across CI/CII service chains. Some studies have aimed to establish a method for assessing the cyber security risk across chains of CI/CII operations [38, 39].

Section 3.4 discussed the challenges for risk analysis across organizations in CI/CII chains. Several methods exist that support risk analysis across a chain of organizations which provide critical or essential services. There are, however, many challenges in applying such methods, as is shown in Section 5.2.

**5.1 Methods to assess the cyber risk across chains**

The Dutch chain analysis method [39] has been developed by a set of CI operators in the energy sector. Their belief was that the organizations in a supply chain together are in the best position to define and deploy appropriate controls and initiatives to reduce any cyber security risk themselves. The method aims to provide insight into the cyber security risk within a supply chain. It uses a layered approach to provide insight into the risk that arises from the ICT/OT systems and their interconnections, as well as the risk that this may pose to the chain of business processes of the organizations. The identified risk in the business processes can ultimately disrupt the continuity of the entire supply chain of one or more critical or essential CI/CII services. By combining and merging the identified risk in the business processes per organization, which should include each organization's own third-party risk to these processes, the overall risk to the supply chain can be assessed (see **Figure 4**).

**Figure 4.**
*Visualization of the Dutch supply chain risk management method (from [39]).*

The aforementioned EURAM/EURACOM method uses a similar approach: it combines three components to assess risk at an aggregated level, based on RAs by the individual organizations, and embeds the lower-level RA results by mapping the identified risk at the higher level [38].

Note that, due to the hidden nature of ICT and OT within CI and CII, RM across the chain requires a large effort and a combination of expertise by all stakeholders.
