Introducing: Security FAT and SAT as a Service – A Game-Changer in Industrial Control Systems

In today’s rapidly evolving digital landscape, cybersecurity is not just a buzzword; it’s a necessity. As businesses invest heavily in Industrial Control Systems (ICS), ensuring these systems are secure from potential threats is paramount. That’s where Applied Integrated Technologies (AIT) steps in with its groundbreaking service: Security FAT and SAT as a Service. 

What is Security FAT and SAT?

For those unfamiliar with the terms, FAT (Factory Acceptance Testing) and SAT (Site Acceptance Testing) are crucial phases in the deployment of ICS. These tests ensure that the systems function as intended and meet the specified requirements. Integrating cybersecurity measures during these phases is a proactive approach to safeguarding these systems against potential cyber threats.

Why is it Important?

1. Enhanced Process Safety and Reliability: By building cybersecurity into the acceptance testing phases, businesses can significantly enhance the safety and reliability of their processes. This not only ensures smooth operations but also protects substantial business investments.

2. Expertise Matters: The world of ICS cybersecurity is intricate and requires specialized knowledge. Many organizations find themselves ill-equipped to handle the complexities of these tests. AIT’s OT Cyber team, backed by global experience and top-tier certifications, offers the expertise needed to navigate these challenges seamlessly.

3. Comprehensive Security Testing: From penetration tests and vulnerability scans to detailed security reviews, AIT provides an all-encompassing suite of services to ensure robust and secure systems.

Dive Deeper with Our Detailed Document

For those keen on understanding the nitty-gritty of our service, we’ve released a comprehensive document detailing the various aspects of Security FAT and SAT as a Service. Authored by Isiah Jones, a renowned Cyber Engineer, this document provides an in-depth look into the importance of integrating cybersecurity measures during the FAT and SAT phases.

Download the full document here to delve deeper into the world of ICS cybersecurity.


Up Your Product Security Game

With renewed attention on the secure design of components and devices, and on enabling security features out of the box by default, it has become increasingly apparent to AIT that several product creators, installers, integrators, maintainers, and users do not know how to implement product security. To complicate matters, they also lack the tools and in-house personnel to enable these features. Regarding secure by design for industrial control systems (ICS), automation systems, operational technologies (OT), embedded systems, components and devices, firmware, software, applications, internet of things (IoT), safety systems, and industrial IoT (IIoT), there are the “haves” and the “have nots.” Our Product Security as a Service will help you become one of the “haves.”

AIT Applies ISA/IEC 62443 to ICS OT Cyber Engineering Services

More and more industries and countries have recognized the need to harmonize with international standards rather than continuing to create competing sector-specific or country-specific standards. The global economy and supply chains have become increasingly homogeneous. The old days of many disparate choices with no integration still exist at some level in field operations, but increasingly common protocols like MQTT, OPC UA, BACnet, PROFINET, Modbus, CIP ENIP, and web protocols with APIs are closing the gap between once-siloed solutions.

AIT OT cyber engineers have contributed to ISA/IEC 62443 standards for several years across many sectors. We leverage part 2-1 and 3-3 to review customer policies, procedures, and system requirements. We use part 4-2 technical component requirements reviews and testing during assessments and factory/site acceptance testing. Additionally, AIT has been one of the contributors to ISA84.00.09 integrating 62443 security practices with traditional functional safety standards and practices.

AIT is happy to see now that governments, communities of vendors, asset owners, and now ISA standards conformance groups like ISA Secure and ISA Global Cyber Alliance have announced an effort for 2023 to create a conformance scheme for operational assessments. AIT OT cyber engineers have already done this in practice throughout their careers and are happy to hear that more people understand that parts of 62443 including 4-1, 4-2, and 3-3 are useful for more than just certifying vendor products. Those parts of the standard, especially the technical parts, should be leveraged, as AIT has always done, to assess, evaluate, and test that operational components, systems, and practices are properly configured, programmed, used, and maintained. Doing so closes the loop between the product lifecycle and the automation solution lifecycle from inception and design all the way to decommissioning.

AIT stands ready to help the community globally with ensuring their operations as well as their services and products conform to the requirements in the various parts of ISA/IEC 62443.

To learn more, contact AIT’s CMAC ICS OT cyber engineering services group at otcyber@ait-i.com. Also see our other blog posts about security testing and reviews during factory and/or site acceptance testing, continuous red teaming as a service, and binary reverse engineering and mapping services to ISA/IEC 62443.

Continuous Consequence, Hazard, & Threat-Based Red Team as-a-Service

“Train how you fight, fight how you train.” Limited annual penetration testing and occasional red team engagements will not help you against continuous attackers. It is time to do offense more frequently and comprehensively.


Reverse Engineering OT Devices with ATT&CK and ISA/IEC 62443 Part 4-2 Mapping as a Service

It’s long past time to move reverse engineering of embedded devices for the OT community towards a more actionable and scalable direction.

Construction, engineering, and system integration firms; asset owners and operators; and even product vendors have struggled under the existing CVE-focused regime: reporting yet another product vulnerability and coming out with the same old “patching and network segmentation” as the panacea for mitigating everything. We all know this has not worked.

At AIT we’re constantly looking at how we in the community do things today and what gaps we believe should be addressed to move the ball forward. That’s why we believe reverse engineering should move towards an actionable analysis and mapping of vulnerabilities and weaknesses to the specific related ATT&CK tactics and techniques that could be used to exploit them. That then should be directly mapped to which ISA/IEC 62443 part 4-2 component security requirements could be securely designed into the product. Doing these things, we could mitigate those specific ATT&CK tactics and techniques for the discovered weaknesses and/or vulnerabilities.

Join AIT as we begin to address the gap we see in the status quo.


Why Fund Smaller Cybersecurity Firms to Support Co-ops

Why funding small security firms to provide nationwide support to all cooperatives and small asset owner operators makes sense for critical infrastructure security

America faces a national security challenge with its smaller critical infrastructure owners and operators such as farmers, electric cooperatives, and water or wastewater cooperatives. While their individual footprint, staff, and number of customers are smaller than those of a larger industrial commercial company or utility, their numbers across each county and state nationwide reach the thousands. Often, these small owners and operators are a staff of 5 full-time employees managing everything from control systems to billing and ERP systems. They have no in-house full-time security or technically trained staff to do the following:

  • Ongoing security assessments
  • Annual or quarterly penetration testing
  • Threat and attack mapping
  • Configuration, change, and vulnerability management
  • Factory or site acceptance testing (FAT/SAT)
  • Systems security engineering
  • Threat intelligence and active continuous monitoring
  • Incident response and system or equipment recovery
  • Day to day systems administration

Cost is another hurdle these companies face. They usually cannot afford to pay larger security firms or Managed Service Providers (MSPs) to ensure ongoing, year-round support. Even larger owners and operators can usually only afford a security team of 1 to 3 people in most cases. Those 1 to 3 people typically have limited specialized security experience with embedded devices and control systems, along with their components, protocols, conduit types, and applications. Budget to get that limited 1 to 3 person staff professionally certified and trained in specific security skills for specialized digital and electromechanical equipment is also often out of reach.

The solution then becomes allocating much of the funding from EPA, DOE, USDA, state, local, and county governments to a central, small, and specialized security firm. The firm would provide well-trained, certified, and sometimes lower-cost staff, along with tools, to service all the small asset owners and operators nationwide. This enables mutual critical infrastructure cyber assistance between each of the small owners and operators. This especially applies to cooperatives because the dedicated small firm would have experienced staff who have done some of the following:

  • Walkdowns and boots on the ground technical assessments
  • Managed and configured devices
  • Provided the regular monitoring and collaboration with government
  • Offensive penetration testing
  • Factory and site acceptance testing
  • Systems security engineering

This work would be completed across each region using open-source and lower-cost, smaller-footprint tools. These could be securely linked back to a read-only security operations hub that provides an interface to government (e.g. CISA JCDC, EPA, DOE, USDA), state fusion centers, and community ISACs (Water-ISAC, E-ISAC).

AIT has the national security, mission assurance, intelligence, engineering, critical infrastructure, IT, and ICS OT experienced and certified staff to take on such a mission. At AIT, we would use the funding from federal, state, and local government to:

  • Customize, deploy, and maintain security testing, configuration, administration, and monitoring tools
  • Provide regular quarterly and annual boots on the ground penetration testing and assessments
  • Threat and attack mapping, and road maps for improving not just individual small cooperatives but entire regions across states nationwide
  • Help better inform investments from a boots on the ground perspective
  • Hire, train, and certify new, lower cost talent. These individuals would reside within and be willing to travel across each state to protect the farms, water cooperatives, electric cooperatives, and adjacent interdependent infrastructures within smaller rural areas throughout all 50 states of America and applicable territories.

Rather than scattershot approaches that have yet to scale across the country, we believe a new approach to the funding should be taken. Greater leverage of lower-cost customization of existing and new open-source tools, and a heavy focus on new dedicated staffing, should receive a significant investment from federal, state, and local funding programs.

AIT stands ready to provide such services to our communities nationwide for an often-underserved area of America’s critical infrastructure. We believe we are uniquely the right size and well positioned to scale to support the mission much more than larger firms or product vendors. We encourage both government and small asset owners and operators to reach out to AIT’s Cyber Mission Assurance Capabilities (CMAC) ICS OT security team at otcyber@ait-i.com to learn more about how AIT can help. We are always happy to share our ideas and offer our services in the fight to protect America’s most vital resources and infrastructures no matter how small they may seem. We encourage you to share these ideas with your legislators, regulators, sector administrators, peers, and other stakeholders.


Taking OT Cyber to the Next Level 

For this week’s cyber tip, we recommend creating an Operational Technology (OT) Cybersecurity support unit within your engineering organization to oversee and be responsible for the cybersecurity of your OT infrastructure. It is typically not possible for maintenance or IT personnel to maintain cybersecurity on OT equipment and networks in medium to large scale OT infrastructures. IT personnel are not trained on cybersecurity of the backbone technologies such as the dozens of embedded operating systems, industrial protocols, and physical level interfaces. OT technicians know the maintenance of such systems but not the cybersecurity integrations or the industry cybersecurity policy and regulations.

Our latest whitepaper, Setting up an OT Cybersecurity Program, describes the components of such a program and the people, process, and technologies needed to succeed.

AIT’s staff of engineers, analysts, and cybersecurity professionals have knowledge, experience, and skills to assist companies and organizations to mature their OT support units to full operation. We can assist with training needs, tools, and capabilities. AIT provides a strong leg up to establishing an enduring OT cybersecurity program. Contact us at OTCyber@ait-i.com.


Combating Modern Threats to Critical Infrastructure

The word “security” is derived from the 15th century word “securite”, which means “a state or condition of being safe from danger or harm.” For this week’s cyber tip, we will discuss security in terms of the state and condition of being safe from danger or harm caused by cyberattacks. In cybersecurity, the threat surface caused by interconnectivity and interdependency can come from anywhere. Second and third order effects extend across civilizations around the globe. Coping with such modern threats to critical infrastructure requires a constant vigil. The term constant is extremely important to achieving security. It implies continuously monitoring for intrusion in the networks requiring security.

Implementing a system that continuously monitors for intrusion is essential to combat attacks that can occur in millisecond time frames. This is beyond human ability to address and demands automated systems to solve. There are a growing number of solutions such as Dragos, Claroty, Indegy and others that focus on detecting, securing, and controlling your networks to reduce cyber threats. Automated systems that provide continuous monitoring also demand talent and skill to implement properly within networks and to maximize their effectiveness. AIT CMAC can help you select the best solution and integrate it into your control networks. Contact us at OTCyber@ait-i.com for help choosing a continuous monitoring solution.


OT Cybersecurity Includes Your Supply Chain

As part of integrating cybersecurity into the daily operations of a plant, it is important to ensure that your contractors are held to the same standard of cybersecurity as your employees. This starts with ensuring cybersecurity language is included in your operations and maintenance contracts. Luckily, DHS has plenty of guidance on this matter.

It may take a while to negotiate these clauses into your existing contracts, but they should absolutely be a part of any new contracts going forward. This helps to protect your control systems from attacks that might otherwise come through your supply chain.

Contact us at OTCyber@ait-i.com for help holding your contractors responsible for OT Cybersecurity.

 
