The Cyber Resilience Review (CRR) is an interview-based assessment that evaluates an organization’s operational resilience and cybersecurity practices. This assessment is derived from the CERT Resilience Management Model (CERT-RMM), a process improvement model developed by Carnegie Mellon University’s Software Engineering Institute for managing operational resilience. The Cyber Resilience Review evaluates that maturity of an organization’s capacities and capabilities in performing, planning, managing, measuring, and defining cybersecurity capabilities across the following 10 domains:
- 01 Asset Management focuses on the processes used to identify, document, and manage the organization’s assets.
- 02 Controls Management focuses on the processes used to define, analyze, assess, and manage the organization’s controls.
- 03 Configuration and Change Management focuses on the processes used to ensure the integrity of an organization’s assets.
- 04 Vulnerability Management focuses on the processes used to identify, analyze, and manage vulnerabilities within the organization’s operating environment.
- 05 Incident Management focuses on the processes used to identify and analyze events, declare incidents, determine a response, and improve an organization’s incident management capability.
- 06 Service Continuity Management focuses on processes used to ensure the continuity of an organization’s essential services.
- 07 Risk Management focuses on process used to identify, analyze, and manage risks to an organization’s critical services.
- 08 External Dependency Management focuses on processes used to establish an appropriate level of controls to manage the risks that are related to the critical service’s dependence on the actions of external entities.
- 09 Training and Awareness focuses on processes used to develop skills and promote awareness for people with roles that support the critical service.
- 10 Situational Awareness focuses on processes used to discover and analyze information related to the immediate operational stability of the organization’s critical services and to coordinate such information across the enterprise.
Oil and gas companies have two options in conducting a CRR: 1) a self-assessment or 2) a facilitated session involving on-site DHS representatives. For most companies, it may be beneficial to contact a qualified third-party to assist your IT and OT teams with a self-assessment before involving representatives from the DHS. Using a trusted outside organization to perform a cybersecurity assessment of the industrial network environment can help identify the many variables at work and guide you toward how to reduce risks based upon your business objectives.
The Professional Services Team at SunView Software has nearly 20 years’ experience working with clients in many industries, including the Energy sector. After assessing your current state of organizational resilience, we will provide you with a gap analysis and recommendations for improvements based on recognized best practices. While SunView Software’s ChangeGear platform with Tripwire integration is fully equipped to handle all ten of the requirements listed above, the purpose of this newsletter is touch on just a few examples.
It goes without saying, but one of the most basic steps to securing any environment is knowing what you have in it. How can you secure something unknown? If you do not already have one, an accurate asset inventory that includes hardware and software should be your first objective. Maintaining this inventory over time is critical for your cybersecurity program. The technology capabilities in your automation systems will continue to evolve—as will the threats targeted against them. This inventory is a cornerstone of your cybersecurity program so you can then effectively implement the other foundational controls for those assets.
One quick way to achieve a high-fidelity level of inventory is to use a tool that passively collects data on every connected device within your Industrial Control System (ICS). ChangeGear Asset Manager with Tripwire integration can tell you what is on your network, in addition to providing you with a baseline of your normal network, so you can see when deviations occur and pinpoint the deviations from normal operations. This baseline monitoring also provides you with a change control process, so you can effectively and efficiently monitor and manage changes in your configuration.
For example, an engineer overseeing an oil refinery may know that their most sensitive asset is the system that maintains oil temperatures. A hacker enters an email server via a device connected to the Internet. How does the hacker get from the email server to their target? They need to follow a path to their target from IT to OT using vulnerable devices as steppingstones. ICS operators need to have an accurate network map that details each device’s configuration and its known vulnerabilities. Your team can use this information to make sure there is a defense mechanism in place to block the hacker’s path to your most sensitive zones and assets.
Configuration and Change Management
According to the Cybersecurity and Infrastructure Security Agency (CISA), configuration and change management (CCM) is the process of maintaining the integrity of hardware, software, firmware, and documentation related to the configuration and change management process. CCM is a continuous process of controlling and approving changes to information or technology assets or related infrastructure that support the critical services of an organization. This process includes the addition of new assets, changes to assets, and the elimination of assets.
The main difference between configuration and change management is that configuration management focuses on managing the configuration items (CI) and the state of the system, while change management focuses on managing the changes that affect the CIs and the system. ChangeGear Change Manager makes it easy to capture all the information necessary to process change approvals and establish auditable records. Unfortunately, organizational change is not the easiest thing to accomplish. In many companies, it seems like certain employees would rather “face death” than change the way they do things—or maybe not?
Think about a “burning platform” for a moment. Although that is probably the last thing that anyone in the oil and gas industry would ever want to see, this image is a powerful tool for implementing organizational change. The term “burning platform” originated from the Piper Alpha disaster of 1988, in which an explosion triggered an oil and gas fire that destroyed the Piper Alpha platform on July 6, 1988, killing 167 men. The primary cause of the accident was ruled to be maintenance work simultaneously carried out on one of the high-pressure condensate pumps and a safety valve, which led to a leak in condensates. After the removal of one of the gas condensate pump pressure safety valves for maintenance, the condensate pipe remained temporarily sealed with a blind flange as the work was not completed during the day shift. Unaware of the maintenance being carried out on one of the pumps, a night crew turned on the alternate pump. Following this, the blind flange and the firewalls around it failed to handle the pressure, leading to several explosions. The fire at the platform intensified due to a failure in closing the flow of gas from the Tartan platform. The automatic fire-fighting system remained deactivated as divers worked underwater just before the incident.
Had a Change Management system, like ChangeGear Change Manager, been available at that time, this accident might have never happened because change windows and blackout periods would have been used to control when maintenance work could be done and a calendar of events would have kept everyone informed. Unfortunately, hindsight is 20/20 and the concept of Change Management was still in its infancy back then. However, history has proven that people do learn from their mistakes. So, cultivating a climate where a “life and death” scenario is in the front of everyone’s mind can be a powerful tool for creating a climate of convincing and all-encompassing change. As the story goes, an oil worker is awakened by an explosion and a roaring fire engulfing the platform. Realizing the impending peril, he needs to use split-second decision making to choose his fate. The man has two options: jump 100 feet down into the icy waters of the North Sea or stay where he is and face certain death in the raging inferno. Of course, if the fall does not kill the man, the freezing waters will likely take his life in a matter of minutes. In this story, the man chooses to jump into the ocean and, with fate on his side, he defies death and is rescued. In the heat of the moment, he made the only rational decision available to him at the time: it is better to face probable death than certain death. In addition to his willingness to accept change, this man obviously understood the concept of risk management too.
Closely tied to the operation of a Service Desk, Incident Management is the practice of minimizing the negative impact of incidents by restoring normal service operation as quickly as possible. Any condition that has the potential to result in a breach or degradation of service triggers a response that prevents the actual disruption from occurring.
An effective incident management system, like ChangeGear Service Manager, provides the ability to establish command and control. In other words, ChangeGear moves the management of the response from the initial reactive mode to one where the scope of the incident is understood, appropriate response actions are being taken in alignment with response strategies, and where the outcome of the incident is being driven by a clear set of objectives to protect people and the environment.
Incident responders face many challenges in responding effectively to major incidents. Factors such as weather, site access, resource constraints, poor coordination, lack of preapprovals for response strategies, or poor communications can delay response times or hinder incident response efficiency. A delayed or ineffective response can result in unnecessary impacts which may present risks to people, the environment and property.
ChangeGear Service Manager is an essential tool for overcoming many of these challenges as it provides clarity in command and control, improves resource coordination and communications, and facilitates the cooperation and integration of responding organizations. ChangeGear is a scalable, systematic method for coordinating and controlling the wide variety of important activities, resources, and response organizations from your central command station.
Well-known vulnerabilities are behind 99% of breaches. You can prevent most breaches by fixing vulnerabilities before they are exploited using an enterprise solution like ChangeGear with Tripwire integration that integrates vulnerability management with service desk and asset management tools. Tripwire gives you complete network visibility, both on-premises and in the cloud, using up-to-date, accurate, and non-intrusive discovery signatures. Tripwires unique application-centric approach to vulnerability scanning and assessment searches for specific vulnerabilities based on operating systems, applications, and services, which ensures only the required signatures are run to limit any negative application interactions. Rather than providing a seemingly endless list of “high risk” vulnerabilities, Tripwire utilizes risk scoring on limitless, time-based scale, making it clear where your highest risks are located so you can focus on mitigating them first.
Managing the Convergence of IT and OT
Traditionally, Operational Technology (OT) was an “air-gapped” environment, which means it was not connected to any external Information Technology (IT) networks or digital devices. In recent years, however, “traditional OT” began to evolve along with the rise of the Fourth Industrial Revolution—also known as “Industry 4.0.” Companies taking part in this change have begun implementing new digital solutions in their networks looking to stay ahead of their competition. These solutions strive to increase automation, add “smart” devices, make data more efficient and available, and interconnect networks for convenience.
The problem, however, lies in the velocity, scope, and impact associated with these changes. The speed of current breakthroughs is faster than society has ever witnessed before. When compared with previous industrial revolutions, the Fourth is evolving at an exponential rather than linear pace. Moreover, it is disrupting almost every industry in every country that it reaches. The breadth and depth of these changes are requiring the transformation of entire systems of production, management, and governance. As the air gap between OT and IT continues to discharge, OT components are becoming more accessible thereby enabling employees to collect and analyze data about them. This movement is referred to as “IT-OT Convergence.” While connecting operational and information technology opens a great door to new opportunities, it also introduces a vast landscape of cybersecurity threats to what was once an air-gapped network.
From an OT point of view, availability, reliability, and safety of the industrial process are the top priorities for industrial networks. Cybersecurity is a relatively new discipline and responsibility for OT teams, so they are less knowledgeable and less inclined to participate in this effort. Implementing cybersecurity controls may only be possible during maintenance windows that happen once or twice a year, when there is a line upgrade, or a new green-field plant is being constructed. New requests to exchange data between OT and corporate IT environments open new cybersecurity risk profiles that need to be mitigated, where new DMZs create invisible boundaries between the IT and OT departments. Traditionally, OT has managed their own networks outside of IT assistance, which opens an entirely new gray area where trust must be earned before collaboration can begin.
As networks continue to drive new connectivity and the lines between IT and OT begin to blur, collaboration between these two teams becomes a critical element. Workers on the OT side need to think about what the IT cybersecurity team needs in terms of systems, processes, and access. Workers on the IT side should find ways to noninvasively layer an appropriate level of cybersecurity in OT without compromising their goals for reliability and availability of the industrial network. Both teams need to invest the time to understand each other’s business goals and help each other achieve them.
IT and OT teams work differently, are used differently, and face different risks and objectives. However, as digital systems continue to connect to industrial systems, the oil and gas industry will enjoy greater efficiencies and improved productivity but at the same time, expose itself to more cyberthreats. Industry experts predict that IT/OT will only continue to converge. This means that OT administrators should do their best to understand the IT environment—and vice versa. Gartner’s Strategic Roadmap recommends that organizations align their standards, policies, tools, processes, and staff between the IT and the business to the changing OT systems. The approach to dealing with the organizational changes in response to IT/OT convergence is called “IT/OT alignment.”
 “Assessments: Cyber Resilience Review (CRR).” Cybersecurity & Infrastructure Security Agency. https://us-cert.cisa.gov/resources/assessments#ten-domains. Accessed 28 May 2021.