OT

Purdue Model: Intelligently Segregating Your OT Networks

The modern OT threat landscape is growing due to the significant rise of interconnected network devices. OT is particularly vulnerable given the need for high availability and integrity, at the expense of confidentiality (which is at odds with the priorities in an IT environment). Following the Purdue model helps mitigate the risk of compromise by not allowing different types of devices to operate on the same subnet (e.g. manufacturing devices and databases). Consequently, it is referenced in key compliance standards such as IEC 62443 and OG86 as a practice to be implemented.

Case Study: Vortex - Continuous Urban Scanner (CURBS)

Awen and Vortex have known each other for a while. We are both small but growing enterprises in South Wales. Vortex approached us at the beginning of 2022 to help reduce the risk of cyber attacks to the devices that they were developing as part of a 5G applied project called Continuous Urban Scanner (CURBS) in collaboration with National Express, BT and Thales NDEC. The project was part-funded by Innovate UK and used the West Midlands 5G test facility which is supported by UK Government DCMS.

OG86 - The Health and Safety Executive's Guidance for Industrial Network Security

OG86 is Operational Guidance issued by the Health & Safety Executive (the UK government agency tasked with regulating and enforcing health and safety in the workplace) to mitigate the risk of cyber-attacks that could result in health and safety incidents, major accidents and/or the loss of essential services.

Operational Technology (OT) and the Log4Shell vulnerability

On the 24th November 2021, the Alibaba Cloud Security team privately notified Apache about a new vulnerability in a very popular Java programming language library called Log4j. The vulnerability became public knowledge on the 9th December 2021 and was officially published in CVE databases during the 11th & 12th December 2021.

Awen Collective & Arcanum Cyber Security Relaunch Cyber Wales Operational Technology Cluster

Awen Collective and Arcanum Cyber Security have joined forces to relaunch the Cyber Wales Operational Technology Cluster - cluster managers Jules (CTO at Awen Collective) and Marie (Sales & Marketing Manager at Arcanum) will be welcoming anyone with an interest in OT Cyber Security to join them on the 30th November at 2-4pm.

The aim of this Cluster is to provide a platform to share intelligence and explore ideas on the specific cyber security challenges being faced by organisations working in Operational Technology (OT), Critical National Infrastructure (CNI) and Industrial Control Systems (ICS).

For our first meeting, our two speakers, Kat Abercrombie (Senior Pen-Tester at Arcanum Cyber) and Jules Farrow (CTO at Awen Collective) will introduce topics on the difference between IT and OT and why each needs its own security focus, and why asset and vulnerability discovery is vital to producing an effective OT cyber security programme. We'd also love to hear from you - a brief introduction on who you are, your interest in OT cyber, and what future topics we can focus on within our OT cluster meetings.

If you work in, or have an interest in, cyber security in the industrial sectors then we'd love for you to join us.

This event will be hosted by the wonderfully accommodating University of South Wales National Cyber Security Academy at their Newport City Campus and simultaneously virtually via Zoom. If you can't join us in person, we'd still love for you to join via Zoom where you'll be just as much part of the action (although you will need to provide your own Welsh Cakes!).

Arcanum is an NCSC Certified Cyber Security Consultancy, supporting clients across multiple sectors, ranging from CNI, Manufacturing and Defence to SMEs. Marie Caruso, Sales & Marketing Manager at Arcanum, is a manager of the OT Cluster at Cyber Wales.

Awen Collective makes society safer by reducing the impact of cyber attacks on the services we all rely upon on a daily basis through innovative software solutions tailored for OT organisations across CNI, Manufacturing, Defence and Smart Cities. Jules Farrow, CTO at Awen Collective, is a manager of the OT Cluster at Cyber Wales.

Purpose-built OT Software Trumps Repurposed IT Software

#AwenAsks

For the next 5 weeks, we will be releasing questions on LinkedIn about a whole variety of things including cyber security, software, industry 4.0 and much more. We are tagging it with #AwenAsks, or you can view the questions directly via our Awen Collective LinkedIn company page.

Week Commencing 16th November 2020

In the week commencing the 16th of November 2020 we asked two questions on LinkedIn:

  1. Would you be comfortable using repurposed IT tools on your OT / ICS / SCADA / IIoT system?

  2. Do people in engineering departments think differently to those in IT departments?

The purpose of asking these two questions was to understand more about how software in both the IT and OT worlds is treated.

These were our first two LinkedIn polls, so we were not expecting to receive a large number of responses. Question 1 of this week received 10 votes within 1 week. Question 2 received 11 votes within 1 week. The questions for the following week have already been released, and have received more votes than our first week.

What were the results?

Question 1

With 0% voting yes and 50% voting no, this indicates to us that people (at least those who we are well connected with) recognise that there are differences between Information Technology (IT) and Operational Technology (OT). As such, our requirements for software which interacts with these systems should be treated differently.

The 40% who voted “Maybe” and 10% that voted “I don’t know” most likely either have particular scenarios in mind (e.g. there may be particular OT devices which are directly controlled by IT software), or are unfamiliar with the differences between IT and OT.

Question 2

The result for “do people in engineering departments think differently to those in IT departments”, posed more as a process-thinking than a belief-thinking question, shows a resounding yes response at 82%. Within this small sample, people do believe that engineers think differently from a process perspective to IT staff.

This most likely hints that the user experience (and also data dashboard) requirements of IT software and of software that handles OT are very much different. The approach to these members of staff should also be different.

Summary and Why are we interested?

In summary it seems that for Operational Technologies (OT), software developed specifically for OT trumps repurposed IT software. This software should not only be built from the ground up for OT, but should be tailored to the specific needs of engineering.

When we started Awen Collective in 2017, we discovered anecdotal evidence of this, and it shaped the way that we developed our software products Profile and Dot. We therefore strongly believe that purpose-built OT software trumps repurposed IT software.

However, while we believe that OT should have OT-specific tools, there is a place for IT involvement in OT (especially in OT cyber security). The IT world has a lot more experience with, and mature products for, cyber security. So, at Awen we like to speak to people from across an industrial business - OT, IT, Cyber, Risk and the executives - just so that we can get a deeper understanding of how we can best support them now and in the future.

If this sounds interesting, then please do feel free to contact us.

Questions released during week of 23rd November 2020

The results were analysed by Daniel Lewis, CEO & Cofounder of Awen Collective.