segregate the OT systems from the corporate network environment, making it easier for potential hackers to exploit vulnerabilities across the organization. While network connections increase the availability of production data from the OT environment, they also increase the risk of internet-connected systems interacting with OT. Many organizations have critical vulnerabilities that provide access into the corporate network from the internet, further leveraged to access OT systems due to physical network connections that lack appropriate segmentation and isolation.
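The two-step path described above (internet to corporate network, then corporate network to OT over an unsegmented link) can be checked mechanically from observed connection records. The following is an added example, not code from the article or from Protiviti; the zone names, the zone policy and the flow records are constructed for illustration. It flags flows that cross zones the policy does not permit, and it walks the observed flows as a graph to show which OT hosts an internet-facing host can reach and through which intermediate hosts.

```python
# Added example (not from the article): IT/OT segmentation review over
# constructed connection records. Zone names and records are hypothetical.
from collections import defaultdict, deque

# Constructed flow records: (src_host, src_zone, dst_host, dst_zone, dst_port).
FLOWS = [
    ("vpn-gw", "internet", "eng-ws-01", "corporate", 443),
    ("eng-ws-01", "corporate", "hist-01", "ot_dmz", 1433),
    ("hist-01", "ot_dmz", "plc-12", "ot", 502),
    ("eng-ws-07", "corporate", "hmi-03", "ot", 3389),   # direct corporate -> OT
    ("hmi-03", "ot", "plc-12", "ot", 502),
    ("jump-01", "ot_dmz", "hmi-03", "ot", 3389),
]

# Hypothetical segmentation policy: which destination zones each source zone
# may talk to. Only the OT DMZ is allowed to reach OT; nothing reaches OT or
# the DMZ directly from the internet.
ZONE_POLICY = {
    "internet": {"corporate"},
    "corporate": {"corporate", "ot_dmz"},
    "ot_dmz": {"ot_dmz", "ot"},
    "ot": {"ot"},
}


def direct_violations(flows, policy=ZONE_POLICY):
    """Flows whose source zone is not permitted to talk to the destination zone."""
    return [f for f in flows if f[3] not in policy.get(f[1], set())]


def ot_exposure_paths(flows, start_zone="internet", ot_zone="ot"):
    """Shortest host-by-host path from any host in start_zone to each OT host,
    following only the flows actually observed (breadth-first search)."""
    adjacency = defaultdict(list)
    zone_of = {}
    for src, src_zone, dst, dst_zone, _port in flows:
        adjacency[src].append(dst)
        zone_of[src] = src_zone
        zone_of[dst] = dst_zone

    starts = [h for h, z in zone_of.items() if z == start_zone]
    queue = deque((h, [h]) for h in starts)
    seen = set(starts)
    paths = {}
    while queue:
        host, path = queue.popleft()
        if zone_of[host] == ot_zone:
            paths[host] = path          # first visit is the shortest path
        for nxt in adjacency[host]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return paths


if __name__ == "__main__":
    for flow in direct_violations(FLOWS):
        print("policy violation:", flow)
    for ot_host, path in ot_exposure_paths(FLOWS).items():
        print("reachable from internet:", ot_host, "via", " -> ".join(path))
```

On the constructed records this reports the corporate-to-OT RDP flow as a policy violation, and shows that `plc-12` is reachable from the internet-facing `vpn-gw` through `eng-ws-01` and the historian, even though every hop on that path is individually allowed. That second finding is the one the text is describing: the compound exposure only appears when the flows are followed end to end, which is why the review should look at paths rather than single rules.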
Obviously, OT systems with any of these shortcomings present significant cybersecurity risks for energy and utility companies. The threat is multiplied by the fact that certain energy and utilities operations are deemed critical infrastructure, whose exploitation can have devastating effects on broad geographic regions affecting multitudes of people.
More and more ICS/SCADA technologies utilize Internet Protocol-enabled systems that can connect to the broader corporate network infrastructure. While this provides for certain efficiencies, it can also expose oil and gas systems to unprecedented risks that occur when the previously isolated (air-gapped) OT systems are linked to sophisticated IT networks so data can be shared, managed and analyzed.
Despite this newfound connectivity, for fear of creating interruptions or process errors, the industry has remained stubbornly reluctant to challenge legacy OT systems from a vulnerability-management perspective. Typically, reliability and continuity of the technology utilized to manage and monitor operations are the priorities, with any downtime requiring advance scheduling. Security control testing is often perceived as intrusive, and therefore the potential to inadvertently impact production systems is considered an unacceptably high risk.
This reluctance often leads to a failure to adequately test or update systems to optimize security and minimize cybersecurity risks. It's not uncommon to have unapplied operating system patches stretching back years, or none applied at all, out of concerns about impacting applications and connections to human-machine interfaces (HMI), programmable logic controllers and other OT systems.
The concerns are legitimate, but only up to a point. There isn't sufficient justification to hold OT systems off-limits for cybersecurity evaluation and upgrades, given the high potential for targeting by sophisticated opponents and the extent of potential exposure. To this end, assessments should still be performed, but they must incorporate a series of precautions designed to ensure both operational continuity and a complete threat risk review. These precautions include:
• Collaboration with both engineering and IT security personnel to define the scope of the review engagement. Engineers can often obtain detailed technical information through nonintrusive interactions with OT systems.
• Establishment of clear lines of communication so any network or system irregularities are reported and evaluated during testing. All activities can be performed in conjunction with OT engineers to ensure full transparency of test activities.
• Well-defined rules of engagement, including identification of high-risk systems and networks prior to conducting a vulnerability assessment. Automated scanning can be tailored to perform nonintrusive tests on a limited sample of
• Performing security evaluations in a test, rather than production, environment. While comprehensive test environments are typically not available, clones of some systems and applications on isolated networks can be used to test
• Reasonable limitations on initial tests so sensitive systems can be excluded if needed to allow for the development of
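The precautions above amount to a scoping procedure: agree the rules of engagement, identify high-risk systems before any scanner runs, prefer isolated clones over production hosts, and limit initial tests to a bounded sample with a nonintrusive profile. The following is an added example of enforcing that procedure in code; it is not from the article or from Protiviti, and the inventory fields, zone names, role names and rule values are all hypothetical. It derives a scan scope from an asset inventory and a rules-of-engagement record, and refuses to produce a scope at all if the agreed profile is intrusive.

```python
# Added example (not from the article): derive a vulnerability-scan scope from
# an asset inventory under agreed rules of engagement. Every field, zone and
# role name below is hypothetical.

# Constructed asset inventory, as it might be exported from a CMDB.
INVENTORY = [
    {"host": "plc-12", "zone": "ot", "role": "plc", "critical": True},
    {"host": "hmi-03", "zone": "ot", "role": "hmi", "critical": True},
    {"host": "hist-01", "zone": "ot_dmz", "role": "historian", "critical": False},
    {"host": "eng-ws-01", "zone": "ot_dmz", "role": "engineering_ws", "critical": False},
    {"host": "eng-ws-07", "zone": "ot_dmz", "role": "engineering_ws", "critical": False},
    {"host": "hist-clone-01", "zone": "test_lab", "role": "historian", "critical": False},
]

# Rules of engagement agreed with OT engineering before testing (hypothetical).
RULES = {
    "excluded_roles": {"plc", "hmi", "safety_system"},  # never touched by a scanner
    "allowed_zones": {"ot_dmz", "test_lab"},
    "max_sample": 2,                                    # bounded initial test
    "scan_profile": {"intrusive": False, "max_rate_pps": 10, "tcp_connect_only": True},
}

# Lower number = scanned first: isolated clones before production-adjacent hosts.
ZONE_PREFERENCE = {"test_lab": 0, "ot_dmz": 1}


def build_scope(inventory, rules):
    """Split the inventory into scan targets, deferred hosts and excluded hosts.

    Raises ValueError if the agreed profile is intrusive, so an intrusive scan
    cannot be produced from these rules by accident.
    """
    if rules["scan_profile"].get("intrusive", True):
        raise ValueError("rules of engagement require a nonintrusive scan profile")

    excluded, candidates = [], []
    for asset in inventory:
        if (asset["critical"]
                or asset["role"] in rules["excluded_roles"]
                or asset["zone"] not in rules["allowed_zones"]):
            excluded.append(asset["host"])
        else:
            candidates.append(asset)

    # Deterministic ordering: preferred zone first, then host name, so the
    # sample is reproducible and reviewable by the OT engineers.
    candidates.sort(key=lambda a: (ZONE_PREFERENCE.get(a["zone"], 99), a["host"]))
    n = rules["max_sample"]
    return {
        "targets": [a["host"] for a in candidates[:n]],
        "deferred": [a["host"] for a in candidates[n:]],  # later test windows
        "excluded": excluded,
        "profile": dict(rules["scan_profile"]),
    }


def out_of_scope(requested, scope):
    """Hosts in a proposed scan job that the agreed scope does not cover."""
    allowed = set(scope["targets"])
    return [h for h in requested if h not in allowed]


if __name__ == "__main__":
    scope = build_scope(INVENTORY, RULES)
    print("targets:", scope["targets"])
    print("deferred:", scope["deferred"])
    print("excluded:", scope["excluded"])
    print("blocked:", out_of_scope(["plc-12", "eng-ws-01"], scope))
```

On the constructed inventory the scope contains the lab clone and one engineering workstation, the two remaining DMZ hosts are deferred to a later window, and the PLC and HMI are excluded outright; a proposed job that names `plc-12` is reported as out of scope before anything is launched. The `out_of_scope` check is the piece worth wiring into whatever triggers the scanner, since the rules of engagement only protect production if they are enforced at the point of execution rather than recorded in a document.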
Working within these parameters, the end goal of testing the security control environment of the ICS/SCADA environments should be to achieve the following:
• Evaluate the key security risks prevalent in the ICS/SCADA
• Identify network vulnerabilities and test connectivity to the
• Assist with development of a vulnerability-management program specific to the ICS/SCADA infrastructure.
Ideally, energy and utilities companies want to ensure that they have an ICS/SCADA environment that can function in a secure and effective manner and that is highly efficient in detecting and responding to breaches and attacks. This requires technical expertise, collaboration between departments, appropriate planning and leveraging vulnerability assessments to periodically test security.
Testing these systems requires more work, but it is not impossible, and it most certainly should not be considered off-limits. In fact, testing is an essential practice for preserving the integrity of any critical system.
ABOUT THE AUTHORS
Michael Porier is a Managing Director in Protiviti's Houston office specializing in information technology risk consulting engagements. His expertise includes evaluating the risks and controls related to managing enterprise-wide technical processes, performing detailed security assessments, and implementing business continuity solutions.
Joe Marcum is an Associate Director in Protiviti's Houston office specializing in execution of IT projects, including information security reviews, implementation of IT controls, development and review of disaster recovery and business continuity management programs, reviews of network architecture and physical/logical controls for Process Control