The Act on the National Cybersecurity System (KSC) significantly changes the liability of the Critical Service Operator (OUK) and differently defines the requirements for the services it should launch. OUK should, in particular, have tools that will enable it to identify a situation in which the continuity of service provision was interrupted or its quality significantly decreased.
Each of the people listed below has different priorities: automation specialists focus on the continuity of the production process and defend access to the OT network; the CFO focuses on tax risks; the CISO on procedures, audits and compliance with procedures; the CIO on technical solutions supporting security, increasingly also taking the OT area into account, but with difficulty intervening in the OT network.
The ideal solution in preparing to meet the requirements of the KSC Act seems to be the creation of a multidisciplinary response team within the company, supervised by the CIO, although this may work differently in each company.
It is very important that such a team also includes technical people with high decision-making powers, who will ensure that security remains not only at the procedural level, but also at the technical level, influencing investment budgets in terms of tools, systems or technologies. Often the implementation of the KSC Act stops at the procedural and documentation part.
Automation engineers’ priorities
• Focus on day-to-day failure resolution and supervision of the work of external contractors
• Assigning responsibility for OT security to IT teams
• Opposition to interference with the OT network
CFO priorities
• “For me, the risks are primarily taxes …”
• “If production stops – this is the problem of the production director / COO”
CIO Priorities
• IT strategy, more and more often taking into account the OT area (connecting two worlds)
• Business continuity – including OT network configuration, event monitoring, incident handling management
• Risk management (including asset discovery)
CISO priorities
• Risk management
• Audits of security, compliance, vulnerability assessment
• Usually implements SOC
The method of implementing the requirements of the KSC Act is not precisely defined in the regulations; companies have a lot of freedom in setting the scope of the audit and the type of technical and organizational measures implemented. The revision of the NIS Directive showed that many aspects of the scope of mandatory activities remain unclear, so companies are often lost and settle for the documentation part. Below is the list of obligations of entities under the KSC Act, as published by government bodies, with an indication of the areas in which our company, ICsec, supports their implementation. A large SCADvance logo means that the system performs these functions directly; a small one means that the system only supports these processes.
The main areas of support for UKSC entities by the SCADvance XP system:
1) SCADvance XP supports the OT network audit – it professionalises it and makes it accurate (passive network scanning) – the OT network audit is extremely difficult due to resistance to interference in the OT network, therefore it is often carried out in an inaccurate, manual manner;
2) SCADvance XP ensures ongoing monitoring of the network in terms of potential threats, including cyber threats (whitelist-based analysis, rule-based methods, anomaly detection);
3) SCADvance XP allows you to check the vulnerability of the OT infrastructure to cyber attacks, enabling proactive activities aimed at the protection of critical resources;
4) SCADvance XP can be an important element of both internal and external Security Operations Centers (SOC); it integrates with SIEM systems, which are often implemented in SOCs, providing valuable data for analysis.
Referring directly to the key UKSC provisions, the following should be indicated:
01. OT audit (art. 15) – compliance with the UKSC and effectiveness
• Inventory of infrastructure in terms of hardware configuration in the field of computer systems and automation systems
02. Implementation of adequate technical measures (Article 8 (2))
• Continuous monitoring system (Art.8.2 e)
• Collecting information on cybersecurity threats and vulnerabilities (Article 8 (3))
• Incident management (Art. 8 (4))
03. SOC support and integration with SIEM systems
• Data source for analysis in SIEM systems
• Documenting events (forensic)
According to Gartner forecasts, by 2024 responsibility for incidents involving cyber-physical systems (CPS) that affect the safety of people or the environment will shift towards the personal responsibility of CEOs, reaching the level of 75%.
Perhaps this change will pay off in higher cybersecurity budgets.
The main task of the SCADvance system is to monitor the industrial automation network (OT), detect potential threats and anomalies in traffic between devices in this network, indicate the possibility of incorrect operation of these devices, and monitor the correctness of processes based on the transmitted physical data. This is done by detecting unlikely or undesirable events on the network and, if such events are detected, informing the user, indicating where they occurred, the target of the attack and the probable cause. The system is also equipped with mechanisms to verify OT infrastructure elements against known vulnerabilities to cyber attacks.
One of the most important innovations of SCADvance XP is that it monitors and secures industrial networks not on their edges as standard IT systems do, but directly from their inside – analyzing all transmitted packet (data) traffic. The hardware interfaces used (Ethernet, RS-485, RS-232, RS-422, CAN) allow you to connect and monitor all industrial automation networks (OT).
• Situational awareness – the ability to carry out an almost immediate inventory giving information on what devices are connected to the network, what they communicate with, on what protocols, creating a connection map
• Risk assessment and recommendations – thanks to the early detection of anomalies, we obtain knowledge on the basis of which we can build a security system as well as assess and mitigate risks, and as a result maintain the supply chain and business continuity. We obtain information on how to secure the network, how to increase its resistance, whether it should be segmented, introduce a DMZ, introduce regular audits
• Asset management – management of identified industrial assets (e.g. identification of devices, approval of their presence in the network)
• Real-time monitoring of industrial networks on many levels, detection of any changes within these areas and quick addressing of the resulting risks. Real-time monitoring is based on both artificial intelligence and rule-based methods, whitelists, etc. The system immediately identifies events deviating from the standard behavior of the industrial network (automatic detection of anomalies, attacks, including zero-day cyberattacks, and failures)
• Support for the so-called predictive maintenance – the ability to monitor key physical parameters of the most important industrial processes and detect incorrect values (e.g. excessive increase in temperature in the boiler, too high rotor speed, too high concentration of a chemical substance in the liquid, etc.)
• Significant support in fulfilling the obligations resulting from the act on the national cybersecurity system
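The passive-monitoring functions described in the numbered support areas above and in this bullet list (asset inventory and connection map from observed traffic, whitelist-based detection of new devices and new connections, and threshold checks on transmitted physical parameters) can be illustrated with a small worked example. The code below is an added example written for this page; it is not SCADvance XP code and does not use any ICsec API. The flow records, device addresses, protocol names and process limits are all constructed, hypothetical sample data standing in for the metadata a passive probe would extract from mirrored OT traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """Connection metadata a passive probe can derive from mirrored OT traffic."""
    src: str
    dst: str
    protocol: str
    port: int


# Constructed baseline recorded during a "learning" window (hypothetical addresses).
BASELINE_FLOWS = [
    Flow("10.0.0.10", "10.0.0.21", "modbus", 502),   # HMI -> PLC1
    Flow("10.0.0.10", "10.0.0.22", "modbus", 502),   # HMI -> PLC2
    Flow("10.0.0.11", "10.0.0.21", "s7comm", 102),   # engineering station -> PLC1
]

# Constructed live traffic containing two deviations from the baseline.
LIVE_FLOWS = BASELINE_FLOWS + [
    Flow("10.0.0.99", "10.0.0.21", "modbus", 502),   # host never seen before talking to PLC1
    Flow("10.0.0.11", "10.0.0.22", "s7comm", 102),   # known host, never-seen path to PLC2
]

# Constructed process limits (min, max) for monitored physical parameters.
PROCESS_LIMITS = {
    "boiler_temp_c": (20.0, 150.0),
    "rotor_rpm": (0.0, 3000.0),
    "chlorine_ppm": (0.0, 4.0),
}


def build_inventory(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Asset inventory: every address observed, with the protocols it used."""
    inventory: Dict[str, Set[str]] = {}
    for f in flows:
        inventory.setdefault(f.src, set()).add(f.protocol)
        inventory.setdefault(f.dst, set()).add(f.protocol)
    return inventory


def connection_map(flows: List[Flow]) -> Set[Tuple[str, str, str, int]]:
    """Connection map, which doubles as the whitelist of allowed (src, dst, protocol, port)."""
    return {(f.src, f.dst, f.protocol, f.port) for f in flows}


def detect_deviations(baseline: List[Flow], live: List[Flow]) -> List[dict]:
    """Whitelist-based detection: flag live flows absent from the learned connection map.

    A flow involving an address missing from the inventory is reported as a new device;
    a flow between known devices over a never-seen path is reported as a new connection.
    """
    known_assets = set(build_inventory(baseline))
    allowed = connection_map(baseline)
    alerts = []
    for f in live:
        key = (f.src, f.dst, f.protocol, f.port)
        if key in allowed:
            continue
        new_hosts = sorted(h for h in (f.src, f.dst) if h not in known_assets)
        alerts.append({
            "type": "new_device" if new_hosts else "new_connection",
            "src": f.src, "dst": f.dst, "protocol": f.protocol, "port": f.port,
            "new_hosts": new_hosts,
        })
    return alerts


def check_process_limits(readings: Dict[str, float],
                         limits: Dict[str, Tuple[float, float]] = PROCESS_LIMITS) -> List[str]:
    """Threshold check on transmitted physical values (the predictive-maintenance case)."""
    violations = []
    for name, value in readings.items():
        if name not in limits:
            violations.append(f"{name}: no limit defined")
            continue
        lo, hi = limits[name]
        if not lo <= value <= hi:
            violations.append(f"{name}={value} outside [{lo}, {hi}]")
    return violations


if __name__ == "__main__":
    for host, protocols in sorted(build_inventory(LIVE_FLOWS).items()):
        print(f"asset {host}: {sorted(protocols)}")
    for alert in detect_deviations(BASELINE_FLOWS, LIVE_FLOWS):
        print("alert:", alert)
    print("process:", check_process_limits({"boiler_temp_c": 120.0, "rotor_rpm": 3600.0}))
```

The learned connection map is used directly as the whitelist, which is why a passive learning window on a stable OT network is enough to start alerting: anything that was not seen during learning, whether an unknown host or an unexpected path between known hosts, is surfaced with the source, destination and protocol, which is the same information an analyst needs to decide whether it is a misconfiguration, maintenance work or an intrusion.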
To meet the requirements of the KSC Act, it is not enough to have SOC-type tools and implement the procedural part. What is needed is a consciously planned, effective and secure architecture of the critical infrastructure that minimizes the effects of a possible attack, together with tools working on industrial processes and OT network facilities such as controllers, dispatcher stations and SCADA servers, analyzing processes and indicating potential incidents or anomalies in their operation, determining their level and their impact on the critical service provided. Such tools are solutions similar to the SCADvance XP system, i.e. passive probes for monitoring and protecting infrastructure in real time.