
INDUSTRIAL CYBERSECURITY

GUIDELINE
FOR
GNPOWER KAUSWAGAN

Prepared by: Engr. George Pio Aclan


1. TECHNICAL BACKGROUND

Information Technology (IT) is defined as hardware, software and communications technologies that
focus on the storage, recovery, transmission, manipulation, and protection of data. Operations
Technology (OT) is defined as hardware and software that detects or causes a change through the
direct monitoring and control of physical devices, processes and events. Key differences in the
purpose and functionality of IT and OT are reflected in table 1.

Information Technology (IT) vs Operations Technology (OT)

Primary Function
  IT: Process transactions, provide information, support people
  OT: Control or monitor physical processes and equipment
Focus
  IT: Programming, adjusting, augmenting, and re-programming to fit the evolving needs of networks, applications, and users.
  OT: 24/7, continuous, precise control and monitoring of machines and processes.
Architecture
  IT: Enterprise-wide infrastructure and applications; generic.
  OT: Event-driven, real time, embedded hardware and software; custom.
Examples of Systems
  IT: Office PCs, printers, web/app/data/email servers, TCP networks
  OT: Industrial controllers (PLC, DCS, SCADA) and I/O, hardened PCs and servers, industrial networks.
Examples of Devices
  IT: IoT-enabled: tablets, smart phones, etc.
  OT: IIoT-enabled: sensors, cameras, embedded systems, robots, analyzers, etc.
Connectivity
  IT: Corporate network, IP based
  OT: Control networks, hardwired and IP-based.
Data Traffic
  IT: Converged network of data, voice and video.
  OT: Converged network of data, control, information, safety and motion.
Communication
  IT: User-centric
  OT: Machine to machine
Performance Requirements
  IT: High bandwidth, delay-tolerant; rebooting, retrieval, backup acceptable
  OT: Low bandwidth, real-time; outages unacceptable, redundancy is required.
Update Frequency
  IT: High
  OT: Low
Interfaces and Networks
  IT: GUI, web browser, terminal, keyboard, hand held devices.
  OT: Electromechanical, sensors, actuators, coded displays.

Table 1. IT vs OT

IT and OT have different security priorities and approaches. IT's focus is on protecting intellectual
property and company assets, prioritizing confidentiality above integrity and availability. OT's focus
is on productivity, maintaining 24/7 operations, and achieving high overall equipment effectiveness,
prioritizing availability and control over integrity and confidentiality. In simpler terms, IT strives to
protect data first, while OT strives to protect assets first. IT networks usually feature strict
authentication protocols and access policies, while OT networks are simple to access but the
physical machines are more closely guarded. A comparison of security-related priorities and
approaches is shown in table 2.

Information Technology (IT) vs Operations Technology (OT)

Cybersecurity Concerns
  IT: Data confidentiality is the primary concern, followed by integrity of data and system availability.
  OT: System availability is the primary concern, followed by integrity of data and finally data confidentiality. In OT, data integrity and confidentiality are particularly important for device logic or configuration files used in control applications.
Access Control
  IT: Strict network authentication and access policies
  OT: Strict physical access but simple network device access.
Cyber Criminal Motivation
  IT: Monetization
  OT: Disruption
Threat Protection
  IT: Shut down access
  OT: Isolate but keep operating
Management of Change
  IT: Change-control processes are largely contained within the IT function.
  OT: Technological changes are part of the overall Management of Change process. It can be difficult to take equipment out of service to update.
Maintenance
  IT: Multiple support sources; 3-5-year component life; modular, accessible components; IT staff or contracted service in place.
  OT: Single vendor support; 15-20-year component life; remote components, hidden access; no full-time dedicated IT staff.
Upgrades
  IT: Frequent patches and updates; automatically pushed during uptime.
  OT: Carefully planned and tested; scheduled during downtime or not done at all.
Primary Players
  IT: IT and CIO
  OT: Engineers, technicians, operators, managers
Other Factors
  IT: It is becoming more common for employees to use their own devices, especially mobile technology, to access business systems. Also, new technologies are being adopted with insufficient concern for security.
  OT: Equipment and communications protocols tend to be proprietary, and it can be difficult to implement typical cybersecurity controls. Also, underlying technology can be antiquated and therefore more vulnerable to basic cybersecurity incidents. Lastly, the equipment environment is almost always heterogeneous, with devices of various ages and sources.

Table 2. IT and OT security priorities.

Today's OT environments are leveraging IT systems to manage complex physical processes. As a
result, industries are safer, more efficient, and more reliable than ever before, but these
technologies bring more security risks to facilities and operations. Attempts to disrupt operations,
steal intellectual property, and affect the quality or safety of production are steadily increasing as
more cyberattacks target critical infrastructure and industrial assets. Threat actors are using IT
techniques to access OT systems.

Effective cybersecurity management is essential for all organizations, regardless of size. This
document is intended to provide a starting point for GNPower Kauswagan Ltd. Co. (GNPK). The
guidance it provides is based on well-established frameworks and standards.

2. TECHNICAL APPROACH

2.1. Objectives

The following are the essential cybersecurity activities that should be undertaken by GNPower
Kauswagan Ltd. Co.:

- Step 1: Identify
- Step 2: Protect
- Step 3: Detect
- Step 4: Respond
- Step 5: Recover

2.2. Identify

The identify function focuses on understanding the nature of the systems inventory owned by
GNPK and what risks are associated with this inventory. A summary of the identify function
activities is illustrated in Diagram 2.

Identify activities (diagram): Create an inventory of all IT and OT assets; Assess the risk of a cyber incident; Define a cybersecurity management policy; Awareness and training.

Diagram 2. Identify Activities

2.2.1. Create an Inventory of IT and OT Assets

This step is essential for the organization. Proper cybersecurity management is impossible
without a definitive understanding of the assets involved. Failure to identify equipment or
systems makes the organization vulnerable to cyber incidents due to lack of protection or
monitoring.

As a minimum, the inventory of assets must include:

- Make and model of hardware
- Version number of all operating system and application software
- Equipment location and owner

2.2.2. Assess the Risk of a Cyber Incident

Once the organization understands what it is protecting from a cyber incident, GNPK must
conduct a risk assessment to identify what risks exist.

Risk assessments require the involvement of all key stakeholders and should identify the
likely threats and the vulnerabilities in the asset base. GNPK should then identify the
potential consequences.

GNPK should rank the risks using a common methodology to allow the identification of risk
in priority order.

Risk assessment activities (diagram): Identify Common Threats; Identify Vulnerabilities and their Key Mitigations; Identify Potential Consequences of Inadequate Cybersecurity Management.
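The two steps above (inventory, then risk assessment) are easier to keep honest when the inventory is machine-readable and the ranking is reproducible. The following script is an added example, not part of this guideline or of GNPK's own tooling: it records the guideline's minimum inventory fields (make/model, software versions, location, owner), checks that every record is complete, and ranks risks by an assumed likelihood x consequence score. The 1-5 scales, the sample assets and the sample risk entries are constructed for illustration; the guideline asks only for "a common methodology" and does not prescribe this one.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    """One inventory record holding the guideline's minimum fields."""
    asset_id: str
    make_model: str
    software: Dict[str, str]   # component -> version, e.g. {"os": "Windows 7 SP1"}
    location: str
    owner: str
    domain: str                # "IT" or "OT"


@dataclass
class Risk:
    """A threat/vulnerability pairing against one inventoried asset."""
    asset_id: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 = rare .. 5 = almost certain (assumed scale)
    consequence: int           # 1 = negligible .. 5 = severe (assumed scale)
    mitigation: str

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence


def validate_inventory(assets: List[Asset]) -> List[str]:
    """Return human-readable problems (duplicate ids, blank fields, missing
    versions, bad domain). An empty list means the inventory meets the
    guideline's minimum content."""
    problems: List[str] = []
    seen = set()
    for a in assets:
        if a.asset_id in seen:
            problems.append(f"{a.asset_id}: duplicate asset id")
        seen.add(a.asset_id)
        for name in ("make_model", "location", "owner"):
            if not getattr(a, name).strip():
                problems.append(f"{a.asset_id}: missing {name}")
        if not a.software:
            problems.append(f"{a.asset_id}: no software versions recorded")
        if a.domain not in ("IT", "OT"):
            problems.append(f"{a.asset_id}: domain must be IT or OT")
    return problems


def rank_risks(risks: List[Risk], assets: List[Asset]) -> List[Risk]:
    """Order risks for treatment: highest score first, then highest
    consequence, then asset id. A risk against an asset that is not in the
    inventory is itself an inventory gap, so it is rejected, not ranked."""
    known = {a.asset_id for a in assets}
    unknown = sorted({r.asset_id for r in risks if r.asset_id not in known})
    if unknown:
        raise ValueError(f"risks reference uninventoried assets: {unknown}")
    return sorted(risks, key=lambda r: (-r.score, -r.consequence, r.asset_id))


def risk_report(risks: List[Risk], assets: List[Asset]) -> List[str]:
    """One line per ranked risk, joined to its inventory record for context."""
    by_id = {a.asset_id: a for a in assets}
    lines = []
    for n, r in enumerate(rank_risks(risks, assets), start=1):
        a = by_id[r.asset_id]
        lines.append(f"{n}. [{r.score:2d}] {a.asset_id} ({a.domain}, {a.location}, "
                     f"owner: {a.owner}) - {r.threat}; mitigation: {r.mitigation}")
    return lines


# Constructed sample inventory and risk register (illustrative values only).
SAMPLE_ASSETS = [
    Asset("HMI-01", "Example Corp HMI panel", {"os": "Windows 7 SP1", "hmi": "4.2"},
          "Control room", "Instrumentation lead", "OT"),
    Asset("ENG-WS-01", "Example Corp engineering workstation",
          {"os": "Windows 10 21H2", "plc_tool": "9.1"}, "Engineering office",
          "Controls engineer", "OT"),
    Asset("FS-02", "Example Corp file server", {"os": "Windows Server 2019"},
          "Admin building server room", "IT supervisor", "IT"),
]

SAMPLE_RISKS = [
    Risk("HMI-01", "Malware introduced via removable media",
         "Unpatched legacy OS, unused equipment inputs not disabled",
         likelihood=4, consequence=5,
         mitigation="Disable unused inputs; quarantine and scan removable media"),
    Risk("ENG-WS-01", "Unauthorized change to controller logic",
         "Shared login credentials", likelihood=3, consequence=5,
         mitigation="Individual accounts; register of approved users"),
    Risk("FS-02", "Phishing leading to data theft",
         "Users open attachments from unrecognized senders", likelihood=4, consequence=3,
         mitigation="Awareness training; supervisor available for advice"),
]

if __name__ == "__main__":
    for p in validate_inventory(SAMPLE_ASSETS):
        print("inventory problem:", p)
    print("\n".join(risk_report(SAMPLE_RISKS, SAMPLE_ASSETS)))
```

Running the block ranks the HMI risk (score 20) above the engineering workstation (15) and the file server (12). The refusal to rank a risk against an unknown asset is deliberate: it turns the "we forgot to inventory it" case the guideline warns about into a visible error rather than a silently misranked item.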

2.2.3. Define a Cybersecurity Management Policy

GNPK should establish a cybersecurity management policy to define:

- Those responsible for cybersecurity management activities
- The processes and procedures required for operational activities and to reduce
cybersecurity risks
- The expectations of employees

2.3. Protect

The protect function is a core cybersecurity management activity that the organization must
undertake on an ongoing basis.

Protect activities (diagram): Secure Network and Equipment; Protect Sensitive Information; Manage access to systems and equipment; Awareness and training.

2.3.1. Secure Network and Equipment

Securing a network and equipment involves actions such as:

- Physically locking or disabling all equipment inputs to prevent unauthorized use
- Using only dedicated devices that are kept secure, with anti-virus software scanning
before and after use
- Using a quarantine area to check incoming removable devices of unknown provenance
and transfer files to a dedicated known device
- Only allowing a transfer of files from removable devices under strict supervision and in
compliance with antivirus checks
- Applying recommended patches to operating system and application software in a timely
manner
- Testing patches before applying them to live equipment
- Keeping antivirus software up to date
- Performing an antivirus scan regularly and frequently
- Maintaining a record of all updates applied to allow for identification of issues
- Limiting external access to equipment and networks to only those authorized to access
them

2.3.2. Protect Sensitive Information

Protecting sensitive information involves the following actions:

- Keeping confidential information secure and disposing of confidential information in a
secure manner
- Being aware of who is around and taking care to avoid disclosing sensitive information
- Being suspicious of emails if you do not recognize the sender
- Making sure you don't click on links or open attachments unless it is certain the sender is
trustworthy
- Making sure not to download or install anything after following a link in a suspicious
email
- Making sure not to provide confidential information via email unless it is certain that the
recipient is appropriate/authorized
- Making sure a supervisor or trained expert is available for advice before individuals take
any action

2.3.3. Manage Access To Systems and Equipment

Managing access to systems and equipment involves the following actions:

- Maintaining physical and electronic security to ensure that only authorized persons have
access to the equipment they require in performing their roles
- Securing equipment in locked rooms or cabinets and monitoring access
- Performing background checks on all users before approving access
- Maintaining a register of approved users
- Preventing sharing of login credentials between users
- Removing or changing credentials when a user moves to a new role or leaves
- Removing or changing default accounts
- Enforcing strong passwords and changing them regularly
- Providing temporary external access as required, supervising it during use, and removing
it once complete
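Several of the access-management actions above (register of approved users, no shared credentials, credentials removed when a user leaves, default accounts removed, passwords changed regularly) can be checked together by reconciling what is actually configured on a system against the register. The script below is an added example, not part of this guideline or of GNPK's own procedures. Its record formats, the list of default account names, the 90-day password age limit, the assumption that "who uses this login" can be obtained from sign-in records, and the sample register and accounts are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class ApprovedUser:
    """One row of the register of approved users."""
    username: str
    person: str
    role: str
    active: bool   # False once the person has left or moved to a new role


@dataclass
class SystemAccount:
    """One account as actually configured on a system or piece of equipment."""
    username: str
    last_password_change: date
    used_by: Tuple[str, ...]   # people observed using this login (assumed to come from sign-in records)


# Assumed list of vendor/default account names that should be removed or renamed.
KNOWN_DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "operator", "service"}
MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value


def reconcile(register: List[ApprovedUser], accounts: List[SystemAccount],
              today: date) -> List[str]:
    """Compare configured accounts with the approved-user register and return
    one finding per condition the guideline says to prevent."""
    approved = {u.username: u for u in register}
    findings: List[str] = []
    for acct in accounts:
        name = acct.username
        if name.lower() in KNOWN_DEFAULT_ACCOUNTS:
            findings.append(f"{name}: default account present - remove or rename it")
        user = approved.get(name)
        if user is None:
            findings.append(f"{name}: not in the approved user register")
        elif not user.active:
            findings.append(f"{name}: {user.person} has left or changed role - remove the credentials")
        people = set(acct.used_by)
        if len(people) > 1:
            findings.append(f"{name}: credentials shared by {sorted(people)}")
        age = (today - acct.last_password_change).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{name}: password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})")
    return findings


# Constructed sample data: one departed user, one shared default account.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    ApprovedUser("jdoe", "J. Doe", "Control room operator", active=True),
    ApprovedUser("msmith", "M. Smith", "Instrument technician", active=False),
    ApprovedUser("rlee", "R. Lee", "Controls engineer", active=True),
]
SAMPLE_ACCOUNTS = [
    SystemAccount("jdoe", TODAY - timedelta(days=30), ("J. Doe",)),
    SystemAccount("msmith", TODAY - timedelta(days=200), ("M. Smith",)),
    SystemAccount("operator", TODAY - timedelta(days=400), ("A. Cruz", "B. Reyes")),
    SystemAccount("rlee", TODAY - timedelta(days=10), ("R. Lee",)),
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_REGISTER, SAMPLE_ACCOUNTS, TODAY):
        print(finding)
```

On the sample data the "operator" login produces four findings at once (default name, absent from the register, shared by two people, stale password) and "msmith" two (departed user, stale password), while the two properly registered users produce none. A register kept this way also gives the maintainer of the inventory in section 2.2.1 a single place to record who owns which login on which equipment.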

2.4. Detect

Having established an understanding of its asset base and the risks to it, the organization must
then have methods to monitor for incidents, so that it is able to respond promptly and
effectively to minimize the impact.

Detect activities (diagram): Define Methods for Monitoring; Define Responsibilities for Monitoring; Identify Improvements; Awareness and training.

2.4.1. Define Methods for Monitoring

The monitoring methods will be based on the particular asset base and risk assessment.
Automated tools may be needed in GNPK.

2.4.2. Define Responsibilities for Monitoring

Having defined the methods for monitoring, the organization must assign responsibilities
for the monitoring activities. In addition, all employees should receive awareness training,
be instructed to be vigilant for signs of a cyber incident and be trained to report any type
of cyber incident.

2.4.3. Identify Improvements

The organization must regularly review the monitoring methods and adjust them to suit
changing circumstances and according to incident experiences.

2.5. Respond

The respond function comes into effect when an incident occurs. Preparation is essential to a
successful response, and so the organization must take actions well in advance of any incident.

Respond activities (diagram): Maintain an Incident Response Plan; Practice Response Processes; Identify Improvements; Awareness and training.

2.5.1. Maintain an Incident Response Plan

Key to a successful response, with minimal impact, is an effective cybersecurity incident
management plan. The plan needs to identify the possible cybersecurity incidents that
may occur within the organization and document the step-by-step procedures that should
be followed in the event of each one. All employees should be aware of the risks of
cybersecurity incidents and their role in avoiding them.


2.5.2. Practice Response Processes

The organization must test its cybersecurity incident management plan on a periodic
basis. The test must be realistic and exercise as many of the elements as possible, so as to
be certain that established procedures will work when required.

2.5.3. Identify Improvements

The organization will need to update the incident management plans in response to
changes in the cybersecurity landscape and also as a result of their incident response tests.

2.6. Recover

The recover function comes into effect once the respond function is completed.

Recover activities (diagram): Maintain Backups of All Systems and Equipment; Practice Recovery Processes; Identify Improvements; Awareness and training.

2.6.1. Maintain Backups of All Systems and Equipment

Key to a successful recovery from a cybersecurity incident is having the right backups in
place. The organization is required to:

- Identify what needs to be backed up
- Determine backup frequency based on operational requirements
- Store clearly labeled backups securely on-site and off-site, preferably in a fireproof safe

2.6.2. Practice Recovery Processes

The organization must test the cybersecurity incident recovery processes on a periodic
basis. The test must be realistic and exercise as many of the elements as possible, so as to
be certain that established procedures will work when required.

2.6.3. Identify Improvements

GNPK will need to update the recovery processes in response to changes in the
cybersecurity landscape and also as a result of the incident recovery tests.

2.7. Awareness and Training

The importance of awareness and training cannot be overstated. No amount of technical and
procedural mitigations will help if an employee takes an insecure action due to lack of training
and awareness.

External and online training courses are recommended for GNPK to give the employees a clear
understanding. Internal resources such as assessment and awareness tools should be used to
complement external courses and provide a constant reminder to employees.

Effective cybersecurity management should be a high profile business objective that is reported
on by management so that employees are constantly reminded of its importance.
