OT Security is key to bringing expansion plans to fruition

Effective control and security of operational technology (OT) and industrial control systems are inextricably linked with good corporate governance.

Companies could use compliance with legislation and corporate governance requirements to overcome key growth barriers when looking to expand into new territories and to attract outside investors. This is according to Charl Ueckermann, CEO at AVeS Cyber Security.

AVeS Cyber Security has recently completed a six-month project to secure the first of four industrial control system (ICS) environments for a large mining company.

The company – headquartered in London, with operations in Africa – has plans to open a large mine in South Africa, but to get government approval it needs an ISO 27001 certification. The company had undergone ISO 27001 audits annually between 2014 and 2016 but failed on essential OT security requirements.

ISO 27001 (formally known as ISO/IEC 27001:2013) is an internationally-recognised standard for managing information security management systems (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

“Industrial control system networks also form part of ISO 27001 assessments. When these are not adequately secured, it impacts compliance with ISO 27001 standards. Critical findings on the audit reports for the mining company showed that the security vulnerabilities of their Supervisory Control and Data Acquisition (SCADA) architecture were significant and severe. Unless they addressed these vulnerabilities to achieve ISO 27001-certification, their plans to expand into South Africa were not going to come to fruition,” said Ueckermann.

A full site survey, penetration testing on the infrastructure, and an assessment of the company’s industrial control system by a team from AVeS Cyber Security and Kaspersky Lab revealed over 500 vulnerabilities that could allow a cyber criminal to obtain full control over the system, steal sensitive information and impact data integrity.

To remedy the vulnerabilities and better equip the company to go forth with its ISO 27001 accreditation journey, the team implemented Kaspersky Industrial CyberSecurity (KICS). This made the client the first in Africa to implement KICS.

Kaspersky Industrial CyberSecurity is a portfolio of technologies and services designed to secure truly industrial layers and elements of an organisation – including SCADA servers, HMI panels, engineering workstations, Programmable Logic Controllers (PLCs) and network connections – without impacting on operational continuity and consistency of the technological process.

The solution deployed at the mining company, KICS for Nodes, is a specialised product for protecting industrial control systems’ endpoints, called Human-Machine Interfaces (HMIs). It is designed specifically to address threats at operator level, protecting against the various types of cyber threats that can result from human factors, generic malware, targeted attacks or sabotage.

Some of the functionalities include: PLC Integrity Check, which enables additional control over PLC configurations; Application Launch Control, which allows control of applications from installation to start-up, access and updates according to whitelisting or blacklisting policies; Device Control, which allows administrators to define and specify whitelisted devices that can be connected to the protected industrial hosts; Wi-Fi Control, which enables the monitoring of any attempt to connect to unauthorised Wi-Fi networks and is based on Default Deny technology, meaning it automatically blocks connections to any Wi-Fi network ‘not allowed’ in the task settings; File Integrity Monitor, which enforces and tracks file and folder changes based on predefined task settings to protect SCADA projects; Advanced Anti-Malware Protection, which detects malicious software to protect Windows workstations against known, unknown and complex threats; and Host-Based Firewall, which provides the ability to block access from network nodes showing suspicious activity or performing unauthorised encryption attempts.

Ueckermann said AVeS Cyber Security is now working with the company to align its OT policies with its IT policies for the next ISO 27001 audit, which will be done by an external certified auditor. This includes, among others, the disaster recovery policy for PLCs, workstations and revivers; failover policies and redundancy; password policies and access control policies for physical OT areas and systems.

“It is now a case of connecting all of the dots so that OT and IT are effectively aligned to ensure success with the next audit. Almost four years in the making, this accreditation will allow the business to finally put their plans to expand into action. Their story is not that uncommon; badly planned OT and poor OT security have put a spanner in the wheels of many companies looking to expand or attract investors. Yet the solutions are there to help get their houses in order,” he concluded.


About The Author

Guest Contributor

A Guest Contributor is any of a number of experts who contribute articles and columns under their own respective names. They are regarded as authorities in their disciplines, and their work is usually published with limited editing only. They may also contribute to other publications. - Ed.
