Thursday, December 8, 2016

Bridging the IT/OT Gap: Bring IT into Your Acceptance Testing

By Dirk Sweigart, CISSP, PMP, Cybersecurity Working Group Member

A key part of starting up a new industrial control system or manufacturing application is the acceptance test.  If IT resources are not already involved, the acceptance test presents an excellent opportunity to bring them into your project. A successful implementation may solicit IT input on acceptance testing criteria and enlist their aid in performing the cybersecurity portions of the acceptance test.

An industrial control system should have cyber security requirements that can be addressed by IT resources during acceptance testing. These requirements could include guidelines for the changing of default passwords, disabling of unnecessary ports or DVD drives, and segmenting of the network (perhaps with firewalls or switches). Also, cybersecurity requirements should specify the access control for the various operating and managing users. 

Additional requirements that might be beneficial for your IT resources to address could be checking the proper assignment of IP addresses versus the documentation, looking at the proper configuration of any workstations (such as Windows configuration), confirming that the latest (or appropriate) versions of software are being used, confirming that proper event logging is occurring, and confirming the proper operation of anti-virus software.

Your IT team will be familiar with these requirements and testing procedures to verify the implementation. Further, it is likely that there are other requirements and tests that automation engineers and operations may not consider. For example, IT resources may be able to complete intrusion testing, during which your IT team attempts to defeat security mitigation steps using default accounts and passwords.  They can also try connecting unauthorized devices to the network to test what access they are granted.  

IT and OT are clearly converging.  The critical steps of the acceptance testing process should be a great environment to bring members from both backgrounds together to confirm that the system meets the requirements that were specified.  Cybersecurity requirements can represent a common ground where both IT and OT can see and understand the requirements, perform the tests, confirm that the system is ready for operation in a production environment, and develop a shared understanding of systems, methods, and priorities.  

About the Author

Dirk Sweigart, CISSP, PMP (Applied Control Engineering, Inc.) is an MES Solutions Manager and Cybersecurity Expert at Applied Control Engineering, Inc in Newark, DE.  He has over thirty years experience developing systems for process control, SCADA, MES and business applications with DuPont, INVISTA, Koch Industries and ACE.  Dirk also teaches cybersecurity and SCADA at the Wilmington University graduate school.  He is an information member of the ISA-95 Committee and a member of the MESA Cybersecurity Working Group.  You can reach him at

No comments: