The origin of the term OPSEC is in the security process of military operations and its aim is to make missions carried out by the army secure. In industrial control systems, an OPSEC programme somewhat resembles an information security management process, ISMS, performed in the corporate environment. The difference is that an ISMS is in charge of designing, implementing and maintaining a set of processes to efficiently manage information system security, while OPSEC focuses on avoiding the disclosure of secrets, in the form of critical information, to the enemy. In both cases it is a continuous process of analysis and revision.
OPSEC and critical information
When we talk about developing an OPSEC programme, it is necessary to clearly define the critical information that is managed in each organisation. Within the industrial control systems there are some doubts over the use of critical information, since some employees do not know exactly whether or not they are managing sensitive information in their jobs. To continue talking about OPSEC, it is very important to bear in mind what information is classified as critical and its definition.
By critical information we mean information that, if it were published, whether intentionally or accidentally, would have a negative impact on an organisation. It covers not only secret or highly technical documentation with product specifications (such as passwords, production recipes and formulas), but also sensitive information handled in day-to-day activity, such as the processes used in an industrial system (commands and access points), financial data, personal recordings, medical information, etc.
The loss or unintentional disclosure of critical information within industrial control systems would cause, amongst other situations: financial loss, image problems with customers, a lack of resources, etc.; and much more importantly, loss of life and accidents or catastrophes caused by unauthorised access to critical systems.
To avoid these types of problems, the use of a good OPSEC programme, along with adequate awareness-raising amongst employees will provide any business with an extra level of security in its systems.
Design and functioning of an OPSEC programme
Developing a good OPSEC programme requires a continuous process. Once the critical information within the organisation has been defined, this process detects all kinds of weaknesses, as well as the potential attack vectors against that information.
- OPSEC process -
Each stage that can be observed in the OPSEC process in the image above is important. Below we explain the implications of each stage in the development of the process:
- Identification of critical information: Initial phase of the process, in which the information that could be of interest to an attacker trying to achieve their goal is identified.
- Threat analysis: Identification of potential attackers. Who are they? What motivates them to carry out certain acts? In this stage, adopting the role and mindset of an attacker is very helpful.
- Vulnerability analysis: The objective of this phase is to detect weaknesses that may be exploited by an attacker:
  - Inadequate training of employees.
  - Lack of security in communications.
  - Systems built without taking security into account.
- Risk assessment: this phase consists of determining the degree of protection existing in the organisation, assessing potential risks to its assets and determining the acceptable threshold impact.
  In this risk assessment, the following factors must be taken into account:
  - Threat: Any person, circumstance or event with sufficient potential to cause losses or danger.
  - Vulnerability: Any weakness that can be exploited, whether by an attacker or accidentally.
  - Consequence: Negative impact on the organisation (losses or danger) that would occur if an attack is effective.
  In industrial control systems, as in other information systems, the risk is directly proportional to the impact or consequences that the exploitation of a threat may bring: loss of life, system recovery time, impact on the surrounding environment, etc.
- Apply countermeasures: Countermeasures are implemented in order of priority to protect the organisation from weaknesses that cause the most significant consequences for activity, operations and objectives. The objective of these countermeasures will be to decrease the impact to an acceptable threshold level.
Analysis and monitoring in the OPSEC process
This stage comes after identifying the types of attacker that may be encountered and their motivations for carrying out attacks. It is useful to know the attacks that they may carry out as they search for information:
- Social engineering: One of the most effective techniques if it is carried out subtly. It is a deception technique whose objective is to gather information.
- Phishing: E-mail or pop-ups whose aim is theft of information through deception. This could also be a special case of social engineering.
- Carelessness (data leaks): Talking in public about tasks carried out at work (having a coffee near the workplace, smoking outside the workplace entrance, etc.); leaving sensitive information on servers; throwing out important documents, or documents containing sensitive information, without destroying them first; using mobile devices in public places (airports, hotels, stations, etc.); accessing company documentation externally without firewall rules that enforce access control; leaving the workplace without locking the door when sensitive company information is there; and, lastly, not protecting computer access with a password.
- Dumpster Diving: Some attackers may use this resource to obtain information through notes on paper, CDs, documents, etc. that are thrown in the bin. They may not be useful from the point of view of some, but they may be taken advantage of by others. All of this information should be destroyed appropriately.
To avoid being deceived and being careless, as discussed above, it is important to follow certain guidelines that provide an extra degree of security:
- Creation of strong passwords. Use complex passwords (minimum of 8 characters; include uppercase letters, lowercase letters, numbers and even special characters; change them at certain time intervals) and do not write them on post-it notes in the workplace.
- Use of additional protection for access. Extra security can be added through session tokens or key documents when allowing access to the organisation’s assets, both internally and externally, covering both logical and physical access.
- Taking care when publishing information about the company on the intranet or the internet. It is possible that when publishing certain information, more is included than intended. It is therefore good practice to take time to read over the information published so as to avoid including sensitive information that may in some way compromise the organisation’s security.
- Destruction of information or restructuring of all computers that contain critical information. When computers have ceased to be used or change owner within the company, it is important to use specific software to completely delete the sensitive data contained on the device. This will avoid information being leaked and it will control access to sensitive documents if there is document access control.
It is advisable to create a procedure that sets out the steps to take when destroying documents containing sensitive information that an attacker could use.
- Channels for reporting suspicious or anomalous behaviour to the company. It is common to receive calls or e-mails within the company in which sensitive information is requested. For this reason, we must be sure who is on the other side making the request. If you are not sure, it is advisable to find out from the company if the information provided will be used only by its members and not by outsiders.
- OPSEC in environments outside the company. When travelling, in hotels, at home or at another location outside the work environment, it is important to bear in mind that we are surrounded by people outside the company who would have no reason to have access to certain information. Having controlled mobile devices or not using public or suspicious wireless networks is good practice if we want to keep intact the information stored in devices.
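The guideline above on taking care when publishing information can be supported by an automated check run on a draft before the manual read-through. The following Python code is an added example, not part of the original article; the credential pattern, the RFC 1918 address check, the `critical_terms` parameter and the sample draft are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumed patterns for the kinds of critical information the article lists
# (passwords, access points); tune them to your own organisation.
CREDENTIAL_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]\s*\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_critical_information(text, critical_terms=()):
    """Return (line_number, category, excerpt) for each finding in a draft."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in CREDENTIAL_RE.finditer(line):
            # Report the key name only, never the secret value itself.
            findings.append((number, "credential", match.group(1)))
        for match in IPV4_RE.finditer(line):
            try:
                address = ipaddress.ip_address(match.group(0))
            except ValueError:
                continue  # not a valid address, e.g. "999.1.1.1"
            if any(address in network for network in RFC1918):
                findings.append((number, "internal-address", str(address)))
        lowered = line.lower()
        for term in critical_terms:  # e.g. recipe or project names
            if term.lower() in lowered:
                findings.append((number, "critical-term", term))
    return findings


# Constructed sample draft, not taken from any real organisation.
SAMPLE_DRAFT = """\
Our new bottling line went live this week.
The HMI is reachable at 10.20.30.40 for the maintenance team.
Default login for the historian: password = Chang3Me!
Firmware version 2.10.0.1 is installed; see 203.0.113.7 for the portal.
The Recipe-A7 batch parameters were tuned by the process team.
"""

if __name__ == "__main__":
    for number, category, excerpt in find_critical_information(
            SAMPLE_DRAFT, critical_terms=["Recipe-A7"]):
        print(f"line {number}: {category}: {excerpt}")
```

A check like this only narrows down what the reviewer has to look at; it does not replace reading the text before it is published.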
OPSEC is applicable in many environments and situations, both in industrial control systems and in other types of environments. The use of OPSEC provides an extra level of security, both at the physical and logical levels. As such, following the guidelines above and raising awareness within companies should be sufficient to keep sensitive documentation safe and avoid problems in the organisation due to different information leaks.