A Comprehensive Cybersecurity Plan
ACE and Charter Steel Partner to Develop a Comprehensive, Multi-Phased Cybersecurity Plan
As more critical operational technology (OT) assets depend on network connectivity, manufacturers' PLCs, HMIs, and industrial servers are becoming increasingly exposed to a variety of cybersecurity threats. Because OT networks have requirements that differ substantially from those of the enterprise networks managed by IT, Charter Steel knew it needed third-party assistance to take a holistic approach to its OT cybersecurity risk-reduction efforts and disaster recovery preparedness.
Charter Steel hired Applied Control Engineering (ACE) to perform an assessment of its industrial automation and control system (IACS) assets to first establish the organization’s current cyber posture. ACE then helped Charter Steel assemble a cross-functional OT/IT cybersecurity team to drive solutions for closing the identified OT cybersecurity gaps through a new sustainable and effective OT cybersecurity program.
Charter Steel is an American supplier of special bar quality (SBQ) steel products and is one of five family-owned companies that make up Charter Manufacturing, which also includes Charter Wire, Charter Automotive, Charter Dura-Bar, and Charter Aarrowcast. Headquartered in Saukville, Wisconsin, Charter Steel also operates a mini mill in Cleveland, Ohio and a processing and distribution facility in Fostoria, Ohio.
An aerial view of Charter Steel’s Cleveland facility.
Like most manufacturing facilities, Charter Steel's plant floor has become more connected over the years, both among devices on the floor and between the industrial and enterprise networks. While these changes have been instrumental in enhancing production, a more connected plant floor exposes the facility to potential cyber vulnerabilities that are quite different from those IT teams are used to handling on the enterprise side.
Identifying the Cybersecurity Needs at Charter Steel
Unlike an IT cybersecurity incident, an OT cyber incident can cause damage in the physical world and put human safety at risk. Also, since Charter Steel produces materials that are critical components for a variety of products, any plant floor issue leading to extended downtime may have a significant impact on the supply chain. Therefore, as more high-profile industrial cyberattacks made headlines, it became apparent to the automation management team at Charter Steel that they needed to invest time and resources in evaluating the potential cybersecurity risks across their facilities so that a mitigation plan could be put in place.
After more than 20 years with Charter Steel's IT team, the organization's Director of Automation and Technology knew this effort would require OT network and cybersecurity expertise and resources beyond what the IT team could provide, and that it would be more cost- and time-effective to bring in a third-party partner with extensive OT cybersecurity experience. At that point, the team contacted ACE to discuss a manageable approach to how they should proceed.
Phase 1: Performing a Cybersecurity and Cyber Posture Assessment of the Cleveland Facility
ACE and Charter Steel decided together that the first step was to evaluate a single facility's current state, including assembling an asset inventory and ranking each asset by its criticality to the production process. In March 2020, ACE planned to perform an in-person evaluation to assemble the asset inventory for the Cleveland facility, but the start of the global COVID-19 pandemic required ACE and Charter Steel to quickly pivot and put a process in place for performing the assessment virtually instead.
ACE engaged with the plant team remotely to learn about each IACS asset. While this approach left ACE with multiple data sources to reconcile, it ultimately produced a list of about 1,500 IACS assets. ACE then qualified each asset and created a spreadsheet of the facility's inventory. From there, ACE assessed the facility's cyber posture to determine its current state. To do this, ACE first rated how critical each IACS asset was to the production process by asking, "If this asset goes down, how long would it be before the mill must stop?" ACE determined that around 75 percent of the IACS devices in the facility fell into the top two criticality tiers, where a 10 means the device is safety critical and a 9 means it is operationally critical.
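The two mechanical parts of that step, reconciling records from several sources into one inventory and tiering each asset by time-to-mill-stop, look roughly like the following. This is an added illustration, not ACE's or Charter Steel's tooling: the sample records, field names, the three sources (plant walkdown, network scanner, IT CMDB) and the thresholds for the tiers below 9 are constructed assumptions; the page only states that tier 10 is safety critical and tier 9 is operationally critical.

```python
"""Merge OT asset records from several sources and tier them by production impact.

Added example, not code from the case study. Records, field names and the
tier-7/tier-5 thresholds are constructed assumptions for illustration.
"""

# Constructed sample data: the same plant seen by three different sources.
PLANT_WALKDOWN = [  # what the plant team reported (assumed fields)
    {"tag": "PLC-CASTER-01", "mac": "00:1d:9c:aa:01:02", "ip": "10.20.1.11",
     "vendor": "Rockwell", "safety": False, "minutes_to_stop": 0},
    {"tag": "HMI-FURNACE-02", "mac": "00:1d:9c:aa:02:03", "ip": "10.20.1.22",
     "vendor": "Siemens", "safety": True, "minutes_to_stop": 0},
    {"tag": "HIST-SRV-01", "mac": None, "ip": "10.20.5.10",
     "vendor": "OSIsoft", "safety": False, "minutes_to_stop": 480},
]
NETWORK_SCAN = [  # passive scanner output: MACs in upper case, one unknown device
    {"mac": "00:1D:9C:AA:01:02", "ip": "10.20.1.11", "firmware": "20.011"},
    {"mac": "00:1d:9c:bb:03:04", "ip": "10.20.1.33", "firmware": "2.1"},
]
IT_CMDB = [  # the IT team's CMDB only knows the Windows box by hostname/IP
    {"hostname": "hist-srv-01", "ip": "10.20.5.10", "os": "Windows Server 2012"},
]


def normalize_mac(mac):
    """Lower-case and colon-separate a MAC so sources can be matched on it."""
    if not mac:
        return None
    return mac.strip().lower().replace("-", ":")


def merge_sources(*sources):
    """Merge (name, records) pairs into one list of assets.

    Identity is the MAC when present, otherwise the IP; a later record that
    shares an IP with an earlier one is folded into it. The first source to
    supply a field wins, and every contributing source is recorded so the
    inventory can be audited against the tools that fed it.
    """
    assets = {}   # identity key -> merged record
    by_ip = {}    # ip -> identity key, for records without a MAC
    for source_name, records in sources:
        for raw in records:
            rec = dict(raw)
            rec["mac"] = normalize_mac(rec.get("mac"))
            mac, ip = rec["mac"], rec.get("ip")
            if mac and ("mac", mac) in assets:
                key = ("mac", mac)
            elif ip and ip in by_ip:
                key = by_ip[ip]
            else:
                key = ("mac", mac) if mac else ("ip", ip)
                assets[key] = {"sources": []}
            merged = assets[key]
            for field, value in rec.items():
                if value is not None and field not in merged:
                    merged[field] = value
            merged["sources"].append(source_name)
            if ip:
                by_ip[ip] = key
    return list(assets.values())


def criticality_tier(asset):
    """Tier from the 'how long until the mill must stop' question.

    10 and 9 follow the page; 7 and 5 are assumed lower tiers. None means the
    asset was only seen by a tool and has not yet been qualified with the
    plant team.
    """
    minutes = asset.get("minutes_to_stop")
    if minutes is None:
        return None
    if asset.get("safety"):
        return 10
    if minutes <= 60:
        return 9
    if minutes <= 8 * 60:
        return 7
    return 5


def summarize(assets):
    """Counts a manager would ask for: total, unqualified, share in tiers 9-10."""
    tiers = [criticality_tier(a) for a in assets]
    qualified = [t for t in tiers if t is not None]
    top_two = sum(1 for t in qualified if t >= 9)
    return {
        "total": len(assets),
        "unqualified": tiers.count(None),
        "top_two_tier_share": top_two / len(qualified) if qualified else 0.0,
    }


if __name__ == "__main__":
    inventory = merge_sources(("walkdown", PLANT_WALKDOWN),
                              ("scan", NETWORK_SCAN), ("cmdb", IT_CMDB))
    for asset in inventory:
        print(asset.get("tag", "<unqualified>"), criticality_tier(asset), asset["sources"])
    print(summarize(inventory))
```

The scanner-only device at 10.20.1.33 comes out with no tier, which is the useful signal: it is exactly the kind of record that has to be walked down with the plant team before the inventory can be trusted, and keeping the `sources` list per asset is what makes the later "automatic tools for entry and audit" step possible.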
After establishing a baseline understanding of the site's OT environment, ACE assessed the cyber posture and presented a report with findings and recommendations to address the current gaps. This report identified where uncoordinated protection efforts were already in place and needed to be documented, as well as areas where new processes needed to be developed and implemented.
Charter Steel then asked ACE to put its findings into a format that could easily convey the facility’s biggest cybersecurity risks to IT and management teams. Using the standardized NIST Cybersecurity Framework (CSF), ACE created a quantitative assessment and radial chart that visually highlights the facility’s current state in the core functions of identify, protect, detect, respond, and recover. Using this framework, ACE also determined where certain ad hoc protection efforts were not meeting targets, reinforcing the need for the report's recommendations.
While putting together the NIST-based assessment, it was brought to ACE’s attention that the Charter Manufacturing IT team had previously performed a similar NIST-based assessment for IT assets. ACE and Charter Steel worked together to synchronize these results so there was a common baseline. ACE then created documentation and other materials to present the findings from the Cleveland facility assessment to the Charter Steel executive committee.
Phase 2: Assessing the Saukville and Fostoria Facilities and Pivoting Plans Again
After completing the Cleveland facility assessment, Charter Steel contracted ACE to conduct the same assessment at its other two sites in Saukville, Wisconsin and Fostoria, Ohio. ACE completed the asset inventories at these sites, but about halfway through the assessment portion its engineers realized the results were nearly identical to what they had found at the Cleveland facility. Rather than push forward with duplicate work, ACE suggested to Charter Steel's Director of Automation and Technology that the remaining budget would be better spent if the project's scope were changed to focus on creating a cybersecurity plan and program to address the common risks being found across facilities.
Phase 3: Developing a Plan for an OT Cybersecurity Program
While ACE's initial assessments showed that a variety of ad hoc and uncoordinated cybersecurity efforts were under way at the three facilities, Charter Steel knew it needed to formalize and accelerate these efforts. Because of the unique characteristics of OT networks and IACS assets, Charter Steel and ACE determined that a separate program, outside the IT organization but still involving IT, should exist. Together, Charter Steel and ACE decided that the cybersecurity plan and the OT cybersecurity program would be structured around the NIST Framework for Improving Critical Infrastructure Cybersecurity.
ACE initially drafted a plan with a long list of tactics it felt Charter Steel could benefit from implementing, but Charter Steel's Director of Automation and Technology decided meaningful progress would be more attainable if the team thought big but started small, so it could deliver results quickly. At Charter Steel's direction, ACE therefore focused the plan on the following top recommendations:
- Defining accountabilities by forming an OT cybersecurity team and establishing metrics to measure the ongoing functions of identifying, protecting against, detecting, responding to, and recovering from cybersecurity risks.
- Dividing responsibilities for OT assets between the IT and OT teams as appropriate.
- Building on and maintaining the preliminary asset inventory that ACE and the respective plant teams created, by defining how data from automated tools is incorporated (for entry and audit) and how the inventory is updated (continuously, periodically, etc.).
- Creating a written (and, for the most important systems, tested) disaster recovery plan for critical systems, including a template for what the plan should contain and a hypothetical scenario run as a test of the plan(s).
Phase 4: Forming an OT Cybersecurity Team
The key to a successful OT cybersecurity program is defined accountabilities. Charter Steel and ACE felt that the best way to build a highly effective team was to break down the traditional wall between OT and IT and assemble an internal OT cybersecurity team that converged the two groups. Charter Steel's Director of Automation and Technology championed this effort, knowing that getting the right people involved to lead these initiatives would make a huge difference in establishing an effective program.
Not only was the director able to identify and assemble the right people, but he was also able to bring a few more people from IT onboard than they initially had planned for. The new Charter Steel OT cybersecurity team was able to take over ownership of more pieces of the program than they initially thought they could. ACE will continue to serve as a critical consulting resource on this team and will assist with the ever-evolving process of reducing OT cybersecurity risks. In general, the team is making their efforts manageable by working to improve the cyber posture of one facility and cascading these changes across the division.
Phase 5: Improving Disaster Recovery, Incident Response, and Back-Up Procedures
Once the team was in place, it decided to first tackle an area where the NIST CSF analysis had revealed the need for improvement: the respond and recover functions. In the OT cybersecurity program plan, ACE suggested this initiative start by evaluating the PC- or server-based systems with a high criticality rating as defined on the master asset inventory. ACE worked with the Charter Steel team to run a number of mock disaster scenarios for the identified assets and then helped develop standardized disaster recovery procedures and backup techniques for these major systems. Charter Steel is now working to develop robust backup solutions using equipment the IT team will take ownership of.
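A recovery procedure is only as good as the backup it restores from, so one check worth automating alongside the mock scenarios is whether each high-criticality PC or server actually has a backup that is recent enough and intact. The following is an added example, not Charter Steel's or ACE's procedure: the asset list, the per-asset recovery point objectives (RPO), the manifest layout and the sample images are all constructed assumptions, and the function that builds the sample scenario exists only to make the check runnable offline.

```python
"""Verify that backups of high-criticality PC/server assets are recent and intact.

Added example, not from the case study. Assumed: a backup directory holding one
image per asset plus a manifest.json recording each image's SHA-256 and the
time it was taken; the RPO per asset comes from the master inventory.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed subset of the master inventory: PC/server-based assets in tiers 9-10.
CRITICAL_SERVERS = [
    {"tag": "HIST-SRV-01", "tier": 9, "rpo_hours": 24},
    {"tag": "HMI-FURNACE-02", "tier": 10, "rpo_hours": 12},
    {"tag": "ENG-WS-01", "tier": 9, "rpo_hours": 168},
    {"tag": "DCS-GW-01", "tier": 10, "rpo_hours": 12},
]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _load_manifest(backup_dir: Path) -> dict:
    manifest_path = backup_dir / "manifest.json"
    return json.loads(manifest_path.read_text()) if manifest_path.exists() else {}


def write_backup(backup_dir: Path, tag: str, payload: bytes, taken_at: float) -> None:
    """Store an image and record its hash and timestamp in the manifest (assumed layout)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    image = backup_dir / f"{tag}.img"
    image.write_bytes(payload)
    manifest = _load_manifest(backup_dir)
    manifest[tag] = {"file": image.name, "sha256": sha256_file(image), "taken_at": taken_at}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))


def verify_backups(backup_dir: Path, assets, now: float) -> dict:
    """Return {tag: status} with status in {'ok', 'missing', 'stale', 'corrupt'}.

    Staleness is checked before integrity: a backup older than the RPO fails
    regardless of whether the bytes still match, and skipping the hash of a
    backup that is already unusable saves reading a large image.
    """
    manifest = _load_manifest(backup_dir)
    results = {}
    for asset in assets:
        entry = manifest.get(asset["tag"])
        if not entry or not (backup_dir / entry["file"]).exists():
            results[asset["tag"]] = "missing"
            continue
        age_hours = (now - entry["taken_at"]) / 3600
        if age_hours > asset["rpo_hours"]:
            results[asset["tag"]] = "stale"
            continue
        if sha256_file(backup_dir / entry["file"]) != entry["sha256"]:
            results[asset["tag"]] = "corrupt"
            continue
        results[asset["tag"]] = "ok"
    return results


def build_sample(backup_dir: Path, now: float) -> None:
    """Constructed scenario: one good, one stale, one corrupted after backup, one never taken."""
    hour = 3600
    write_backup(backup_dir, "HIST-SRV-01", b"historian image", now - 6 * hour)
    write_backup(backup_dir, "HMI-FURNACE-02", b"hmi image", now - 30 * hour)   # RPO is 12h
    write_backup(backup_dir, "ENG-WS-01", b"workstation image", now - 2 * hour)
    (backup_dir / "ENG-WS-01.img").write_bytes(b"truncated")  # bit rot / tampering
    # DCS-GW-01 is in the inventory but no backup was ever written for it.


def run_sample() -> dict:
    """Build the constructed scenario in a temp dir and verify it."""
    now = 1_700_000_000.0  # fixed 'current time' so the result is reproducible
    backup_dir = Path(tempfile.mkdtemp(prefix="otbackups-"))
    build_sample(backup_dir, now)
    return verify_backups(backup_dir, CRITICAL_SERVERS, now)


if __name__ == "__main__":
    for tag, status in run_sample().items():
        print(f"{tag:16} {status}")
```

Run on a schedule, a report like this turns "we have backups" into a per-asset answer that can feed the respond/recover metrics the program defines; a `missing`, `stale` or `corrupt` line for a tier 10 system is the thing to fix before the next mock disaster scenario, not during it.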
Expanding on a Solid Cybersecurity Foundation
Because ACE values its customer relationships, its goal is for clients to learn from its experts and reach a point where they no longer need the ACE team involved on a daily basis. This is exactly the point Charter Steel reached as it assembled an excellent team from OT and IT to lead its current initiatives. Additionally, since the work done during this assessment highlighted the risks of not having a thoroughly planned cybersecurity strategy in place, the cybersecurity efforts at Charter Steel have become highly visible to the entire Charter Manufacturing organization.
“ACE helped facilitate what we wanted to achieve as an organization in terms of IT/OT convergence and managing our cyber risks,” said Joel Multerer, Charter Steel’s Director of Automation and Technology. “ACE was instrumental in making the IT and OT relationship work by partnering with us to build trust and collaboration across our teams and remove traditional IT/OT barriers. Today, we have an excellent team, including ACE, that is focused on current and future cybersecurity initiatives.”