We use our own and third-party cookies to provide a smooth and secure website. Some are necessary for our website to function and are set by default. Others are optional and are only set with your consent to enhance your browsing experience. You may accept all, none, or some of these cookies. Learn more on our cookie policy page.
At CGI, we respect your privacy and implement appropriate security measures to protect your data. Please use the buttons below to signal your consent to the use of functional, statistical and marketing cookies. Enabling these cookies, allows us to remember your preferences, display our webpages more efficiently and gather usage statistics to help continually improve our website.
Some cookies on our website are provided by third-party companies, such as LinkedIn, YouTube, Twitter and Facebook. Personal data collected through these cookies are processed on behalf of CGI. However, aggregated form of the personal data may be used by third-party cookie providers for their own purposes. You can always change your cookie preferences in this cookie management center or by clicking the "cookie management center" link in our cookie policy page or in our website's footer. Learn more about your rights by visiting our Web Privacy Notice or go to our Cookie Policy page for more information on cookies.
These cookies are strictly necessary to deliver the services you have specifically requested and enable core features of our websites, including security and sessions management to function properly.
| Name | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
| JSESSIONID | NewRelic | General purpose platform session cookie, used by sites written in JSP. Usually used to maintain an anonymous user session by the server. | Session | First party |
| __cfruid | HubSpot | This cookie is set by HubSpot’s CDN provider because of their rate limiting policies. | Session | First party |
| hs-membership-csrf | HubSpot | This cookie is used to ensure that content membership logins cannot be forged. It contains a random string of letters and numbers used to verify that a membership login is authentic. | Session | First party |
| __cf_bm | CloudFlare | This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website. | 30 Minutes | First party |
| cookie-agreed | www.cgi.com | Stores the user's cookie consent state for the current domain | 23 Days | First party |
| AKA_A2 | Akamai | This cookie is generally provided by Akamai and is used for the Advanced Acceleration feature, which enables DNS Prefetch and HTTP2 Push. | 1 Hour | First party |
These cookies allow us to enhance your browsing experience, provide personalized features and remember your choices on our websites (including log-in information, accessibility configurations and language preferences). We do not use these cookies to track or profile you.
| Name | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
| hs-messages-is-open | HubSpot | This cookie is used to determine and save whether the chat widget is open for future visits. It is set in your visitor's browser when they start a new chat, and resets to re-close the widget after 30 minutes of inactivity. If your visitor manually closes the chat widget, it will prevent the widget from re-opening on subsequent page loads in that browser session for 30 minutes. It contains a boolean value of True if present. | 30 Mins | Third party |
| __hsmem | HubSpot | This cookie is set when visitors log in to a HubSpot-hosted site. It contains encrypted data that identifies the membership user when they are currently logged in. | 7 Days | Third party |
| starlight | www.cgi.com | In specific parts of our website, we have disclaimer flags with buttons to accept or reject the disclaimer. If user accepts the disclaimer, then this cookie stores the information about the fact that a visitor has accepted the disclaimer | 365 Days | First party |
| player | Vimeo | This cookie saves your settings before you play an embedded Vimeo video. This means that the next time you watch a Vimeo video, you will get your preferred settings back. | 365 Days | Third party |
| hs_ab_test | HubSpot | This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before. It contains the id of the A/B test page and the id of the variation that was chosen for the visitor. | Session | Third party |
| _cfuvid | CloudFlare | This cookie is a part of the services provided by Cloudflare - Including load-balancing, deliverance of website content and serving DNS connection for website operators | Session | Third party |
| lang | This domain is owned by LinkedIn, the business networking platform. It typically acts as a third party host where website owners have placed one of its content sharing buttons in their pages, although its content and services can be embedded in other ways. Although such buttons add functionality to the website they are on, cookies are set regardless of whether or not the visitor has an active LinkedIn profile, or agreed to their terms and conditions. For this reason it is classified as a primarily tracking/targeting domain. | Session | Third party | |
| WFESessionId | Microsoft Azure | This cookie is necessary to enable a Power BI session, a Microsoft tool that helps visualize data. | Session | Third party |
| YSC | Youtube | YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. | Session | Third party |
| <id>_key | HubSpot | When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again. The cookie name is unique for each password-protected page. It contains an encrypted version of the password so future visits to the page will not require the password again. | 14 Days | Third party |
| s_cc | Adobe Analytics | Used to determine if cookies are enabled for Adobe Analytics | Session | Third party |
| __hs_opt_out | HubSpot | This cookie is used by the opt-in privacy policy to remember not to ask the visitor to accept cookies again. This cookie is set when you give visitors the choice to opt out of cookies. It contains the string "yes" or "no". | 6 Months | Third party |
| __hs_do_not_track | HubSpot | This cookie can be set to prevent the tracking code from sending any information to HubSpot. It contains the string "yes". | 6 Months | Third party |
| _GRECAPTCHA | Google reCAPTCHA | This cookie is set by Google reCAPTCHA, which protects our site against spam enquiries on contact forms. | 6 Months | Third party |
| hs_langswitcher_choice | HubSpot | This cookie is used to save a visitor’s selected language choice when viewing pages in multiple languages. It is set when a visitor selects a language from the language switcher and is used as a language preference to redirect them to sites in their chosen language in the future if they are available. It contains a colon delimited string with the ISO639 language code choice on the left and the top level private domain it applies to on the right. An example will be "EN-US:hubspot.com". | 2 Years | Third party |
| cookieValue | www.cgi.com | This cookie used for the disclaimer acceptance flag. | 1 Day | First party |
| __hs_cookie_cat_pref | HubSpot | This cookie is used to record the categories a visitor consented to. It contains data on the consented categories. | 6 Months | Third party |
| ARRAffinitySameSite | Microsoft Azure | ARRAffinitySameSite is for Azure Web Sites for load balancing our application. This cookie is used to distribute traffic to the website on several servers in order to optimize response times. | Session | Third party |
| __hs_initial_opt_in | HubSpot | This cookie is used to prevent the banner from always displaying when visitors are browsing in strict mode. It contains the string "yes" or "no". | 7 Days | Third party |
| language | www.cgi.com | This cookie remembers your preferred language based on your previous selections, allowing the website to present content in your chosen language without you having to manually select it each time you visit. | 365 Days | First party |
| VISITOR_INFO1_LIVE | Youtube | This cookie is used as a unique identifier to track viewing of videos | 365 Days | Third party |
| cookie-agreed-categories | www.cgi.com | Save the user's cookie consent category states for the current domain | 23 Days | First party |
| hs-messages-hide-welcome-message | HubSpot | This cookie is used to prevent the chat widget welcome message from appearing again for one day after it is dismissed. It contains a boolean value of True or False. | 1 Day | Third party |
Also known as “performance cookies” on our websites, these cookies are used to gather statistical information (such as pages visited and links clicked on), which we use to improve how our websites function. Reports generated from these cookies help us, for instance, to make the most popular pages or requested features easier to find. The information collected through these cookies may be used to distinguish you from other visitors to our websites, but the information is not used to identify you as a named individual.
| Name | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
| _tr | Meta | This cookie is used to track your interactions with ads that are powered by Meta. It is stored for 30 days. | 30 Days | Third party |
| tiktok_ads_id | Tiktok | This cookie is used to track your interactions with ads that are powered by TikTok. It is stored for 13 months. | 13 Months | Third party |
| VID | A visitor-related identifier for a LinkedIn microsite used to determine conversions for lead gen purposes. | 1 Year | Third party | |
| li_c_user | This cookie is used to track your activity on websites that have the LinkedIn Pixel installed. It is stored for 1 year. | 1 Year | Third party | |
| _ga | Google Analytics | This cookie enables Google Analytics to distinguish one visitor from another in order to generate statistical website usage data. Each ‘_ga’ cookie is unique to the specific property, so it cannot be used to track a given user or browser across unrelated websites. | 365 Days | First and third party |
| ms_ta* | Bing | These cookies are used to track your interactions with ads that are powered by Bing. They are stored for 1 year. | 1 Year | Third party |
| __utmb | Google Analytics | This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. This cookie determines new sessions and visits and expires after 30 minutes. The cookie is updated every time data is sent to Google Analytics. Any activity by a user within the 30 minute life span will count as a single visit, even if the user leaves and then returns to the site. A return after 30 minutes will count as a new visit, but a returning visitor. | 365 Days | First party |
| s_ppv | Adobe | Used by Adobe Analytics to retain and fetch what percentage of a page was viewed | Session | Third party |
| tiktok_pixel | Tiktok | This cookie is used to track your activity on websites that have the TikTok Pixel installed. It is stored for 13 months. | 13 Months | Third party |
| __hssc | HubSpot | This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp. | 30 Minutes | First party |
| gpy_pn | Adobe | Used to store and retrieve the previous page in Adobe Analytics. | 6 Months | Third party |
| __utmc | Google Analytics | This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. It is not used in most sites but is set to enable interoperability with the older version of Google Analytics code known as Urchin. In this older versions this was used in combination with the __utmb cookie to identify new sessions/visits for returning visitors. When used by Google Analytics this is always a Session cookie which is destroyed when the user closes their browser. Where it is seen as a Persistent cookie it is therefore likely to be a different technology setting the cookie. | 365 Days | First party |
| s_tslv | Adobe | Used to retain and fetch time since the last visit in Adobe Analytics | 6 Months | Third party |
| _ga_LC0YVRL587 | Google Analytics | This is a pattern-type cookie set by Google Analytics, where the name element contains the unique identifier of the account or website to which it is associated. Used to store and count pageviews. | 1 Year | First party |
| _gat | Google Analytics | This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 1 minute. | 365 Days | First party |
| fr | Contains browser and user unique ID combination, used for targeted advertising. | 365 Days | Third party | |
| sc_hit | SnapChat | This cookie is used to track your activity on websites that have the Snapchat Pixel installed. It is stored for 1 year. | 13 Months | Third party |
| mf_[website-id] | Mouseflow | 1st party cookie, session lifetime: A cookie for identifying the current session on a website | Session | First party |
| simpli.fi_visit | Simpli.fi | This cookie is used to track your visits to websites that have the Simpli.fi Pixel installed. It is stored for 30 days. | 30 Days | Third party |
| s_pltp | Adobe | Provides page name value (URL) for use by Adobe Analytics | Session | Third party |
| s_tp | Adobe | Tracks percent of page viewed | 2 Years | Third party |
| mf_user | Mouseflow | This cookie establishes whether the user is a returning or first-time visitor. This is done simply by a yes/no toggle and no further information about the user is stored. This cookie has a lifetime of 90 days. | 3 Months | First party |
| __utmz | Google Analytics | This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour measure of site performance. This cookie identifies the source of traffic to the site - so Google Analytics can tell site owners where visitors came from when arriving on the site. The cookie has a life span of 6 months and is updated every time data is sent to Google Analytics. | 365 Days | First party |
| s_plt | Adobe | Tracks the time that the previous page took to load | Session | Third party |
| vuid | Vimeo | This domain is owned by Vimeo. The main business activities are: Video Hosting / Sharing | 365 Days | Third party |
| _fbp | Meta | This cookie is used to track your activity on websites that have the Meta Pixel installed. It is stored for 30 days. | 30 Days | Third party |
| _gid | Google Analytics | Registers a unique ID that is used to generate statistical data on how the visitor uses the website. This cookie expires after 1 day. | 1 Day | Third party |
| _hjid | Hotjar | This is a pattern-type cookie set by Google Analytics, where the name element contains the unique identifier of the account or website to which it is associated. It is a variation of the _gat cookie that is used to limit the amount of data that Google stores on high-traffic websites. | 365 Days | First party |
| simpli.fi_id | Simpli.fi | This cookie is used to track your activity on websites that have the Simpli.fi Pixel installed. It is stored for 30 days. | 30 Days | Third party |
| gpv_pn | Adobe | This cookie gathers data for analyzing the visitor's use of the website including activity tracking, page visits and links clicked | 2 Hours | Third party |
| _gat_UA-114077998-1 | Google Analytics | This is a pattern-type cookie set by Google Analytics, where the name element contains the unique identifier of the account or website to which it is associated. It is a variation of the _gat cookie that is used to limit the amount of data that Google stores on high-traffic websites. | 365 Days | First party |
| appcast_job_ad | Appcast | This cookie is used to track your interactions with job ads that are powered by Appcast. It is stored for 30 days. | 30 Days | Third party |
| appcast_visitor | Appcast | This cookie is used to track your visits to the Appcast website. It is stored for 30 days. | 30 Days | Third party |
| li_cs | This cookie is used to track your interactions with ads that are powered by LinkedIn. It is stored for 1 year. | 1 Year | Third party | |
| RT | Boomerang | It measures page load time, or other timers associated with the page. | 365 Days | First party |
| _ga | HubSpot | This cookie records a unique identification which is used to generate statistical data about how the visitor uses the Website. | Session | First party |
| AnalyticsSyncHistory | Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries | 30 Days | Third party | |
| ai_session | Microsoft Azure | This cookie name is associated with the Microsoft Application Insights software, which collects statistical usage and telemetry information for apps built on the Azure cloud platform. This is a unique anonymous session identifier cookie. The main purpose of this cookie is: Performance | Session | First party |
| __utma | Google Analytics | This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. This cookie lasts for 2 years by default and distinguishes between users and sessions. It it used to calculate new and returning visitor statistics. The cookie is updated every time data is sent to Google Analytics. The lifespan of the cookie can be customised by website owners. | 365 Days | First party |
| __hstc | HubSpot | The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session). | 6 Months | First party |
| ai_user | Microsoft Azure | This cookie name is associated with the Microsoft Application Insights software, which collects statistical usage and telemetry information for apps built on the Azure cloud platform. This is a unique user identifier cookie enabling counting of the number of users accessing the application over time. The main purpose of this cookie is: Performance | 1 Year | First party |
| _gclxxxx | Google Analytics | This is the Google conversion tracking cookie. It allows to count visits and traffic sources, so we can measure and improve the performance of our site. | 365 Days | First party |
| aam_uuid | Adobe | Set for ID sync for Adobe Audience Manager | 30 Days | Third party |
| _gid | Google Analytics | This cookie name is associated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. | 365 Days | First and third party |
| ms_u* | Bing | These cookies are used to track your activity on websites that have the Bing Pixel installed. They are stored for 1 year. | 1 Year | Third party |
| lms_analytics | Used to identify LinkedIn Members in the Designated Countries for analytics | 30 Days | Third party | |
| __utmt | Google Analytics | This cookie is set by Google Analytics. According to their documentation it is used to throttle the request rate for the service - limiting the collection of data on high traffic sites. It expires after 10 minutes | 365 Days | First party |
| appcast_session | Appcast | This cookie is used to track your session on the Appcast website. It is deleted when you close your browser. | 30 Days | Third party |
| __hssrc | HubSpot | Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. It contains the value "1" when present. | Session | First party |
| hubspotutk | HubSpot | This cookie enables us to deliver the service and or response that individuals needs and expects from us, in a seamless manner | 6 Months | First party |
| mf_user | Mouseflow | 1st party cookie, persistent: A cookie for checking if the user is new or returning | 90 Days | First party |
| s_ips | Adobe | Tracks percent of page viewed | Session | Third party |
| __hjSessionUser_204526 | HubSpot | Hotjar cookie that is set when a user first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. | Session | First party |
| _gat_UA-nnnnnnn-nn | Google Analytics | This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites. | 365 Days | First party |
| _gat_UA-399437-1 | Google Analytics | This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites. | 365 Days | First party |
| sc_gpt | SnapChat | This cookie is used to track your interactions with ads that are powered by Snapchat. It is stored for 1 year. | 13 Months | Third party |
These cookies are from third-party partners. They collect browser and user information to (a) deliver relevant content (b) limit users’ exposure to certain advertisements and (c) determine whether a user is logged into a social media platform where the user desires to share our content. The information collected through these cookies may be used to distinguish you from other visitors to our websites, but the information is not used to identify you as a named individual.
| Name | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
| sp_t | Spotify | The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content. | 364 Days | Third party |
| bcookie | Browser Identifier cookie to uniquely identify devices accessing LinkedIn to detect abuse on the platform. | 365 Days | Third party | |
| dpm | Adobe marketing cloud | The cookie is used for targeted advertising and marketing. Domain is owned by Adobe Audience Manager. | 365 Days | Third party |
| NID | Google Ads Optimization | This is a Google cookie that allows a company, such as CGI, to target advertising to users who have signed out of their service. A cookie allows CGI to show you useful content on Google services. By accepting marketing cookies, you authorize Google to process your information. You can also influence your own information or withdraw your consent in the Google services settings or by modifying your cookie settings from this cookie manager (link at the bottom of the page). Learn more: https://policies.google.com/technologies/cookies | 365 Days | Third party |
| lissc | Used by the social networking service LinkedIn for tracking the use of embedded services. | 365 Days | Third party | |
| UserMatchHistory | This domain is owned by LinkedIn, the business networking platform. It typically acts as a third party host where website owners have placed one of its content sharing buttons in their pages, although its content and services can be embedded in other ways. Although such buttons add functionality to the website they are on, cookies are set regardless of whether or not the visitor has an active LinkedIn profile, or agreed to their terms and conditions. For this reason it is classified as a primarily tracking/targeting domain. | 365 Days | Third party | |
| _gcl_au | HubSpot | Google Adsense to store and track conversions. | 89 Days | Third party |
| c | Cision | This domain is owned by IPONWEB and is used to provide a real time bidding platform for online advertising. | 184 Days | Third party |
| _gcl_au | Google Adsense | Used through Google Analytics to understand user interaction with the site and advertising | 3 Months | Third party |
| _fbp | Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers | 365 Days | Third party | |
| IDE | Google DoubleClick | This cookie, used by Google DoubleClick, helps measure the effectiveness of ads and delivers targeted ads to users. It tracks actions after viewing or clicking an ad to improve user experience, with a focus on ad preferences. | 2 Years | Third party |
| lidc | This domain is owned by LinkedIn, the business networking platform. This cookies is used to facilitate data center selection. | 365 Days | Third party | |
| ln_or | Used to determine if Oribi analytics can be carried out on a specific domain | 1 Day | Third party | |
| uuid | MediaMath | MediaMath uses cookies to help recognize a computer or device so that they can deliver relevant advertising to you, measure the impact of that advertising and better understand and recognize digital media usage patterns. | 13 Months | Third party |
| _cc_aud | Lotame | We use this cookie to target advertising that is appropriate for you through the Adform service. This domain is owned by Lotame. The cookie can be used to collect the following information: Cookie ID, Mobile Advertising ID, Partner ID, browser and device information, IP address and analytics information about the functionality of advertising. By accepting cookies, you allow Adform and Lotame to process your cookie information. You can influence the processing of your information by contacting dpo@adform.com or modifying your cookie settings. | 365 Days | Third party |
| AMCVS_* | Adobe experience cloud | Indicates the start of a session for Adobe Experience Cloud | Session | Third party |
| c_user | The c_user cookie contains the user ID of the currently logged in user. The lifetime of this cookie is dependent on the status of the ‘keep me logged in’ checkbox. If the ‘keep me logged in’ checkbox is set, the cookie expires after 90 days of inactivity. If the ‘keep me logged in’ checkbox is not set, the cookie is a session cookie and will therefore be cleared when the browser exits. | 3 Months | Third party | |
| bscookie | This cookie is used for remembering that a logged in user is verified by two factor authentication and has previously logged in. | 365 Days | Third party | |
| _fbp | HubSpot | Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers | 3 Months | Third party |
| lms_ads | Used to identify LinkedIn Members off LinkedIn in the Designated Countries for advertising | 30 Days | Third party | |
| AMCV_* | Adobe experience cloud | Unique Identifier for Adobe Experience Cloud | 180 Days | Third party |
| datr | The purpose of the Datr cookie is to identify the web browser used to connect to Facebook, regardless of the logged in user. This cookie plays a key role in Facebook's security and site integrity functions. | 2 Years | Third party | |
| sb | Facebook – Allows Facebook to recover your account in the event that you forget your password, or to require additional authentication if you tell us that your account has been hacked.”sb” and “dbln” cookies enable Facebook to identify your browser securely. | 2 Years | Third party | |
| RUL | Google DoubleClick | Used by Google DoubleClick to determine whether website advertisement has been properly displayed. | 1 Year | Third party |
| personalization_id | X | This cookie is set due to X integration and sharing capabilities for the social media. | 2 Years | Third party |
| GPS | Youtube | YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. | 365 Days | Third party |
| liap | This cookie locates LinkedIn functionalities in the page and share the Website information on social networks. | 1 Year | Third party | |
| demdex | Adobe marketing cloud | This cookie helps Adobe Audience Manger perform basic functions such as visitor identification, ID synchronization, segmentation, modeling and reporting | 365 Days | Third party |
| A3 | Yahoo | This domain is owned by Yahoo, whose principal business is Search and Advertising Services. | 365 Days | Third party |
| _gcl_aw | Google Adsense | to provide ad delivery or retargeting. | 90 Days | Third party |
| sp_landing | Spotify | The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content. | 23 Days | Third party |
| li_sugr | Used to make a probabilistic match of a user's identity outside the Designated Countries | 90 Days | Third party | |
| _kuid_ | Salesforce.com | We use this cookie to target advertising that is appropriate for you online. This domain is owned by the Krux Digital. | 365 Days | Third party |
| xs | Session cookies are c_user and xs. c_user stores the username and the xs session secret, these two cookies together determine whether the user is logged in or not. | 3 Months | Third party | |
| _guid | Used to identify a LinkedIn Member for advertising through Google Ads | 90 Days | Third party |
Successful implementation of cybersecurity into an operational technology (OT) environment demands recognition of its unique physical, cultural and organizational challenges. Only by acknowledging these can you craft a practical, effective approach that OT teams will buy into.
Overcoming these hurdles is especially crucial in the utilities and manufacturing sectors, where a cyber-attack-induced operational halt can affect critical national infrastructure and global supply chains.
Based on our global experience introducing our cybersecurity expertise into OT environments, this article shares our recommendations for operations, IT and security professionals wanting a straightforward implementation process that meets OT defense requirements and makes sense to OT teams.
Organizations with OT functions have often, over many years, developed organizational structures where IT and OT operate separately, creating silos of accountability.
A key reason for integrating IT and OT is the volume and richness of data within OT environments. This data fuels advanced analytics, leading to valuable insights and better business decisions. For example, digital twins and other technologies are enabling organizations to generate operational efficiencies and/or cost savings through predictive maintenance or other scenario-based strategies.
Aside from missing out on valuable business intelligence, the traditional siloed approach can also lead to gaps in overall cybersecurity, leaving business-critical OT infrastructure potentially vulnerable to cyber-attacks. It’s essential to recognize that such incidents are increasingly inevitable. A unified approach means consistent cybersecurity measures across both domains, protecting both OT critical infrastructure and IT business-critical infrastructure from cyber threats.
While it is important to protect both domains, IT has benefited from years of combatting cyber-attacks, consequently developing many effective techniques to mitigate the threat and impact of a malicious attack. Meanwhile, OT is working to close the gap with IT advancements, adapting IT principles to fit the unique requirements and perspectives of OT environments.
There’s widespread agreement that robust defenses depend upon:
- Discovering and mapping assets
- Assessing their vulnerability to breach to understand where breach opportunities exist
- Prioritizing remediation
- Having a plan for when a critical incident occurs
Standards exist to guide the implementation of these security controls, such as NIST SP 800–82 R2 and IEC62443. These standards discuss the methods to secure an OT infrastructure environment and include:
- Restricting logical access to the network and network activity through ‘demilitarized zones’ (DMZ) and firewall environments
- Enforcing valid permissions and installing antivirus software
- Developing the capability to restore systems should an incident occur
The journey to OT cybersecurity begins with a comprehensive understanding of your environment. Without this base knowledge, you can’t be entirely confident that any cybersecurity you apply will be sufficiently robust to protect your critical OT systems.
This process of discovery can be broken down into five stages:
This can be as simple as adding a sensor to listen passively to your environment. Activating passive listening means spanning the switch port on the local network, allowing the sensor to detect the different types of addresses coming across your environment and correlating the Media Access Control (MAC) IDs.
Active discovery can be more effective in some cases but poses a potential risk where devices do not respond well to interrogation. The benefits of active scanning need to be compared to the risks in the development of an accurate asset inventory. The logistics of passive scanning across a large number of sites needs to be considered.
Passive network scanning can provide a starting point, but it's crucial to complement this with a physical walkthrough to capture all your physical assets. You can only be confident you understand your environment by reconciling your digital and physical asset inventories and comparing them to what the sensor has discovered.
The challenging part of this process is learning how to compare what’s ‘on the wire’ versus ‘what’s on the floor’. Identifying network blind spots, this action will reveal:
- Items on the floor that aren’t connected to any local network
- Items on the floor that aren’t connected to a local network that you’re aware of
- Networks and devices that existing sensors are monitoring
- Networks that aren’t currently covered by sensors
This involves working through your discovered list to identify products that don’t necessarily have a reported MAC address. It also involves sorting all devices into categories, such as industrial devices, printers, access points, workstations and under-identified devices which need to be called out for further investigation. If you’re unlucky, you might find somebody has installed an unapproved device, such as a Raspberry Pi or a Wi-Fi extender/repeater.
At this point, your monitoring device will start reporting potential security concerns, such as devices that can connect to the internet. It’s standard to find that many devices are connected to the internet without anyone realizing it. The next question is, do these devices need internet access, and if they do, how do you mitigate the risk without impacting production requirements?
Another option is to perform an external scan of your environment to identify those devices that are seen by the Internet, and therefore by malicious actors. There’s little reason to expose industrial assets to the Internet, but if they are there then a bad actor can find them easily.
History has shown that these OT systems are frequently not as isolated as expected. For example, USB drives are plugged into systems, laptops connected to the IT systems are carried into the control rooms and plugged into the OT network, and undocumented networks are connected for convenience.
Showing the organization examples of other OT cyber-attacks such as the Stuxnet attack, the Sandworm attack targeting and disabling the Ukraine electrical infrastructure, the Oldmar’s treatment plant attack, and the ongoing attacks relating to the current Russian and Ukraine war is a good way of starting a conversation about your own vulnerabilities.
To close the IT/OT organizational gap, it’s important to acknowledge and address how different areas of expertise will work together and establish common terminologies between your OT and cyber engineers to make looking at the technology easier.
However, this isn’t the most significant factor in building OT defenses. A strong, trustworthy and mutually respectful relationship between OT and cyber experts is critical so that cybersecurity can be discussed in an open and appropriate manner.
The best way to build this relationship is to have continuous meetings, making sure that any OT cyber experts play a prominent role in sitting with OT teams and helping them take the cybersecurity journey.
Effective cybersecurity is a balancing act. Understanding your assets is key to defending those same assets, but you should consider the mantra of “assume breach.” Knowing how to react to a cyber incident is key to surviving in such a scenario, knowing who needs to be involved, knowing where your backups are, knowing your backups are secure, knowing how you should react--these are the ways in which you mitigate the impact of a cyber-attack.
Planning for the possibility of an incident, rather than assuming it won't happen to you, is the best way to ensure a swift and effective response.
