Introducing the Operational Technology Cyber Security Alliance

OTCSA White Paper October 2019

Table of contents

Executive summary
OT environments are at risk
OTCSA vision and mission
Why the OTCSA?
Today's dangerous OT threat landscape: how'd we get here?
OT protection: the time has come
OTCSA Working Groups
Securing OT environments: OTCSA Work Products
Conclusion
Appendix
Acknowledgements
Use of information


Executive summary

As cyber attacks increase in severity and frequency, the threat to critical infrastructure and industrial automation has never been greater. The Operational Technology Cyber Security Alliance (OTCSA) is a new industry alliance dedicated to ensuring that operational technology (OT) environments and the interfaces enabling OT/IT interconnectivity are protected and secure. To accomplish its mission, the OTCSA promotes collaboration among leading OT and IT companies with the goal of developing end-to-end cyber security guidelines and best practices.

This introduction to the OTCSA puts forth the OTCSA’s vision, mission, and value proposition. We look at the historical underpinnings of the modern OT landscape, including the evolution of Industrial Control Systems (ICS) and their associated threats. We outline how the evolution of technology and business—in particular the convergence of OT and IT—has resulted in today’s threat-rich environments. Finally, we discuss the first three OTCSA technical Working Groups (WG) and the guidance they provide to enable businesses to enhance their OT cyber security postures.

OT environments are at risk

The threats to critical infrastructure and industrial automation are increasing in severity and frequency. That’s because the digitalization driving the Industrial Internet of Things (IIoT) is also opening up potent new attack vectors.

Smart sensors, robots, motors, electrical-power frequency converters, and other connected devices throughout modern OT environments are generating immense quantities of data. Analysis of data is delivering immeasurable benefits by enabling the highly flexible, optimized operation of factories, process plants, and other facilities.

At the same time, data is being utilized in ways that have blurred the boundaries between OT and IT (e.g., routing data from a factory’s network edge to the cloud). As the historical isolation, or “air gap,” that previously protected OT disappears, the increased convergence of IT and OT networks—along with the adoption of IT technologies into process control and automation systems—is making OT increasingly vulnerable to cyber attacks.

The upshot is that, more and more, hackers are selecting industrial targets, including ICS used by power plants and factories. The resulting disruption affects not only businesses and their customers but also daily life in a society that is dependent on the uninterrupted functioning of infrastructure and the modern, global supply chain.

Indeed, in recent years the severity, frequency, and sophistication of OT cyber attacks have risen (Figure 1), while the state of cyber security readiness languishes.

• A cyber attack in 2017 wreaked havoc at several cargo facilities of shipping giant A.P. Moller-Maersk, costing the company $300M [1].

• WannaCry and NotPetya Ransomware attacks in 2017 hit numerous companies across the globe, causing operational disruptions in automotive, food, pharmaceutical, and other manufacturing and process plants [1, 2].

[1] The Untold Story of NotPetya, the Most Devastating Cyberattack in History, WIRED, August 22, 2018
[2] Ransomware cyber-attack: Who has been hardest hit?, BBC, May 15, 2017


• In 2018, a WannaCry variant forced TSMC to shut down several of its chip-fabrication facilities, resulting in an estimated 3 percent impact to the 2018 third quarter revenue (around $250M in lost revenue) [3].

• The 2019 LockerGoga Ransomware attack temporarily halted production at aluminum manufacturer Norsk Hydro [4].

The evidence extends beyond the anecdotal. According to a 2018 survey by the Ponemon Institute, 67 percent of organizations responding believe cyber extortion will increase in frequency and payout [5]. Some 82 percent of respondents predict unsecured Internet of Things (IoT) devices will likely cause a data breach in their organization, and 80 percent say such a breach could be catastrophic [5].

OT infrastructures are also at risk. 90 percent of companies responding to a survey reported at least one security compromise to their infrastructure in the previous two years resulting in the loss of confidential information or disruption to operations [6]. Troublingly, preparedness is not growing commensurately. Some 80 percent of those same organizations say they have insufficient visibility into their assets and hence into their attack surface.

Readiness is not the only challenge; the ability to respond is, too. Some 61 percent of organizations in the Oil and Gas industry believe it’s unlikely they would be able to detect a sophisticated attack [7]. Yet, in a separate survey, some 77 percent of companies say they are likely to become a target of a cyber security incident involving ICS [8].

Figure 1. Threats to critical infrastructure and industrial automation are increasing in severity and frequency

[3] TSMC Details Impact of Computer Virus Incident, TSMC, August 5, 2018
[4] Aluminum maker Hydro battles to contain ransomware attack, Reuters, March 19, 2019
[5] 2018 Study on Global Megatrends in Cybersecurity, Ponemon Institute, February 2018
[6] Cybersecurity in Operational Technology: 7 Insights You Need to Know, Tenable and Ponemon Institute, March 2019
[7] Oil and Gas Cyber Security: Time for a Seismic Shift, EY, 2015
[8] The State of Industrial Cyber Security 2018, Kaspersky Lab, June 2018


OTCSA vision and mission

The dynamic of escalating threats has incentivized a group of leading companies to form the Operational Technology Cyber Security Alliance (OTCSA) with the mission of developing accelerated approaches to securing OT infrastructure. The OTCSA was announced in October 2019 with the aim of improving the overall cyber security posture in OT. It envisions safer and more secure OT in critical infrastructures and industrial automation, which will support and improve daily life in our evolving world.

Working together, OTCSA members from both the OT and IT arenas will leverage their collective knowledge—comprising technical and operational expertise, customer focus, and solution-driven findings—to deliver better and more effective OT cyber security guidelines than have heretofore been available.

At its announcement, the OTCSA membership consists of a dozen top-flight organizations, with a mix of device manufacturers, technology companies, consulting firms, and operators of industrial production environments. Current members of the OTCSA are: ABB, BlackBerry Cylance, Check Point Software Technologies, Forescout Technologies, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAfence, Splunk Technology, and Wärtsilä. Membership is open to any company that operates critical infrastructure or general OT systems to run its business (OT operators) as well as companies providing IT and OT solutions (solution providers) with a desire to contribute to the OTCSA’s goals.

To learn more about the OTCSA and the requirements and benefits of membership, visit https://otcsalliance.org.

The mission statement of the OTCSA enumerates goals that will significantly enhance the ability of organizations to strengthen and improve their OT security postures. Specifically, to:

• Strengthen cyber-physical risk posture in OT environments and for interfaces enabling OT/IT interconnectivity.

• Guide OT operators on how to protect their OT infrastructure based on a risk management process and reference architectures/designs which are demonstrably compliant with regulations and international standards, such as IEC 62443, NERC CIP, and NIST 800-53.

• Guide OT suppliers on secure OT system architectures, relevant interfaces, and security functionalities.

• Support the procurement, development, installation, operation, maintenance, and implementation of a safer, more secure critical infrastructure.

• Accelerate the time to adoption of safer, more secure critical infrastructures.

To realize its vision and accomplish its mission, the OTCSA promotes collaboration between leading OT and IT companies to establish Technology, Process, and Compliance guidelines. The guidelines will constitute a complete set of end-to-end best practices and provide a template of the most current and thorough guidance for how to approach OT cyber security in actionable ways missing in existing frameworks.

Importantly, access to OTCSA guidance will not be restricted to members. The guidelines will be made publicly available to help industry at large achieve safer and more secure OT operations. Guidance will be vendor agnostic and achievable using a mix of available products, solutions, and services.

To fulfill the broad scope of the OTCSA’s remit, targeted guidelines will be developed to address the needs of a wide range of industries, including but not limited to: automotive and transportation; buildings and infrastructure; energy and utilities; food and beverage; life sciences; marine and ports; metals and mining; oil, gas, and chemicals; and pulp and paper.

Figure 2. OTCSA members

The purview of the guidelines will extend across the entire operational lifecycle. They will cover the OT spectrum, including ICS equipment, software, and networks, as well as IT equipment and networks used in or providing functionality to OT systems. They will apply to both brown- and green-field installations and a wide variety of use cases in discrete manufacturing and process industries and utilities, among others. They’ll also address important but often-underemphasized domains, such as building management and facility access systems, control rooms, and medical equipment.

The OTCSA's guidelines will align with existing industry-standard reference architectures, process frameworks, and protocols to ensure interoperability. They will also be crafted to take into account the key criteria of reliability, manageability, resiliency, and auditability.

In addition to providing valuable assistance to technical professionals on the front lines, OTCSA guidance will be presented clearly and concisely so that non-technical executives can use it to make better informed, management-level decisions. Note as well that guidance and guidelines will be part of an ongoing effort, which will result in regular updates to ensure that the latest knowledge and best practices are incorporated as new and emerging areas are addressed.

Why the OTCSA?

Observers may wonder: Is there a need for another industry organization focused on OT cyber security? Yes, because while existing groups concentrate their efforts on the development of standards, they don’t address the real-world implementation challenges that organizations face. That’s where the OTCSA comes in—with prescriptive and effective “how-to” guidelines that facilitate stronger OT risk postures.

For OTCSA members, many benefits will accrue from being part of the process of defining and developing those guidelines. Being part of the core group defining best-in-class OT security guidelines will showcase leadership to customers, which can be leveraged to expand the appeal and reach of existing products and even unlock new markets.

Involvement will demonstrate that members have made a major commitment to provide and support comprehensive OT cyber security today and into the future. Members will also benefit by being involved with the development of guidelines that promise to be used widely throughout industry.

OT operators that are OTCSA members have the opportunity to steer the OTCSA with a focus on actual needs and requirements, resulting in actionable OT cyber security guidelines and ultimately accelerating the implementation of solutions to their OT cyber security challenges.

Guidelines will be more effective as the result of the comprehensive, collaborative process through which they were developed. Longer term, broad adoption of the guidelines should reduce the compliance burden. And, of course, interaction with a rich, diverse group of thought leaders is its own reward.

Today's dangerous OT threat landscape: how’d we get here?

As citations of devastating cyber attacks indicate, OT environments today present target-rich opportunities for bad actors. The rapid disappearance of the perimeter between IT and OT is a major contributor, allowing hackers who’ve cut their teeth on corporate and government computer networks to easily segue across the vanishing divide and apply their tradecraft to critical infrastructure and industrial automation. Their malicious activities are made easier by the fact that security in the OT space is roughly a decade behind the more robust protections that have been widely implemented, of necessity, throughout the IT world.

So, how did we get here?

Modern OT controls emerged in the 1950s, when the first Computer Numerical Control (CNC) systems automated the operation of machine tools, replacing earlier systems that relied on analog switches and relays. That launched an evolution in the world of industrial controls. Since the introduction of the first Programmable Logic Controller (PLC) in the late 1960s, Industrial Control Systems (ICS) have steadily become more capable.

Early ICS were designed under the assumption that they would not be exposed to external networks, particularly the Internet. Until a decade ago, physical security was the major consideration, with the biggest risks being internal sabotage and human error. However, as control systems have become increasingly networked across the “air gap” to enterprise networks, they are exposed to a larger number of attack surfaces.

The major attack vectors faced by ICS include:

• Enterprise networks: Many damaging denial-of-service (DDoS) attacks have been caused by Ransomware spread from the enterprise side into ICS networks on the shop floor. Once spear phishing, watering hole, and related techniques have compromised an enterprise network, malware can pivot into the ICS network where it will typically impact the supervisory and control layers.

• Portable media: USB and other removable media can easily bypass all network-based security controls implemented across ICS trust zones.

• Internet-connected systems and services: All Internet-facing systems and services, including control systems directly exposed to the public Internet, are highly vulnerable and therefore at high risk of being compromised, even by fairly trivial attack techniques.

• Remote access: Poorly secured external access for outside vendors performing maintenance activities is another entry point for malware and unauthorized access into ICS environments.

• Insider attacks: In-house or external staff with access to ICS systems—either direct or remote—are inside the kingdom, enabling them to wreak havoc, either overtly or through sins of omission (e.g., inserting an unknown USB stick into a network-attached computer).

• Unauthorized devices: Operators may choose to circumvent ineffective or prohibitively cumbersome IT policies and procedures and deploy technology without proper corporate support, resulting in misconfigured devices that allow for unauthorized access.

OT protection: the time has come

The convergence of OT and IT systems over the past several decades has enabled the OT space to leverage many important computing advances made in the IT world. However, the convergence has also been the single most significant factor in opening up new attack vectors against which OT environments must now mount defenses.

In the 1950s and ‘60s, OT systems relied primarily on proprietary, purpose-built designs. Beginning in the ‘80s, the desire to control costs, particularly by the U.S. Defense Department, and the broader applicability of IT technologies on the market spurred the adoption of commercial-off-the-shelf (COTS) technologies. Two significant examples of widely adopted COTS are Ethernet- and TCP/IP-based communications and the Windows OS. Notably, both came from the IT world and both created opportunities for connecting and combining OT with IT systems. And the trend line towards digitalization—including the rise of Data Historians and virtualization technologies—further accelerated the convergence.

Data Historians emerged as a means of creating reports that could be utilized to understand the behavior of OT systems. For instance, data collected by sensors on a production line is stored and analyzed to offer insight into production efficiency and quality.

With the rise of advanced data mining and analysis capabilities, access to operational data allowed for more refined decision-making, driving greater business efficiencies.

As storage capacity became cheaper, more data was collected and retained for longer periods. Data Historians evolved into collections of what we now call “Big Data.” Research into Big Data analytics surged, resulting in many sophisticated algorithmic techniques, often predictive, for improving production effectiveness and reducing the use of expensive resources and material.

As software capabilities advanced, compute resources on the hardware side steadily became more virtualized. Today, we have cloud providers offering Infrastructure as a Service (IaaS) and OT environments that leverage the cloud. Going forward, as cloud-based technologies such as microservices, self-scaling platforms, and machine-learning algorithms evolve, the pattern of leveraging powerful IT technologies will become even more pervasive.


The boundaries between control and business networks continue to blur, even beyond the four walls of an organization. In the IT world, cloud-based systems introduce further efficiencies as companies realize that it is cost-effective to host applications elsewhere. The concept of sending production data to a third-party provider was out of bounds even a decade ago. Today, the financial benefits are significant, but extending OT environments to the cloud further complicates network architecture.

Characteristic           | IT                                     | OT
-------------------------|----------------------------------------|------------------------------------------
Object under protection  | Information                            | Physical process
Risk impact              | Information disclosure, financial loss | Safety, health, environmental, financial
Main security objective  | Confidentiality                        | Availability, integrity
Availability requirement | Medium, delays accepted                | Very high
Real-time requirement    | Delays accepted                        | Critical
Component lifetime       | 3-5 years                              | Up to and over 20 years
Application of patches   | Regular/scheduled                      | Slow/infrequent
Security testing/audit   | Scheduled and mandated                 | Occasional
Security awareness       | High/mature                            | Increasing

Table 1. The critical differences between IT and OT

The way organizations support OT networks has changed as well. In the “air-gapped” world of the 20th century, connectivity for remote support did not exist. Rather, support personnel performed computer and network troubleshooting on site. In organizations of any scale, maintaining such local expertise at multiple facilities was costly. In the event that an incident required escalation, support personnel were required to travel on site—a costly approach that typically delayed resolution of any problems.

In contrast, the ability for Subject Matter Experts (SME) to gain access to OT environments from a central location is cost effective and allows businesses to reduce support costs. Furthermore, the ability for the SMEs to monitor control systems from a central location allows local personnel to focus on the core competence of their facility with fewer distractions from IT-based issues.

The trend towards digitalization in the world of the Industrial Internet of Things (IIoT) seems unstoppable. However, it has also raised concerns. While it’s brought more computing resources to bear on the OT world, and done it cheaply and conveniently, it has also broadened the range of potential attack surfaces to effectively encompass the entire enterprise.

Being able to trust IT and its culture within OT environments, where availability and safety are paramount, is a major challenge. As the number of Internet-connected devices grows into the billions, questions regarding their trustworthiness increasingly arise. Connectivity and Internet exposure have exacerbated concerns regarding whether and to what extent data itself can be trusted.


OTCSA Working Groups

Following is an overview of the OTCSA’s first technical Working Groups (WG) and their planned Work Products (WP), including end-to-end OT cyber security guidelines that will be developed to help OT operators protect critical information assets. Initially, the OTCSA has three technical WGs: WG1 - Long-term Vision; WG2 - Visibility, Intelligence, and Response; and WG3 - Protection for Inherently Vulnerable Devices. The objective, focus, and WP of each are shown below.

WG1 - Long-term Vision

Objective: To define the desired target to ensure safer and more secure OT and cyber-physical operations

Focus:
• Brown and green fields
• Industry and vendor agnostic

Work Products:
• Scope, challenges, and use cases (problem statement)
• C-level communication about risk management and maturity
• Architecture blueprints and operational and management processes as needed

WG2 - Visibility, Intelligence, and Response

Objective: To define a comprehensive solution to risk management based on asset inventory and monitoring, situational awareness, and response management

Focus:
• Brown fields
• Industry and vendor agnostic initially, then selected industries and vendors to show feasibility

Work Products:
• Overall architecture
• Data model/common API demonstrator
• Response playbooks and threat intelligence

WG3 - Protection for Inherently Vulnerable Devices

Objective: To define mitigating controls for protecting devices that today do not include, or include only limited, security controls

Focus:
• Brown and green fields
• Industry and vendor agnostic initially, then selected industries and vendors to show feasibility

Work Products:
• Inventory of mitigating controls
• Risk-analysis-driven, cost-conscious selection process for mitigating controls
• Tools to assess the trustworthiness of implemented controls and their resilience against vulnerabilities

Table 2. OTCSA technical Working Groups (WG) and their associated Work Products (WP)

The technical WGs will contribute to a robust ecosystem of prescriptive guidelines, which will serve as “how-to” guidelines for OT stakeholders to strengthen their critical infrastructure and industrial automation operations.

WG1 is the top-level group, which will articulate an overarching vision for ensuring safer and more secure OT and cyber-physical operations. In its work, WG1 will leverage the Purdue Model, a widely used analytical model that provides a window into better security practices (see Appendix for more information).

Consistent with its focus on visibility, intelligence and response, WG2 will provide guidelines to help OT operators create and maintain comprehensive inventories of all cyber assets (e.g., nodes, software products and versions, communication relationships, and network topologies). The guidelines will demonstrate how OT operators can map their cyber assets to known vulnerabilities and threats and monitor systems for indications of compromise and/or exploitation. Importantly, they’ll describe how to determine the appropriate countermeasures to mitigate or eliminate risks and to counter ongoing exploitation and attacks.


WG3, which is chartered with developing guidelines for the protection of inherently vulnerable devices, will define controls for protecting devices that currently don’t include security controls, or are equipped with only very limited protections. The efforts of WG3 are critical because, in order to be useful in real-world situations, OT security must be strengthened without impacting ongoing operations or processes. To this end, enterprises must implement multiple layers of defenses that secure not just shop-floor systems or critical infrastructure in situ, but also the remote-access vectors into them. Here, approaches to robust protection include but are not limited to: traffic segmentation, traffic content inspection, and the use of secure protocols, data encryption, and end-point protection.

Going forward, the OTCSA plans to add technical WGs as the need arises for guidance in additional and emerging OT security domains.

Securing OT environments: OTCSA Work Products

Table 2 details the output of the three current technical Working Groups (WG). Here, and as shown in Table 3, we outline the Work Products (WP) by target area. WPs are aimed at enabling safe and secure OT operations with respect to interoperability, reliability, manageability, resiliency, and auditability. WPs will focus not just on what to do, but more importantly, will provide prescriptive guidelines on how to do what’s needed to improve OT cyber risk posture. The guidelines will encompass the asset inventory function so that users can establish well-informed baselines of their infrastructure and security capabilities. OTCSA will provide guidance on incident response and mitigation.

The WPs will address three areas that can benefit from guidelines for heightened security: Technology, Process, and Compliance. As per the OTCSA’s commitment, the guidelines for protection of critical infrastructure will be industry and vendor agnostic and based on risk management processes.

WP guidelines will help organizations perform risk assessments, prioritize vulnerabilities and asset remediation according to severity of impact, and identify and implement mitigations. They will enable OT suppliers to secure their system architectures, relevant interfaces, and security functionalities. And they will support the procurement, development, installation, operation, maintenance, and decommissioning of safer, more secure critical infrastructure.
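The WG2 guidance described earlier (an asset inventory mapped to known vulnerabilities) and the risk-based prioritization described in this section can be made concrete with a small worked example. The Python below is an added illustration written for this page; it is not OTCSA code or a WG2 Work Product. The asset records, product names, versions, severity values, per-level impact weights and the EXAMPLE-000x vulnerability ids are all constructed assumptions.

```python
"""Added example, not OTCSA material: a small asset-inventory model that maps
installed software on OT cyber assets to known vulnerabilities and ranks the
resulting exposures for remediation by severity weighted with process impact.

Every asset, product, version and vulnerability id below is constructed for
illustration; the "EXAMPLE-000x" ids are placeholders, not real advisories.
"""
from dataclasses import dataclass

# Purdue-style levels weight impact (assumed weights): the closer an asset sits
# to the physical process (Level 0/1), the more a compromise affects safety
# and availability rather than only information.
LEVEL_WEIGHT = {0: 5, 1: 5, 2: 4, 3: 3, 4: 1}


@dataclass(frozen=True)
class Asset:
    name: str
    level: int                    # Purdue level of the asset
    software: tuple               # ((product, version), ...) as inventoried


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                  # placeholder identifier (constructed)
    product: str
    affected: frozenset           # exact version strings known to be affected
    severity: float               # technical severity on a 0-10 scale
    mitigation: str               # compensating control while a patch waits


def find_exposures(assets, vulns):
    """Pair every asset with each vulnerability matching an installed version."""
    return [(a, v) for a in assets for product, version in a.software
            for v in vulns if v.product == product and version in v.affected]


def risk_score(asset, vuln):
    """Technical severity scaled by the process impact of the asset's level."""
    return vuln.severity * LEVEL_WEIGHT[asset.level]


def remediation_plan(assets, vulns):
    """Exposures ordered by descending risk: (asset, vuln id, score, mitigation)."""
    ranked = sorted(find_exposures(assets, vulns),
                    key=lambda av: (-risk_score(*av), av[0].name))
    return [(a.name, v.vuln_id, round(risk_score(a, v), 1), v.mitigation)
            for a, v in ranked]


# Constructed inventory: one asset per Purdue level 1-4.
ASSETS = [
    Asset("erp-app-01", 4, (("ErpPortal", "11.2"),)),
    Asset("hist-01", 3, (("HistorianSuite", "4.2.0"),)),
    Asset("hmi-07", 2, (("ScadaView", "7.1.3"), ("RuntimeLib", "2.0.1"))),
    Asset("plc-12", 1, (("PlcFirmware", "3.0.9"),)),
]

# Constructed vulnerability feed; HistorianSuite 4.2.0 is deliberately unaffected.
VULNS = [
    Vuln("EXAMPLE-0001", "ScadaView", frozenset({"7.1.3", "7.1.4"}), 9.8,
         "segment the HMI network; allow inbound only from the engineering station"),
    Vuln("EXAMPLE-0002", "PlcFirmware", frozenset({"3.0.9"}), 7.5,
         "place a protocol-aware firewall in front of the PLC to block unexpected writes"),
    Vuln("EXAMPLE-0003", "ErpPortal", frozenset({"11.2"}), 9.1,
         "patch in the next scheduled maintenance window"),
    Vuln("EXAMPLE-0004", "HistorianSuite", frozenset({"4.1.0"}), 8.0,
         "upgrade to a supported release"),
]

if __name__ == "__main__":
    for name, vid, score, fix in remediation_plan(ASSETS, VULNS):
        print(f"{score:5.1f}  {name:12s} {vid}  -> {fix}")
```

Running the block prints the ranked plan. The ERP finding carries the highest technical severity of the three matches yet ranks last once the asset's level is taken into account, which reflects Table 1's point that OT risk is about physical-process impact rather than information loss alone. A real inventory would draw versions from discovery tooling and severities from an advisory feed rather than from literals.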


Technology

Reach: Includes architectures and design principles

Focus:
• Industry- and vendor-agnostic WPs
• WPs specific to selected industries
• Verified instantiations of secure OT systems based on industry- and vendor-agnostic WPs

Guideline objectives:
• Provide a desired/target status as well as guidance on reaching that status in a risk-based fashion and with a step-wise approach
• To be based on standard reference architectures, models, and protocols
• Provide additional details with respect to other security frameworks (e.g., describing how)

Process

Reach: Includes workflow steps as well as roles and responsibilities

Focus:
• Design, engineer, install, and decommission OT solutions
• Deploy, operate, and manage technology, people, and information for better security
• Align to IT processes

Guideline objectives:
• Aligned with technology WPs
• Leverage existing process frameworks
• Follow similar approach to technology WPs for desired vs. transitional state, step-wise approach, generic vs. agnostic, and multiple levels of detail

Compliance

Reach: Measure, test, and audit for compliance

Focus:
• Focus on compliance and conformity assessments of:
  o Specific OT systems and their operations to the technology and process WPs
  o A member‘s product to the technology and process WPs

Guideline objectives:
• Enable easy mapping of technology and process WPs to standards and regulations while highlighting gaps

Table 3. OTCSA Work Products (WP)

Conclusion

The Operational Technology Cyber Security Alliance (OTCSA) is a new, non-commercial industry organization established to develop guidelines for ensuring safe and secure OT in critical infrastructure and industrial automation environments. Our efforts are aimed at supporting and improving everyday life in today’s evolving world. Amid an increasingly perilous cyber security landscape, we recognize how important it is to have an open alliance with vendor-agnostic guidelines that will enable OT operators to strengthen the security of their organizations and enterprises throughout the entire lifecycle.

We invite like-minded professionals—OT operators and IT & OT solution providers—to join us on our journey to promulgate best-in-class architectural, implementation, and process guidelines for OT cyber security. To learn more, visit our website at https://otcsalliance.org.


Appendix

THE PURDUE MODEL: A PREEMINENT TOOL FOR CYBER SECURITY ANALYSIS

As the OTCSA collaborates on the development of guidelines for strengthening OT security, it will leverage the Purdue Model, a widely used analytical tool that provides a window into better security practices.

Formally known as the Purdue Enterprise Reference Architecture (PERA), the model was developed by the Purdue University Consortium for Computer Integrated Manufacturing in the 1990s. It is a standard reference tool that can be applied in any industry supporting Industrial Control Systems (ICS) networks.

The Purdue Model is used to understand the complex relationships of the components of an ICS network to one another and to the enterprise network with which the OT environment is interfaced. It can unlock insights into where critical security boundaries should exist to protect information assets and prevent life-threatening safety events.

The standard Purdue Model divides ICS and enterprise networks into five levels:

• Level 4 — Business Logistics Systems.

• Level 3 — Manufacturing Operations Systems.

• Level 2 — Control Systems.

• Level 1 — Intelligent Devices.

• Level 0 — The Physical Process.

From an information security perspective, the most critical interconnect in the model lies between Manufacturing Operations Systems (Level 3) and Business Logistics Systems (Level 4). Historically, those levels were separated by the “air gap” between the ICS network utilized by Level 3 and the business or enterprise network in Level 4. However, with cloud-based infrastructures now widespread throughout the OT space to support data analytics, the “air gap” often no longer exists. Understanding what data is transferred between L3 and L4 is vital to protecting critical information assets.
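One practical way to act on the point above is to make the Level 3 / Level 4 boundary explicit and check observed traffic against it. The following is an added illustration, not code from the OTCSA or this white paper: it assigns Purdue levels to hosts by subnet (the subnet plan, the allowlisted "conduit" and the simplified log format are all constructed assumptions), then classifies each flow from a few constructed firewall log lines as internal to a level, an allowed L3/L4 conduit, a boundary violation, or a flow involving an endpoint outside the modelled zones.

```python
"""
Purdue L3/L4 boundary check over constructed firewall log lines.

Added example (not from the white paper). Assumptions, all hypothetical:
  - each Purdue level occupies one /16 (LEVEL_SUBNETS below)
  - the only sanctioned L3 -> L4 traffic is an HTTPS push from the
    historian zone to a business-side analytics gateway (ALLOWED_CONDUITS)
  - log lines are "src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical subnet plan: Purdue level -> address block.
LEVEL_SUBNETS = {
    4: ipaddress.ip_network("10.4.0.0/16"),  # Business Logistics Systems
    3: ipaddress.ip_network("10.3.0.0/16"),  # Manufacturing Operations Systems
    2: ipaddress.ip_network("10.2.0.0/16"),  # Control Systems
    1: ipaddress.ip_network("10.1.0.0/16"),  # Intelligent Devices
}

# Sanctioned conduits across the L3/L4 boundary: (src_level, dst_level, dport, proto).
ALLOWED_CONDUITS = {
    (3, 4, 443, "tcp"),  # historian -> analytics gateway over HTTPS (assumed)
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def level_of(ip: str) -> Optional[int]:
    """Map an address to its Purdue level, or None if outside the modelled zones."""
    addr = ipaddress.ip_address(ip)
    for level, net in LEVEL_SUBNETS.items():
        if addr in net:
            return level
    return None


def parse_line(line: str) -> Flow:
    """Parse one constructed 'key=value' log line into a Flow."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def evaluate(flow: Flow) -> str:
    """Classify a flow relative to the L3/L4 boundary.

    Returns one of:
      'unmodelled' - an endpoint lies outside every modelled Purdue level
      'internal'   - the flow does not cross between Level 3 and Level 4
      'allowed'    - crosses L3/L4 through a sanctioned conduit
      'violation'  - crosses L3/L4 outside any sanctioned conduit
    """
    src_level, dst_level = level_of(flow.src), level_of(flow.dst)
    if src_level is None or dst_level is None:
        return "unmodelled"
    if {src_level, dst_level} != {3, 4}:
        return "internal"
    key = (src_level, dst_level, flow.dport, flow.proto)
    return "allowed" if key in ALLOWED_CONDUITS else "violation"


def find_violations(lines: List[str]) -> List[Flow]:
    """Return the flows that cross the L3/L4 boundary without a sanctioned conduit."""
    return [f for f in map(parse_line, lines) if evaluate(f) == "violation"]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "src=10.3.1.10 dst=10.4.2.20 dport=443 proto=tcp",    # historian -> gateway: allowed
    "src=10.4.2.21 dst=10.3.1.10 dport=3389 proto=tcp",   # business host -> L3 RDP: violation
    "src=10.2.0.5 dst=10.3.1.10 dport=502 proto=tcp",     # L2 -> L3 Modbus: internal
    "src=10.3.1.10 dst=203.0.113.7 dport=443 proto=tcp",  # L3 -> outside model: unmodelled
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{evaluate(parse_line(line)):<10} {line}")
```

The "unmodelled" outcome is deliberate: a Level 3 host talking to an address that belongs to no modelled level is exactly the cloud-analytics case the paragraph describes, and it deserves an explicit entry in the subnet plan or the conduit list rather than silently passing as "internal".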

The Purdue Model was a landmark tool in the 1990s. However, OT security today presents a much more complex landscape. Modern OT environments are highly interconnected, leveraging the Internet and comprising numerous Industrial Internet of Things (IIoT) devices. Data plays a key role, both within OT networks and across the edge to the IT side and the public Internet. All of these dynamics differentiate the OT world of today from legacy operating environments.

The need for an updated, more granular version of the Purdue Model is clear. The OTCSA will leverage such a model, as shown in Figure 3, in the analyses it performs to develop OT security guidelines.


Figure 3. An updated version of the Purdue Model development guidelines


Acknowledgements

The following people served as active members of the OTCSA Working Group 1 in the preparation of this document:

Name Affiliation

Michelle Balderson Fortinet

Peter Corrao Wärtsilä

Bart de Wijs ABB

Dharmesh Ghelani Qualys

Nadine Macklin BlackBerry Cylance

Gunter Ollmann Microsoft

Ofer Shaked SCADAfence

Damon Small NCC Group

Gilad Walden Forescout Technologies

Zanetti Davide ABB

Use of information

Copyright 2019 Operational Technology Cyber Security Alliance (OTCSA)

Redistribution and use of this document AS IS, without modification, is permitted provided that the following conditions are met:

1. Redistributions of this work of authorship must retain the above copyright notice, this license and conditions, including the disclaimer listed below.

2. The name(s) of the copyright holder, the Operational Technology Cyber Security Alliance (OTCSA), or any of its members or contributors may not be used to endorse or promote any products or other offerings, without specific prior written permission.

THIS DOCUMENT IS PROVIDED BY THE OTCSA, COPYRIGHT HOLDER(S) AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OTCSA, COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.