Introducing cybersecurity solutions into legacy operational technology (OT) systems is a tradeoff. It provides additional operational awareness and early detection of both cybersecurity and operational events, while introducing the risk of disrupting fine-tuned and fragile systems. Further, it places an additional requirement on the asset owner or organization to efficiently handle the cyber and operational events that are detected. We present experiences from applying and testing a cybersecurity event detection solution in an existing critical aviation system. This work was done as part of the research project ‘Holistic Approach for Enhancing Cyber security Competence and Services in Air Traffic Management’, which investigates the protection of critical infrastructure with respect to cybersecurity from the perspective of people, processes, and technology.
In this paper, a framework for the safe and secure implementation of detection technology in legacy OT systems is presented, together with the experience gained from applying the methodology to an existing system. Further, a set of attack scenarios designed to test both the system's resilience to cyber-attacks and the detection capabilities of the detection solution is presented. The attack scenario tests were executed against the OT system and documented using the NIST Cybersecurity Framework. Organizing the results according to the framework functions (Identify, Protect, Detect, Respond and Recover), we highlight how mapping the attacks to the NIST Framework supported the uncovering of both technical and non-technical cybersecurity aspects of the target system and of the organization. Finally, we discuss the tradeoff between system risk and operational insight and awareness.