Many companies around the world with industrial operating environments, commonly referred to as operational technology (OT) environments, do not invest the same resources in protecting OT systems as they do in securing their corporate environments. Yet these same companies are investing heavily to transform these environments with modern technologies and techniques to improve productivity, become more efficient, increase worker collaboration through expanded data analysis, and achieve other benefits that will make the business more competitive through higher-quality and more cost-effective products.
Some of these new industrial process improvements include reduced latency through advanced computing and 5G technologies, autonomous vehicles, robotics, cloud computing, industrial Internet of Things (IIoT) devices, remote access, and more. Yet the age-old problem persists: insufficient cybersecurity controls make these environments easy targets for cybercriminals and nation-state cyberattacks. Industrial OT environments are essential to the financial well-being of a business and, depending on what the business produces, can be essential to the functioning of society and the economy at large. A recent example is the semiconductor shortage that has affected many companies that produce all types of electronics, cell phones, and cars. The risk and impact of an attack on OT are much higher than those of a cyberattack on the corporate environment of these same companies, which is where they invest heavily today.
Most businesses take shortcuts, looking for simple, inexpensive ways to protect their OT environments. This typically involves the purchase of OT intrusion detection system (IDS) technology that can assist with device discovery, network visualization, certain types of signature-based malware detection, and identification of device vulnerabilities. It is a good start, but this type of solution is far from the comprehensive security program that is necessary to mitigate business risk in the face of a wide range of OT threats.
In the business environment where companies have invested in mature cybersecurity programs, a one-tool approach would be considered laughable and would certainly fail any compliance audit. So why are businesses reluctant to invest in protecting their critical OT environments?
- Lack of governance: Companies have not established roles and responsibilities for OT security. This is a critical step, and the tendency is to assign this responsibility to the Chief Information Security Officer (CISO), because the CISO understands what a good security program requires. The CISO may not understand the OT environment, but this has not proven to be a significant problem.
- Lack of quantitative risk assessment: Why quantitative? Because business stakeholders will quickly support the need to invest in a cybersecurity program once they realize the financial impact to the business if they are unlucky enough to be attacked.
- Lack of a documented “current state”: OT IDS products help with this activity but will not do everything. What kind of insight do you need? You need a point of view on:
  - People: Who needs access to the OT environment? Who already has access? How is this access managed? Is remote access common?
  - Process: What are the processes of industrial operations? What technologies support these processes? Which processes are changing due to new digital transformation strategies?
  - Technologies: Which devices support which industrial processes? Are there any OT assets that are not connected to an IP network? How will they be protected? This inventory will be valuable for much more than security. For example, consideration should be given to integrating the details of each OT device into the enterprise asset management system.
  - Network architecture: How is the network designed? Are security best-practice principles built into the design? Many companies are digitally transforming their network infrastructure and taking advantage of 5G and WiFi. With OT original equipment manufacturers adding more industrial IoT capabilities to their new products, this should be considered and included in the security strategy.
  - Threat assessment: Which threats are relevant and which are not? It is very important to identify the relevant threats so that an effective and efficient security program can be developed to mitigate the risks.
  - Vulnerability assessment: What vulnerabilities currently exist? Are compensating controls in place to prevent exploitation of each vulnerability in a cyberattack?
  - Data discovery and classification: What data is produced and transmitted from the industrial environment? If you don’t know, discovery, classification, and data protection should be added to the policy and plan.
- Lack of an OT security strategy and plan: Once you understand the current environment, it is time to develop a cybersecurity strategy and plan to mitigate the risk of a cyberattack. This step seems logical, but it cannot be completed effectively without the first three steps. The results of the quantitative risk assessment establish the priorities. The plan should include techniques to maintain visibility, at all times, in all areas referenced in step 3. It should have preventative controls in place to protect against known vulnerabilities. Finally, solutions must be included to monitor the controls to ensure that they are functioning effectively. Where a control is absent or fails, there must be solutions to identify when a cyberattack is exploiting a vulnerability, so that you can react quickly to mitigate any impact on the business and quickly get back to business as usual.
It is time for companies with OT environments to start investing in their OT security programs. It won’t be cheap or easy, so you should consider hiring a trusted systems integrator with experience in OT security.