Let’s start this column with some good news. I speak with dozens of enterprises every month about security (or lack thereof) in their operational technology (OT) environment, and I’m seeing more and more frequently that increased risk awareness among Boards and C-level execs within industrial enterprises has directed more attention, and action, to addressing how poorly protected and vulnerable their industrial control system (ICS) networks are. Coming out of “The Lost Decade,” where cyber-risk, and therefore security investment, was focused on IT systems and not on OT, the recognition of risk in the operational environment puts these enterprises one step closer to reducing it, so this is very good news indeed.
However, this recognition presents some challenges for CISOs and the Security organization. Seasoned security teams, with many years of experience in implementing security policies, procedures, and technologies for IT systems, suddenly have responsibility for an OT environment into which they have historically had little or no visibility.
Following their experience, they frequently start with a page from the IT security playbook: “cover the basics first”. That is, protect the endpoints and the network. Though a perfectly logical starting point, the challenge with ICS networks is that most of those more “fundamental” IT security technologies (e.g. endpoint protection, network scanning, and the like) are simply not applicable to ICS networks. ICS endpoints often include legacy technology and don’t support agent-based security. Industrial networks also communicate differently, frequently using proprietary protocols. So, security teams are recognizing the same steps they’ve come to rely on in IT cyber don’t necessarily apply to OT.
We’re also seeing that other basic strategies such as OT network segmentation are proving a very time-consuming and expensive challenge due to the nature of those networks. I’ve said many times that network segmentation is one of the most important steps industrial operators can take to reduce their risk profile, but industrial enterprises can have hundreds of sites, spread across widely-dispersed and difficult operating environments, and administrators often have incomplete information about the assets on the network and normal communication paths.
So, because the basics are either not available for the OT environment, or require unrealistic time and effort to implement, we’re seeing enterprises “running before they walk” by adopting advanced technologies like ICS monitoring to reduce their risk profile at a more modest investment of time and budget. In addition to the direct benefit of monitoring ICS networks for suspicious behavior, these technologies also can be quite helpful in helping administrators gain the visibility they lack to implement proper segmentation (see my previous “Reducing the Pain of Network Segmentation” for more on this).
But technology alone is not enough. Operationalizing OT cybersecurity requires collaboration across parts of an organization that may not historically be aligned. Security leaders need to rethink their scope of responsibility and map how the addition of ICS networks change the various aspects of their security programs. I’ll discuss three core functions where I believe this is most important:
Security Operations Center (SOC)
I have seen a few environments where a dedicated OT SOC made sense, but I generally recommend integrating IT and OT into a single SOC to maximize operational efficiency. Regardless of the model, SOC personnel will generally fall into three main levels: L1, L2, and L3. Within an OT context, the process might look like this: L1 teams receive and triage alerts from multiple monitored plants through a SIEM or other OT monitoring tool. Upon identifying a possible threat, SOC analysts may relay detailed “context” to OT Operations personnel who in turn perform further and deeper investigation.
Once the identification and review of the threat has been completed, the L2 team is responsible for piecing together the detailed forensics of the threat. For example, how was it able to compromise the network? Where was the initial access point? What actions did it take and where did it go next?
With a clear understanding of the attack, the L3 team, working with the OT Operations team, prioritizes the response based on the highest-value targets, taking the gathered information to proactively perform threat hunting (e.g. look at baseline deviations, communication patterns, other alerts) and restoring affected systems as needed.
Security Operations and Governance
The Operations and Governance team may actually have several functions which commonly include: Policy & Risk Management, Vulnerability & Patch Management, and Security Audit.
The Policy & Risk Management function is responsible for protecting the confidentiality and availability of an organization’s data and minimizing risks associated with security breaches. As such, this team requires deep visibility into the OT/ICS network and underlying assets. Additionally, this team is often responsible for developing and defining remote access policies as to reduce the risk of employees and 3rd party vendors who remotely access OT assets to perform software upgrades, periodic maintenance, and other support activities on assets within industrial control system networks.
Vulnerability & Patch Management establishes controls and processes to identify and remediate vulnerabilities within the OT network which could be exploited by attackers to gain unauthorized access, disrupt business operations, and steal or leak sensitive data. This can be a particularly challenging adjustment for IT security teams who are accustomed to frequently taking business systems offline to deploy patches. Uptime is a high priority for OT systems, so vulnerabilities must be thoroughly assessed and prioritized, and remediation steps carefully coordinated with OT Ops teams to minimize the impact on revenue-producing processes.
Last, the Security Audit function, as the name implies, oversees regular security audits – reviewing and examining records and activities to assess the adequacy of existing system controls, ensuring compliance with established policies and operational procedures, and recommending necessary changes. This often includes auditing remote access rights – reviewing who has remote access privileges and to which OT/ICS assets. Additionally, and to further enhance this visibility, Security teams review remote access sessions – including logs and session recordings, looking for potential bad actor activity (be it internal or external).
OT Operators are the Security team’s connection to what’s actually happening on the plant floor, their validation when an anomaly is detected, an
d the advocate for production systems and processes. When managed poorly, the partnership between Security and Operations can be adversarial and difficult. When managed well, it drives greater visibility into the operational environment, better risk mitigation, faster response to potential threats, and less disruption to production processes. This is as true in OT as in IT, perhaps even more so.
Security teams must rely on OT Ops’ detailed knowledge of operational systems and processes to identify key points of risk and mitigate them. Examples include, who needs access to each control system? Are the rules of least privilege enforced? Which network assets can be segmented from others? Which vendors need remote access to systems? Who needs to know when firmware has been updated in a PLC? How do they verify what changes were made?
With the recognition that protecting the OT environment from cyber-risk is mission-critical, the role of the CISO in many industrial enterprises has gotten bigger and now encompasses an operational environment into which they have historically had little visibility. To be successful, even seasoned Security teams must now adapt to support and protect an environment with different technologies and different priorities. The most successful organizations will be the ones that look at cyber risk holistically and build bridges between the IT, OT, and Security organizations; leveraging the combined expertise to share information freely, manage risks more efficiently, and respond to threats more quickly.