Recent attacks on U.S. critical infrastructure and actions by the U.S. government, including the July 28, 2021 National Security Memorandum, have added urgency to the need to modernize industrial control systems’ cybersecurity capabilities.
The status quo has done little to abate ransomware attacks and probes of infrastructure among critical industries, 90% of which are privately owned. So, although the memorandum stresses public-private partnerships and voluntary cooperation, the message is clear: Given our current level of vulnerability, owners and operators are expected to meet the performance goals outlined by NIST and CISA and implement technologies that bring visibility, risk management, and detection capabilities to control systems.
In this four-part series, I’ve focused on providing actionable advice to help CISOs and their teams at critical infrastructure companies strengthen their industrial cybersecurity programs. This has included key questions to ask vendors to ensure you get must-have visibility into your industrial environments so you know what needs to be secured, specific steps to understand and reduce risk, and how to assess threat detection and response capabilities.
In my final article in the series, we look at industrial cybersecurity within the larger context of the business and how to approach security holistically. Not only does this approach allow you to maximize return on investment by leveraging existing resources and personnel wherever possible, but it also offers significant performance advantages that enable enterprise-wide risk management.
The challenge of connecting IT and OT
Industrial networks power business. But far too often, efforts to secure and optimize these networks are all but entirely cut off from the rest of the business. Risk should be a key consideration in any business decision. However, given the complexity of operational sites and the unique challenges that must be overcome, industrial cyber risk is often omitted from enterprise risk-management initiatives.
The disconnect between operational technology (OT) cybersecurity and the rest of the business can be attributed to some fundamental challenges discussed previously in this series, including barriers to visibility into OT environments, a lack of industrial cybersecurity expertise, and incompatibility with IT security tools. Because organizations assume that they will need different skill sets and tools, many start down the path of creating a separate OT governance process and Security Operations Center (SOC).
This is problematic in several ways, including:
● It is difficult and costly to find and retain OT security specialists.
● Adversaries don’t see IT and OT as separate. Attacks are intertwined, so you don’t want to miss that connection because you have two separate SOCs or two separate teams.
● Recreating existing governance processes and doubling coordination efforts wastes time and effort.
Creating a unified front with a single SOC
The best cyber-defense strategy is a unified front against threats to IT and OT. Critical infrastructure companies therefore need to treat cybersecurity holistically, with a single SOC protecting environments that were once kept separate. Here are a few keys to success as you chart your path forward:
● Centralize responsibility and accountability for securing the industrial environment with the CISO. This ensures your industrial cybersecurity program and plan for connecting industrial cybersecurity to the rest of your business is driven from the top and tailored to your unique needs. A converged IT/OT SOC with a single leader and clearly defined roles and responsibilities enables you to gain continuity across the attack surface and across workflows. You can govern with the same processes and reporting metrics for a holistic approach to risk management and compliance.
● Appoint additional leadership team members. Designate an IT/OT cybersecurity program manager who will play a central role in implementing the program. Make sure to select a strong, detail-oriented leader to oversee this undertaking and who also understands and respects the difference in priorities between IT and OT teams. The teams that manage IT typically prioritize the confidentiality, integrity, and availability of data, whereas the teams that run OT networks typically prioritize the availability, reliability, and safety of industrial processes and operations. You also need to designate a cybersecurity site leader for each OT site. This person will serve as a liaison between on-site OT personnel and the SOC and, when necessary, lead incident-response efforts.
● Ensure integration with your existing IT security resources. To support a unified defense against IT and OT cyber threats, it’s crucial that your industrial cybersecurity solution integrates with your IT security systems and workflows as much as possible. These integrations should cover a broad range of use cases, including security information and event management (SIEM), workflow management, security orchestration, automation, and response (SOAR), and network infrastructure tools. A broad set of useful integrations lets you extend core IT cybersecurity controls to OT while reducing the total cost of ownership (TCO) of tools you already run and flattening the OT cybersecurity learning curve. Your existing team gains the opportunity to build valuable skills, and you are far less dependent on hiring scarce OT SOC analysts.
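The integrations above are where a converged SOC becomes concrete: OT alerts have to land in the same SIEM schema and the same workflow as IT alerts, and a cross-domain hit (an IT alert on a host that then acts on a PLC) has to reach both the SOC queue and the site cybersecurity leader named in the previous bullet. The following Python script is an added illustration, not code from the original article or from any vendor product. It normalizes constructed IT and OT alerts into one JSON-lines schema, correlates them by acting host and time window, and routes the resulting incidents. The alert field names, hostnames, IP addresses, queue name and site-leader identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Constructed sample alerts (not real vendor output). Field names, hostnames,
# IPs, the queue name and the site-leader identifiers are assumptions.
IT_ALERTS = [
    {"ts": "2021-08-02T03:14:00Z", "source": "edr", "host": "eng-ws-07",
     "ip": "10.20.5.17", "rule": "credential_dumping", "severity": "high"},
    {"ts": "2021-08-02T01:02:00Z", "source": "vpn", "host": "hr-laptop-22",
     "ip": "10.9.1.44", "rule": "login_from_new_geo", "severity": "low"},
]
OT_ALERTS = [
    {"ts": "2021-08-02T03:21:00Z", "site": "plant-a", "src_ip": "10.20.5.17",
     "dst_ip": "10.20.9.3", "asset": "PLC-12", "protocol": "modbus",
     "event": "write_single_register", "severity": "medium"},
    {"ts": "2021-08-02T09:00:00Z", "site": "plant-b", "src_ip": "10.30.5.2",
     "dst_ip": "10.30.9.8", "asset": "HMI-3", "protocol": "s7comm",
     "event": "firmware_read", "severity": "low"},
]

SOC_QUEUE = "soc-tier1"  # assumed SIEM/SOAR queue name
SITE_LEADERS = {"plant-a": "site-lead-a", "plant-b": "site-lead-b"}  # assumed
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Event:
    ts: datetime
    domain: str      # "it" or "ot"
    site: str        # OT site, or "corp" for IT events
    actor_ip: str    # host that performed the action
    target: str      # asset or host acted upon
    summary: str
    severity: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize_it(a: dict) -> Event:
    """Map an IT (EDR/VPN) alert onto the common schema."""
    return Event(parse_ts(a["ts"]), "it", "corp", a["ip"], a["host"],
                 f"{a['source']}:{a['rule']}", a["severity"])


def normalize_ot(a: dict) -> Event:
    """Map a passive OT network monitor alert onto the same schema."""
    return Event(parse_ts(a["ts"]), "ot", a["site"], a["src_ip"], a["asset"],
                 f"{a['protocol']}:{a['event']}", a["severity"])


def to_siem_record(e: Event) -> str:
    """One JSON line per event, a form most SIEMs ingest directly."""
    return json.dumps({"@timestamp": e.ts.isoformat() + "Z", "domain": e.domain,
                       "site": e.site, "actor_ip": e.actor_ip, "target": e.target,
                       "summary": e.summary, "severity": e.severity}, sort_keys=True)


def build_incidents(events, window=timedelta(minutes=30)):
    """Group each OT event with IT events from the same actor IP inside `window`.

    Cross-domain hits are escalated to critical and routed to both the SOC
    queue and the site's cybersecurity leader; OT-only events go to the same
    two places at their own severity; IT-only events stay in the SOC queue.
    """
    it = [e for e in events if e.domain == "it"]
    incidents = []
    for o in (e for e in events if e.domain == "ot"):
        related = [i for i in it if i.actor_ip == o.actor_ip
                   and o.ts - window <= i.ts <= o.ts]
        sev = "critical" if related else o.severity
        incidents.append({"site": o.site, "severity": sev, "ot": o, "it": related,
                          "route": [SOC_QUEUE, SITE_LEADERS[o.site]]})
    seen = {i.actor_ip for inc in incidents for i in inc["it"]}
    for i in it:
        if i.actor_ip not in seen:
            incidents.append({"site": i.site, "severity": i.severity, "ot": None,
                              "it": [i], "route": [SOC_QUEUE]})
    return sorted(incidents, key=lambda x: -SEVERITY_RANK[x["severity"]])


def run_demo():
    events = [normalize_it(a) for a in IT_ALERTS] + [normalize_ot(a) for a in OT_ALERTS]
    for e in events:
        print(to_siem_record(e))
    return build_incidents(events)


if __name__ == "__main__":
    for inc in run_demo():
        print(inc["severity"], inc["site"], inc["route"])
```

The point of the correlation step is the one made earlier in the article: the EDR alert on the engineering workstation and the Modbus write from that same workstation to a PLC seven minutes later are one attack, and a SOC that only sees one of the two streams will triage each as a routine event. The routing list also makes the governance decision executable, since the site leader is looked up from the OT site on the alert rather than chosen by hand.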
The pressure is on industrial cybersecurity leaders everywhere to strengthen their OT cybersecurity operation. With the CISO as the focal point, a single SOC, and a solution that both IT and OT teams can use, you can connect your industrial cybersecurity program to your IT program and with the rest of the business. Not only do you optimize your resources – talent, budget, and time – you also gain continuity across your attack surface. You can look at governance, risk, and compliance programs holistically and execute an enterprise-wide risk management strategy, which is the ultimate goal.