Security Infrastructure

Designing Security for Operational Environments

In my previous column, I expressed the hope that the Operational Technology (OT) security community will move away from pushing an IT compliance security model in the world of OT. Instead, as a community, we can focus our efforts and discussion on how to more efficiently make demonstrable gains in the OT security posture. One of the ways our industry can start seeing greater efficiencies in our controls security investment is to design for our operational environment.

When designing for the OT environment, we should review outdated paradigms and consider newer technologies and the operational realities of the environment. To achieve these efficiency gains in securing OT, we will have to pivot our thinking on some of the staid paradigms of the IT world. For example, in a post-Stuxnet world, endpoint protection, while an important part of a defense-in-depth posture, has real limitations in OT. A decade ago, we inherently trusted the traffic between the HMI and the controller. My colleague Matthew Schwartz, Director of Enterprise Security at GE, says “Endpoint protection has gone the way of the dodo in critical infrastructure.” What could drive greater network security in OT?

As our “trusted path” paradigm has changed, we can realize context-rich security monitoring of both HMI-issued commands and controller-received commands. One of the features that can drive a great deal of efficiency into industrial controls security is “context-awareness”: using information about the processes, workflows and environment of devices, controllers and networks to provide more actionable security alerts and profiles. A decade ago, before the advent of relatively low-cost sensors and correlation engines, this context-awareness would have been unattainable in the controls space, and perhaps viewed as unnecessary.

Technological advancements in sensing capabilities and lower production costs allow us to bridge the gap between traditional network security at OSI layers 3 and 4 (network and transport) and new network security controls up to OSI layer 7 (application). We have the opportunity to provide highly actionable information to our critical infrastructure operator colleagues by leveraging sensors, log aggregation from devices along the controls path, and decision engines trained to recognize valid system parameters. We can verify the path: network devices with industrial protocol awareness can be deployed as sensors to provide unparalleled visibility. This approach may see broader application in industry, as it has been demonstrated in Idaho National Laboratory’s Sophia project and in existing commercial offerings.
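To make the two ideas in the preceding paragraphs concrete, here is an added example (written for this column, not code from the author, GE, INL's Sophia project or any vendor) of what "verifying the path" and "context-awareness" look like as monitoring logic. It assumes two constructed observation points, a sensor recording write commands as the HMI issues them and a sensor recording write commands as the controller receives them, with records in a made-up key=value format standing in for a real industrial protocol decoder. The register table, host addresses and setpoint ranges are all constructed values. Path verification compares what left the HMI with what arrived at the controller; the context check then asks whether each write came from an authorized host and whether the value is plausible for the process, so that a command that is valid at the protocol layer can still be flagged at the application layer.

```python
"""Context-aware monitoring along a control path (added example).

Written for this column, not code from the author, GE, INL's Sophia or any
vendor. Assumes two constructed observation points: a sensor that records
write commands as the HMI issues them, and a sensor that records write
commands as the controller receives them. Records use a simplified, made-up
key=value format standing in for a real industrial protocol decoder.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WriteCommand:
    seq: int        # sequence number assigned by the sensor
    src: str        # source address as seen by the sensor
    dst: str        # destination address
    unit: int       # unit (slave) identifier
    register: int   # holding register address
    value: int      # value written


# Hypothetical process context for one pump skid (constructed values):
# register -> (tag name, minimum valid value, maximum valid value)
PROCESS_CONTEXT: Dict[int, Tuple[str, int, int]] = {
    40001: ("pump_speed_rpm", 0, 1800),
    40002: ("discharge_setpoint_psi", 20, 150),
    40003: ("valve_position_pct", 0, 100),
}
AUTHORIZED_HMI = {"10.10.1.5"}   # constructed: the only host allowed to write

# Constructed sensor output. The HMI sent three writes; the controller saw
# four: the third arrived with a different value, and a fourth came from a
# host that is not an HMI at all.
HMI_LOG = """\
seq=1 src=10.10.1.5 dst=10.10.2.20 unit=1 fc=6 reg=40001 val=1200
seq=2 src=10.10.1.5 dst=10.10.2.20 unit=1 fc=6 reg=40002 val=95
seq=3 src=10.10.1.5 dst=10.10.2.20 unit=1 fc=6 reg=40003 val=60
"""
PLC_LOG = """\
seq=1 src=10.10.1.5 dst=10.10.2.20 unit=1 fc=6 reg=40001 val=1200
seq=2 src=10.10.1.5 dst=10.10.2.20 unit=1 fc=6 reg=40002 val=95
seq=3 src=10.10.1.5 dst=10.10.2.20 unit=1 fc=6 reg=40003 val=160
seq=4 src=10.10.1.77 dst=10.10.2.20 unit=1 fc=6 reg=40001 val=0
"""


def parse_line(line: str) -> WriteCommand:
    """Parse one constructed sensor record into a WriteCommand."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return WriteCommand(
        seq=int(fields["seq"]), src=fields["src"], dst=fields["dst"],
        unit=int(fields["unit"]), register=int(fields["reg"]),
        value=int(fields["val"]),
    )


def parse_log(text: str) -> List[WriteCommand]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def check_context(cmd: WriteCommand) -> List[str]:
    """Process-context checks: who is writing, and is the value plausible?"""
    alerts: List[str] = []
    if cmd.src not in AUTHORIZED_HMI:
        alerts.append(f"seq={cmd.seq}: write from unauthorized source {cmd.src}")
    ctx = PROCESS_CONTEXT.get(cmd.register)
    if ctx is None:
        alerts.append(f"seq={cmd.seq}: write to register {cmd.register} with no process context")
    else:
        tag, lo, hi = ctx
        if not lo <= cmd.value <= hi:
            alerts.append(f"seq={cmd.seq}: {tag}={cmd.value} outside valid range [{lo}, {hi}]")
    return alerts


def _key(c: WriteCommand) -> Tuple[str, str, int, int, int]:
    return (c.src, c.dst, c.unit, c.register, c.value)


def verify_path(hmi_cmds: List[WriteCommand], plc_cmds: List[WriteCommand]):
    """Path verification: compare what the HMI sent with what the controller received.

    Commands are matched as a multiset of (src, dst, unit, register, value) so
    that a legitimately repeated write is not mistaken for an injected one.
    """
    sent = Counter(_key(c) for c in hmi_cmds)
    received = Counter(_key(c) for c in plc_cmds)
    missing = sorted((sent - received).elements())      # left the HMI, never arrived as sent
    unexpected = sorted((received - sent).elements())   # arrived, but the HMI never sent it
    return missing, unexpected


def analyze(hmi_text: str, plc_text: str) -> dict:
    """Run path verification plus context checks on the controller-side view."""
    hmi_cmds, plc_cmds = parse_log(hmi_text), parse_log(plc_text)
    missing, unexpected = verify_path(hmi_cmds, plc_cmds)
    context = [a for c in plc_cmds for a in check_context(c)]
    return {"missing": missing, "unexpected": unexpected, "context": context}


if __name__ == "__main__":
    for kind, items in analyze(HMI_LOG, PLC_LOG).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run as a script, the constructed logs produce one "missing" entry (the valve write as the HMI sent it), two "unexpected" entries (the altered valve write and the write from the unknown host) and two context alerts (a valve position of 160 percent and an unauthorized source). The point of keeping the two checks separate is that they need different inputs to maintain: path verification only needs the two sensor feeds, while the context table is the piece that must be kept current with the process, which is exactly the maintenance burden the SIEM discussion below is concerned with.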

Another common IT paradigm that is less effective in the OT environment is the Security Information and Event Management (SIEM) system, which in OT sits between the controls network and the plant network. Hands-on, plant-side experience suggests that at many sites a SIEM is rarely touched after initial installation, so as threats evolve and environments change, very little is done to inform the SIEM of the latest ICS risks and the context of the operation. The firewall that sits next to the SIEM is of course updated annually, but by and large those policy updates address traditional IT threats associated with the operating system and its configuration.

There are many operating contexts that make a SIEM difficult to maintain. When we think about the effectiveness of a SIEM in OT, consider the operational context of a Floating Production, Storage and Offloading (FPSO) vessel. There is a very limited rotating staff on a marine vessel, and there is only intermittent satellite internet connectivity. How pragmatic is it to think that a SIEM on such a vessel will be kept updated for known ICS threats?

A SIEM is a powerful tool, but its efficacy is tied to both the quality of its configuration and the currency of its updates. Unfortunately, typical SIEMs have been designed with configuration and update workflows aimed at an IT professional, rather than tailored for the instrumentation and control technicians who will maintain them on an FPSO unit, for example.

Our peers who operate in critical infrastructure environments are constantly weighing operational integrity against demonstrable security improvements in a cost-benefit analysis. As an industry, we have a unique opportunity to pivot our thinking away from IT compliance paradigms and towards design for purpose, to promote investment in demonstrable improvements in OT security.
