SecurityWeek

ICS/OT

Three Tips to Help CISOs Close the IT-OT Security Gap

Advice for CISOs on Bridging the IT-OT Security Gap: Part 1

In my two previous articles I talked about how industrial networks have become the latest geopolitical battleground and why CISOs should care. Now, I’m going to provide three actionable recommendations to bridge the IT-Operational Technology (OT) security gap, including common pitfalls from the field and how to avoid them.

Before getting into specifics, it’s important to set the context and acknowledge that these recommendations are predicated on the fact that security teams are very familiar with IT networks but not OT networks. Their instinct is to apply their trusted IT cybersecurity best practices to the OT environment and take a “crawl, walk, run” approach. In other words, they start with the basics, like securing the perimeter and implementing physical segmentation.

The problem is that we don’t have three to five years nor the resources to segment networks that are geographically dispersed, say with 100 manufacturing sites around the world. And attempting to implement the same 15+ IT security tools within an OT environment takes too long and often isn’t effective or necessary. Adversaries are evolving their approaches and escalating attacks against industrial control systems (ICS) networks. They aren’t operating on our timelines, so we need to move straight to “run” and focus on what we can do next week and next month to reduce risk the most. 

The good news is that most Fortune 500 companies have the support of their board of directors and budgets to strengthen the security of their ICS networks. The other piece of good news is that we are working with a blank slate. OT networks have no modern security controls, which provides an opportunity to build a security program from scratch. One that will allow us to leverage existing IT security resources to quickly lock down production environments. So, let’s get started.

1) Eliminate complexity. When you try to apply the same IT playbook to OT environments you introduce unnecessary complexity. Measures such as lengthy physical segmentation projects within the OT networks and deploying multiple security tools don’t scale and don’t reduce risk immediately. While we should still plan for physical segmentation and expect to deploy certain technologies and tools, we need to be more creative and use a different playbook for OT networks.

As Winston Churchill said, “Perfection is the enemy of progress.” The biggest challenge is that we have zero telemetry and, thus, no visibility into OT networks. We don’t need to be constrained by preconceived notions of perfection; we just need a plan we can start executing immediately to gain visibility and, thus, reduce risk. Based on eight years in the field of OT cybersecurity working with hundreds of organizations, here are some top suggestions:

• Remove from your “to-do list” everything that is not adding value. For example, this would include implementing Endpoint Detection and Response (EDR) solutions on endpoints at Level 2 and below in your OT networks. Installing these solutions on real-time controllers voids manufacturers’ warranties. You can also expect opposition from engineering because these real-time machines control physical processes that cannot be disrupted. You face a losing battle when you attempt to install EDR solutions on these machines and, more importantly, you shouldn’t spend time trying. Why? This leads me to my next point – try to leverage the natural characteristics of those OT networks to your advantage.


• OT network traffic is a data-rich resource, so use it. Adversaries may already be in the network and you may not know it due to significant blind spots. But EDR solutions aren’t the answer. OT networks are designed to communicate and share much more information than is typically available from IT components – the software version they are running, firmware, serial numbers, and more. OT network traffic provides all the security information you need to monitor for threats. Consider solutions that you can quickly implement for asset visibility and continuous threat monitoring. 

• Deploy virtual segmentation. While you execute your physical segmentation project within the OT networks (e.g., to segment Level 1 from Level 2, or the DCS from safety systems), deploy virtual segmentation to zones within the ICS network. This will alert you right away to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. It will also identify operational issues with the way the process is set up, which is equally important in achieving the goal of uptime and availability. At certain levels of the network you can’t really block traffic, because doing so also stops the physical process and may create safety issues. However, this type of segmentation can improve network monitoring and access control and greatly accelerate response time, saving cost and reducing downtime in the event an attacker does establish a foothold. What’s more, virtual segmentation provides visibility across the network that can inform your physical segmentation project. So not only are you significantly reducing risk today, you’re accelerating and improving the outcome of your longer-term physical segmentation efforts.
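One way to express the alert-only side of virtual segmentation in code, as an added example that is not part of this column or of any vendor product: passively observed flows are mapped onto ICS zones and checked against a conduit policy, and every cross-zone violation is reported rather than blocked. The zone address ranges, the conduit policy and the flow records are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# A flow as a passive sensor on a span port or tap would summarise it.
Flow = namedtuple("Flow", "src dst dport")

# Constructed Purdue-style zone map; the address ranges are hypothetical.
ZONES = {
    "L1_controllers": ipaddress.ip_network("10.10.1.0/24"),
    "L2_supervisory": ipaddress.ip_network("10.10.2.0/24"),
    "safety": ipaddress.ip_network("10.10.9.0/24"),
    "L3_site_ops": ipaddress.ip_network("10.10.30.0/24"),
}
# Permitted conduits (src zone, dst zone) -> allowed destination ports; anything unlisted is reported.
CONDUITS = {
    ("L2_supervisory", "L1_controllers"): {502, 44818},  # Modbus/TCP, EtherNet/IP
    ("L3_site_ops", "L2_supervisory"): {102, 4840},      # S7comm, OPC UA
}

def zone_of(ip):
    """Return the zone containing ip, or None if the asset is unmapped."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), None)

def check_flow(flow):
    """Return None if the flow is allowed, else a dict describing the alert."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return {"flow": flow, "reason": "unmapped asset"}  # new or unknown device
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not policed by this check
    ports = CONDUITS.get((src_zone, dst_zone))
    if ports is None:
        return {"flow": flow, "reason": f"no conduit {src_zone}->{dst_zone}"}
    if flow.dport not in ports:
        return {"flow": flow, "reason": f"port {flow.dport} not allowed on conduit"}
    return None

def audit(flows):
    """Alert-only: nothing is blocked, every violation is returned for triage."""
    return [a for a in map(check_flow, flows) if a]

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.10.2.5", "10.10.1.7", 502),     # HMI polling a PLC: allowed
    Flow("10.10.1.7", "10.10.1.8", 502),     # PLC to PLC in the same zone: allowed
    Flow("10.10.30.4", "10.10.1.7", 502),    # site ops straight to a PLC: no conduit
    Flow("10.10.2.5", "10.10.9.3", 502),     # supervisory into the safety zone: no conduit
    Flow("10.10.2.5", "10.10.1.7", 22),      # SSH over the HMI->PLC conduit: wrong port
    Flow("192.168.50.1", "10.10.1.7", 502),  # unmapped source reaching a PLC
]
```

Feeding the same check the flows from a physical segmentation design review shows which planned boundaries the live traffic already crosses, which is the visibility the column says should inform that longer-term project.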

These are just some of the top suggestions and examples of how to secure your OT network without trying to repurpose your IT playbook and eliminate complexity in the process. In my next column, I’ll cover the final two recommendations for bridging the IT-OT security gap: 2) Align IT and OT teams, and 3) Simplify governance.


Written By

Galina Antova is the Co-founder and Chief Business Development Officer at Claroty. Prior to that, she was the Global Head of Industrial Security Services at Siemens, overseeing development of its services that protect industrial customers against cyber-attacks. She was also responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services for industrial control systems operators. Previously, Ms. Antova was with IBM Canada, with roles in the Provisioning and Cloud Solutions business. She holds a BS in Computer Science from York University in Toronto, and an MBA from the International Institute of Management and Development (IMD) in Lausanne, Switzerland.
