Advice for CISOs on Bridging the IT-OT Security Gap: Part 1
In my two previous articles I talked about how industrial networks have become the latest geopolitical battleground and why CISOs should care. Now, I’m going to provide three actionable recommendations to bridge the IT-Operational Technology (OT) security gap, including common pitfalls from the field and how to avoid them.
Before getting into specifics, it’s important to set the context and acknowledge that these recommendations are predicated on a common situation: security teams are very familiar with IT networks but not with OT networks. Their instinct is to apply their trusted IT cybersecurity best practices to the OT environment and take a “crawl, walk, run” approach. In other words, they start with the basics, like securing the perimeter and implementing physical segmentation.
The problem is that we have neither three to five years nor the resources to physically segment networks that are geographically dispersed, say across 100 manufacturing sites around the world. And attempting to deploy the same 15 or more IT security tools in an OT environment takes too long and often isn’t effective or even necessary. Adversaries are evolving their approaches and escalating attacks against industrial control system (ICS) networks. They aren’t operating on our timelines, so we need to move straight to “run” and focus on what we can do next week and next month to reduce the most risk.
The good news is that most Fortune 500 companies have the support of their board of directors and the budget to strengthen the security of their ICS networks. The other piece of good news is that we are largely working with a blank slate. Most OT networks have few or no modern security controls, which is an opportunity to build a security program from scratch, one that lets us leverage existing IT security resources to quickly lock down production environments. So, let’s get started.
1.) Eliminate complexity. When you try to apply the same IT playbook to OT environments, you introduce unnecessary complexity. Measures such as lengthy physical segmentation projects within the OT networks and deploying multiple security tools don’t scale and don’t reduce risk immediately. While we should still plan for physical segmentation and expect to deploy certain technologies and tools, we need to be more creative and use a different playbook for OT networks.
As the saying often attributed to Winston Churchill goes, “Perfection is the enemy of progress.” The biggest challenge is that we typically have no telemetry from OT networks and, thus, no visibility into them. We don’t need to be constrained by preconceived notions of perfection; we just need a plan we can start executing immediately to gain visibility and, thus, reduce risk. Based on eight years in the field of OT cybersecurity working with hundreds of organizations, here are some top suggestions:
• Remove from your “to do list” everything that is not adding value. One example is deploying Endpoint Detection and Response (EDR) agents on endpoints at Level 2 and below in your OT networks. Installing software on real-time controllers typically voids the manufacturer’s warranty or support agreement, and you can expect opposition from engineering because these machines control physical processes that cannot be disrupted. Attempting to install EDR on them is a losing battle and, more importantly, you shouldn’t spend time trying. Instead, leverage the natural characteristics of those OT networks to your advantage, which leads to the next point.
• OT network traffic is a data-rich resource, so use it. Adversaries may already be in the network without your knowledge because of significant blind spots, but EDR isn’t the answer. OT protocols are designed to communicate far more about the devices on the wire than typical IT traffic reveals: the software version they are running, firmware, serial numbers, and more. Passively captured OT network traffic (from a SPAN port or a network tap, so nothing is injected into the process network) therefore provides most of the security information you need to monitor for threats. Consider solutions that you can quickly implement for asset visibility and continuous threat monitoring.
• Deploy virtual segmentation. While you execute your physical segmentation project within the OT networks (e.g., to separate Level 1 from Level 2, or the DCS from the safety instrumented systems), deploy virtual segmentation: define zones within the ICS network and the conduits between them that the process requires, and alert on traffic that crosses zones any other way. This will alert you right away to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. It will also surface operational issues with the way the process is set up, which is equally important in achieving the goal of uptime and availability. At certain levels of the network you can’t really block traffic, because doing so also stops the physical process and may create safety issues. However, this type of segmentation improves network monitoring and access control and greatly accelerates response time, saving cost and reducing downtime if an attacker does establish a foothold. What’s more, virtual segmentation provides visibility across the network that can inform your physical segmentation project. So not only are you significantly reducing risk today, you’re accelerating and improving the outcome of your longer-term physical segmentation efforts.
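As an added illustration of the two points above (building an asset inventory from what OT traffic already exposes, and alerting on zone crossings rather than blocking them), here is a small Python example. It is not from the article or from any product; the plant layout, IP addresses, zone names, permitted conduits and flow records are all constructed for the example, and a real deployment would take the flow records from a passive sensor on a SPAN port or tap.

```python
"""Passive asset inventory plus virtual-segmentation alerting over OT flow
records. Added example; zones, conduits, IPs and flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical zone model for one production line: asset IP -> (zone, Purdue level)
ZONES = {
    "10.1.1.10": ("hmi_line1", 2),
    "10.1.1.50": ("eng_workstation", 2),
    "10.1.2.20": ("plc_line1", 1),
    "10.1.2.21": ("plc_line1", 1),
    "10.1.3.30": ("sis_line1", 1),   # safety instrumented system, its own zone
    "10.1.0.5": ("historian", 3),
}

# Hypothetical conduits the process design permits: (initiator zone, responder zone, protocol)
ALLOWED_CONDUITS = {
    ("hmi_line1", "plc_line1", "modbus"),
    ("eng_workstation", "plc_line1", "s7comm"),
    ("historian", "hmi_line1", "opcua"),
}


@dataclass
class Flow:
    """One conversation as a passive sensor would record it: src is the initiator,
    dst the responder; device_info holds identity fields the sensor parsed from
    the responder's replies (vendor, firmware, serial, ...)."""
    ts: str
    src: str
    dst: str
    proto: str
    device_info: dict = field(default_factory=dict)


def check_flow(flow, zones=ZONES, conduits=ALLOWED_CONDUITS):
    """Return None when the flow fits the zone model, otherwise an alert dict.
    Nothing is blocked: at Level 1/2 the response is an alert, not a drop."""
    src, dst = zones.get(flow.src), zones.get(flow.dst)
    base = {"ts": flow.ts, "src": flow.src, "dst": flow.dst, "proto": flow.proto}
    if src is None or dst is None:
        return {**base, "reason": "unknown_asset"}   # not in the model: inventory gap or intruder
    if src[0] == dst[0] or (src[0], dst[0], flow.proto) in conduits:
        return None                                  # intra-zone or a designed conduit
    reason = "safety_zone_reached" if dst[0].startswith("sis") else "cross_zone_no_conduit"
    return {**base, "reason": reason, "path": f"{src[0]}(L{src[1]})->{dst[0]}(L{dst[1]})"}


def check_flows(flows, zones=ZONES, conduits=ALLOWED_CONDUITS):
    """Alerts for every flow that crosses zones outside a permitted conduit."""
    return [a for a in (check_flow(f, zones, conduits) for f in flows) if a is not None]


def build_inventory(flows, zones=ZONES):
    """Asset inventory assembled purely from what the traffic exposed."""
    inv = defaultdict(lambda: {"protocols": set()})
    for f in flows:
        for host in (f.src, f.dst):
            inv[host].setdefault("zone", zones.get(host, ("unassigned", None))[0])
            inv[host]["protocols"].add(f.proto)
        inv[f.dst].update(f.device_info)    # identity fields describe the responder
    return dict(inv)


# Constructed flow records, as a passive sensor might emit them
SAMPLE_FLOWS = [
    Flow("09:00:01", "10.1.1.10", "10.1.2.20", "modbus",
         {"vendor": "ExampleAutomation", "firmware": "2.3.1", "serial": "PLC-0001"}),
    Flow("09:00:02", "10.1.2.20", "10.1.2.21", "modbus"),   # peer PLCs, same zone
    Flow("09:00:03", "10.1.0.5", "10.1.1.10", "opcua"),     # historian pulls from HMI
    Flow("09:00:04", "10.1.1.50", "10.1.1.10", "smb"),      # workstation to HMI over SMB
    Flow("09:00:05", "10.1.1.50", "10.1.3.30", "s7comm"),   # workstation reaching the SIS
    Flow("09:00:06", "10.1.9.99", "10.1.2.20", "modbus"),   # host nobody modelled
]


if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(alert)
    for host, info in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(host, info)
```

Run against the constructed flows, the check raises three alerts (SMB between two Level 2 zones with no conduit, an engineering workstation reaching the safety zone, and a host that is not in the zone model at all) while the routine HMI-to-PLC, PLC-to-PLC and historian traffic passes silently, and the inventory already carries the PLC's vendor, firmware and serial number without a single packet having been sent to it. The same unknown-asset alert is what tells you the zone model is incomplete, which is exactly the information a later physical segmentation project needs.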
These are just some of the top suggestions and examples of how to secure your OT network without repurposing your IT playbook, eliminating complexity in the process. In my next column, I’ll cover the final two recommendations for bridging the IT-OT security gap: 2) Align IT and OT teams, and 3) Simplify governance.