As a security consultant, in most situations I am not going into an environment to design and build an organization’s network from the ground up. Most of the time, I’m working with legacy environments where some older technologies are being phased out and newer ones are joining the mix of solutions. In one environment I went to, for instance, it was all of this plus a variety of Shadow IT that was so business-critical that the operations team was anxious about investigating it for fear of causing disruption.

To add complexity to this issue, organizations whose Industrial Control Systems (ICS), and therefore Operational Technology (OT), are mixed in with their Information Technology (IT) have an even more complex landscape to balance. If any of this sounds familiar, don’t worry. Whilst it can be frustrating, it’s not impossible to improve.

We have often heard about the ‘basics’ of security, or more recently security ‘foundations’, because honestly, the word ‘basic’ gives an illusion of simplicity that is not there. I prefer to discuss them as the resilience foundations of IT/OT infrastructure. To break this down into distinguishable pieces, we can focus our conversations and planning on the following six points:

  1. Documentation and asset management: To start, you need to understand what is on your network. This is as critical as data classification because it is the central point for embedding resilience. What is actually required to be resilient? Identify the hardware and software assets, then establish what each asset can tolerate. For example, legacy systems may only be suitable for passive discovery, listening to their existing communications rather than actively probing them with queries. Identifying the systems that must be restricted in this way is a key input to step three: the ability to separate.
  2. Restrictive mappings: As I noted in the (Read more...)
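As an added example (not code from the original post), the asset-management step above can be made concrete as an inventory that records what each asset tolerates, enriched from passively observed traffic, plus a gate that refuses active discovery against passive-only or unknown assets. The addresses, names and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: hypothetical assets with the discovery mode each tolerates.
ASSETS = {
    "10.0.1.5":  {"name": "historian-01", "zone": "OT", "discovery": "active"},
    "10.0.2.20": {"name": "plc-line3",    "zone": "OT", "discovery": "passive-only"},
    "10.0.3.7":  {"name": "hr-web",       "zone": "IT", "discovery": "active"},
}

# Constructed passive observations (e.g. from a SPAN-port flow export): src, dst, dst port.
FLOWS = [
    ("10.0.1.5", "10.0.2.20", 502),
    ("10.0.3.7", "10.0.1.5", 443),
    ("10.0.9.9", "10.0.2.20", 502),   # unknown talker: a candidate Shadow IT asset
]


def passive_inventory(assets, flows):
    """Enrich the inventory from observed traffic without sending a single packet.
    Returns (observed listening ports per known asset, addresses not yet in the inventory)."""
    services = defaultdict(set)
    unknown = set()
    for src, dst, port in flows:
        for addr in (src, dst):
            if addr not in assets:
                unknown.add(addr)
        if dst in assets:
            services[dst].add(port)
    return dict(services), unknown


def plan_discovery(assets, targets, mode):
    """Split requested targets into (allowed, excluded) for mode 'active' or 'passive'.
    Active probing is permitted only for assets explicitly recorded as tolerating it;
    anything not in the inventory is excluded until it has been classified."""
    allowed, excluded = [], []
    for addr in targets:
        entry = assets.get(addr)
        if entry is None:
            excluded.append((addr, "not in inventory; classify before touching"))
        elif mode == "active" and entry["discovery"] != "active":
            excluded.append((addr, f"{entry['name']} is {entry['discovery']}"))
        else:
            allowed.append(addr)
    return allowed, excluded


if __name__ == "__main__":
    services, unknown = passive_inventory(ASSETS, FLOWS)
    print("observed services:", services)
    print("unknown talkers to classify:", unknown)
    print(plan_discovery(ASSETS, list(ASSETS) + ["10.0.9.9"], "active"))
```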