A 4 Step Guide to Stronger OT Cybersecurity

by Erin Anderson on April 14, 2020

Security and risk management leaders at organizations around the world are increasingly concerned about cybersecurity threats to their operational technology (OT) networks. A key driver behind this is that cyberthreats, like disruptionware, are increasing in quantity and sophistication all the time. Industrial control system (ICS) networks are categorized as high risk because they are inherently insecure, increasingly so because of expanding integration with the corporate IT network, as well as the rise of remote access for employees and third parties.

An example of an IT network within a control system is a PC that’s running HMI or SCADA applications. Because this particular PC wasn’t set up with the initial intention of connecting to IT systems, it typically isn’t managed so can’t access the latest operating system, patches, or antivirus updates. This makes that PC extremely vulnerable to malware attacks. Besides the increased cyberthreat risk, the complexity resulting from IT–OT integration also increases the likelihood of networking and operational issues.

Another factor driving this increased focus on industrial cybersecurity is that the impact of an OT security incident is potentially far more serious than one which affects traditional IT networks. Of course, the theft of customer credit card details or similar types of confidential data is a big deal, but when you contrast that with a successful attack on an electric utility resulting in a widespread blackout, or the compromise of a manufacturing organization producing critical equipment, you realize just how serious it could be. This has become especially clear in light of the COVID-19 pandemic, which has exposed the fragility of our supply chain and the significance of keeping the electric grid operational to power other critical infrastructure in society, like hospitals.

OT infrastructure owners are rarely able to manage a converged environment holistically, particularly because securing OT networks requires a different approach than the traditional methods applied to IT networks. Below is an overview of a 4 step approach to a stronger OT cybersecurity program:

Assess
This stage is all about establishing an accurate asset inventory with baselines for each and developing a complete network map of all inbound and outbound communications. A good assessment should include detailed asset data, including role, model, firmware, and backplane connections for non-Windows OT devices, as well as impact-based risk data to better prioritize device vulnerabilities.

Secure
Once you have a clear understanding of network flows and patterns, you can appropriately apply security controls within OT environments, like network segmentation and network access control. This means knowing, for example, whether relevant authorized users are using the correct remote access proxy, the number of protocols in use, and which assets are connected directly to the Internet. This also gives you the ability to identify abnormal operating conditions and put proper rules in place to automatically correct them.

Monitor
Effective cybersecurity depends on timely, accurate and relevant threat information. Many threat intel sources are available, including government, industry and commercial feeds. The quality and speed of this information can vary widely and is only useful if it can be turned into actionable intelligence. To successfully achieve this, security teams should leverage automated threat ingestion capabilities in network monitoring solutions. Doing so allows you to check for emerging threats in near real time, while also analyzing historical data to see if a particular IoC from those feeds has been seen on your network in the past, and then quickly initiate a response to mitigate it.

Respond
Once you begin proactively monitoring your OT environments, you will find security, networking and operational events of interest. To make the most of this valuable data, you need to establish a proper RACI matrix and use that to define which stakeholders get notified about which events of interest and how. An effective approach should also involve the implementation of a tracking system to avoid multiple alerts for cases that are already open. Leveraging bi-directional integrations between security solutions is a key capability to effectively implement this step and reduce your mean time to respond (MTTR).

OT systems are rapidly morphing into cyber-physical systems that are connected to vast corporate and operational networks via the internet, which has increased the risk of both cyber and operational threats in these networks. Proactively identifying, classifying and monitoring your OT infrastructure helps you not only discover what risks you face now, but also how you will reduce future risk.

Sponsorships Available

For a deep dive into how security and risk managers can apply this approach, plus real use cases from companies who have implemented it, download our OT Cybersecurity Playbook.