Today, there is a tremendous amount of work being done to protect IT systems against cybercrime. Worryingly, the same cannot be said for OT, the operational technology systems that are used to run everything from factories to oil pipelines to power plants.
Organizations should be fortifying their cybersecurity strategies because threats targeting OT assets and operations are quickly increasing in volume and sophistication. At the same time, cybersecurity measures that are commonly deployed to protect IT — such as patching and antivirus management, secure file transfer, continuous monitoring, threat detection and response and network hardening — are sometimes conspicuously absent in the OT realm.
Often, there is neither adequate visibility nor understanding of the growing OT cybersecurity risk at the enterprise or site level. Worse still, there is a significant shortage in the OT space of cybersecurity professionals with required domain expertise.
How did we get here? Part of the challenge is that many regarded OT networks and operations as safe from cyber threats. Historically, they were viewed as air-gapped and isolated from external connectivity, including the Internet and corporate IT networks. This misconception gave many a false sense of security. In practice, OT networks and assets are exposed to malware introduced, accidentally or deliberately, by employees, contractors and vendors who bring laptops, tablets and network- or USB-connected devices on site. The growing use of remote access for OT operations, maintenance and support, together with the deployment of Internet of Things (IoT) devices and networks, adds further attack vectors and risk. In some cases, operators have yet to fully segment and secure OT networks from IT networks.
The OT cyberattack surface is expanding and adversaries are increasingly finding ways to attack it, devising clever ways to introduce malware, access backdoors and establish remote connectivity, which enables them to sneak inside OT systems and wreak havoc.
In short, OT cybersecurity risks are now enormous — and so are the consequences. Cyber incidents can lead to production loss, product-quality issues, damage to the environment, plant explosions, damage to brand and reputation, and even loss of life. Chillingly, Gartner predicts that by 2025, cyberattackers may be able to weaponize OT systems to harm or kill people. It further predicts that CEOs could be held personally liable for fatal incidents.
So what can be done? Here are four ways organizations can better protect their operational technology against cyberattacks.
1: Assess OT cybersecurity posture and risks
First and foremost, organizations need to understand the security posture of their OT assets, networks, policies, procedures, practices and systems. An OT cybersecurity assessment conducted by a reputable OT cybersecurity professional is a good place to start. The assessment should inventory OT assets, classify them by primary function, map the network connections and traffic flows between them, and rank the criticality of those assets and connections. It should identify the vulnerabilities present in the OT environment and rate the severity and risk of each. Finally, it should evaluate how effective the existing security controls are, including policies, procedures and technology.
Once you’ve conducted the OT cybersecurity assessment(s), you’ll have a better picture of the identified vulnerabilities and risks within your OT environment and the status of security controls. Organizations need to have ongoing visibility of their OT assets, networks and vulnerabilities, and software solutions can be leveraged to help provide it.
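As an added example (not part of the original article), the following Python script does the first part of such an assessment on a constructed flow log: it builds an asset inventory, infers each asset's role from the industrial protocols it speaks, maps the connections between assets, and ranks the flows that cross the IT/OT boundary by the criticality of the destination. The zone layout, the port-to-role mapping, the criticality scale and the sample flows are all assumptions chosen for the example.

```python
"""Added example (not from the article): build an OT asset inventory and a
connection map from a constructed flow log, then list the flows an
assessment would want to look at first.

Assumptions (not stated in the article): zones are identified by IP prefix,
asset roles are inferred from industrial protocol ports, and criticality is
an ordinal derived from the inferred role."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flow records "src,dst,dst_port,bytes" (not captured data).
SAMPLE_FLOWS = """\
10.20.1.10,10.20.1.51,502,4800
10.20.1.10,10.20.1.52,502,5100
10.20.1.20,10.20.1.51,102,2200
10.20.1.20,10.20.1.51,502,900
10.10.5.7,10.20.1.51,502,300
10.10.5.7,10.20.1.20,3389,120000
10.20.1.30,10.20.1.10,80,1500
"""

# Assumed zone layout: 10.20.0.0/16 is the control (OT) network, 10.10.0.0/16 is corporate IT.
ZONES = {"10.20.": "OT", "10.10.": "IT"}

# Assumed role inference: what listens on an industrial protocol port, and what talks to it.
SERVER_ROLES = {502: "PLC (Modbus/TCP)", 102: "PLC (S7comm)", 20000: "RTU (DNP3)"}
CLIENT_ROLES = {502: "HMI/SCADA client", 102: "engineering workstation", 20000: "SCADA master"}
REMOTE_ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}

# Assumed criticality scale: 3 = can change the process, 2 = supervises it, 1 = unknown/other.
CRITICALITY = {"PLC": 3, "RTU": 3, "engineering": 3, "HMI": 2, "SCADA": 2}


@dataclass
class Asset:
    ip: str
    zone: str
    roles: set = field(default_factory=set)

    @property
    def criticality(self) -> int:
        scores = [v for k, v in CRITICALITY.items() if any(k in r for r in self.roles)]
        return max(scores, default=1)


def zone_of(ip: str) -> str:
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


def build_inventory(flow_text: str):
    """Return ({ip: Asset}, {(src, dst, port): bytes}) from the flow records."""
    assets: dict[str, Asset] = {}
    edges: dict[tuple, int] = defaultdict(int)
    for line in flow_text.strip().splitlines():
        src, dst, port, nbytes = line.split(",")
        port = int(port)
        for ip in (src, dst):
            assets.setdefault(ip, Asset(ip, zone_of(ip)))
        if port in SERVER_ROLES:
            assets[dst].roles.add(SERVER_ROLES[port])
            assets[src].roles.add(CLIENT_ROLES[port])
        edges[(src, dst, port)] += int(nbytes)
    return assets, dict(edges)


def prioritised_findings(assets, edges) -> list[str]:
    """Flag flows that cross the IT/OT boundary, most critical destination first."""
    findings = []
    for (src, dst, port) in edges:
        s, d = assets[src], assets[dst]
        if s.zone == d.zone:
            continue
        what = SERVER_ROLES.get(port) or REMOTE_ADMIN_PORTS.get(port) or f"port {port}"
        findings.append((d.criticality,
                         f"{s.zone}->{d.zone}: {src} -> {dst} [{what}] dst criticality {d.criticality}"))
    findings.sort(key=lambda f: -f[0])
    return [text for _, text in findings]


if __name__ == "__main__":
    inv, edges = build_inventory(SAMPLE_FLOWS)
    for a in sorted(inv.values(), key=lambda a: -a.criticality):
        print(f"{a.ip:12} {a.zone:3} crit={a.criticality} roles={sorted(a.roles) or ['unknown']}")
    print("\n".join(prioritised_findings(inv, edges)))
```

In a real assessment the flow records would come from passive capture on a SPAN port or an OT sensor, and the inferred roles would be checked against the site's own documentation. The point of the script is that the corporate host talking Modbus to a PLC and RDP-ing into an engineering workstation lands at the top of the list without anyone reading the raw log.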
2: Build a program around OT cybersecurity, as you would for safety
Organizations should approach OT cybersecurity as a program, just as they do safety in the industrial space or IT security in the corporate space. Using findings from the cybersecurity assessments, leaders can identify potential gaps in the organization’s approach to managing risks. Then they can begin to address capability gaps, clearly define cybersecurity policies required and determine responsibilities for mitigating risks. OT cybersecurity needs to be embraced at the highest levels of the organization. What’s more, much like how safety is treated, cybersecurity needs to be maintained as an ongoing program and regarded as a key operational enabler for the business.
Baked into that program should be well-defined OT cybersecurity governance, along with policies and procedures, dedicated resources and budgets, and roles, responsibilities and decision rights. A plan should be implemented to continuously measure and report cybersecurity risks. Organizations should establish remediation steps and policies to address these risks. Also, the creation of an incident response plan can help to formalize procedures to respond to cybersecurity incidents.
Lastly, leadership should build a team of cybersecurity specialists who are trained to manage and respond to threats. Having the right specialized OT cybersecurity talent is important, so some organizations may need to decide which roles will be handled in-house and which will be outsourced. Some companies purchase external managed security services, end-to-end security-as-a-service offerings, to help protect OT environments, control systems and operations by identifying and mitigating emerging cyber threats to their business.
3: Implement the right OT cybersecurity tools and technology
It is critical for organizations to use technology solutions that make cybersecurity operations more effective and efficient. Top of the list is ensuring that appropriate security measures and controls are in place for the network architecture that governs communication, and for access to the OT environment by internal and external users and systems.
Fundamental technical security controls should be in place. Network and endpoint hardening reduces the attack surface, and a best practice is to use technology to continuously monitor configurations for compliance. Any remote access solution used for OT needs security controls specific to OT: strong authentication (for example, multi-factor), permissions granted per asset or system and scoped by date/time and the actions allowed, and full traceability and auditing of who accessed which assets and when. Asset discovery and inventory technology increases visibility. Endpoint and network protection can be strengthened with controls such as USB device protection, which addresses the removable-media risk described above, and next-generation firewalls.
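As an added example (not part of the original article, and not any vendor's product), the following Python sketch shows what "granular permissions per asset, date/time and allowed actions, with full auditing" means in code: a deny-by-default authorization check for OT remote access requests, where each grant names one asset, one maintenance window and an explicit list of actions, and every decision, including denials, is written to an audit trail. The grant and request formats, the action names and the sample data are assumptions chosen for the example.

```python
"""Added example (not from the article): deny-by-default authorization for OT
remote access requests against per-asset grants that carry a maintenance window
and an explicit list of allowed actions, with every decision (allow or deny)
written to an audit trail.

The grant and request formats, the action names and the sample data below are
constructed for illustration; they do not describe any particular product."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str                  # one asset per grant: no wildcards
    actions: frozenset          # e.g. {"view", "download-config"}; "write" must be granted explicitly
    window_start: datetime      # UTC maintenance window; outside it the grant is inert
    window_end: datetime
    mfa_required: bool = True


@dataclass(frozen=True)
class Request:
    user: str
    asset: str
    action: str
    at: datetime
    mfa_verified: bool


@dataclass(frozen=True)
class Decision:
    request: Request
    allowed: bool
    reason: str


def authorize(grants, request: Request, audit: list) -> Decision:
    """Allow only if some grant for (user, asset) covers the time, the action and
    the MFA requirement. Denials are audited with the reason, just like allows."""
    reason = "no grant for this user on this asset"
    for g in grants:
        if (g.user, g.asset) != (request.user, request.asset):
            continue
        if not (g.window_start <= request.at <= g.window_end):
            reason = "outside granted maintenance window"
        elif request.action not in g.actions:
            reason = f"action {request.action!r} not granted"
        elif g.mfa_required and not request.mfa_verified:
            reason = "MFA required but not verified"
        else:
            decision = Decision(request, True, "matched grant")
            audit.append(decision)
            return decision
    decision = Decision(request, False, reason)
    audit.append(decision)
    return decision


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: a vendor engineer may view PLC-7 and pull its config during one morning window.
GRANTS = [
    Grant("vendor.jsmith", "PLC-7", frozenset({"view", "download-config"}),
          _utc("2024-03-02T08:00"), _utc("2024-03-02T12:00")),
]

SAMPLE_REQUESTS = [
    Request("vendor.jsmith", "PLC-7", "view", _utc("2024-03-02T09:00"), True),    # allowed
    Request("vendor.jsmith", "PLC-7", "write", _utc("2024-03-02T09:05"), True),   # action not granted
    Request("vendor.jsmith", "PLC-7", "view", _utc("2024-03-02T13:00"), True),    # outside window
    Request("vendor.jsmith", "PLC-7", "view", _utc("2024-03-02T09:10"), False),   # no MFA
    Request("vendor.jsmith", "PLC-8", "view", _utc("2024-03-02T09:15"), True),    # wrong asset
]


def run(requests=SAMPLE_REQUESTS, grants=GRANTS):
    """Evaluate the sample requests and return the audit trail."""
    audit: list = []
    for r in requests:
        authorize(grants, r, audit)
    return audit


if __name__ == "__main__":
    for d in run():
        print(f"{d.request.at.isoformat()} {d.request.user} {d.request.action}@{d.request.asset}: "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Two design points carry over to any real broker: there is no path to "allow" that does not go through a grant naming the exact asset, and the audit trail records the denied attempts too, since a vendor account trying to write to a PLC outside its window is exactly the event an incident responder will later want to find.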
Patching and antivirus management are essential to minimize vulnerabilities. Many companies struggle to patch assets in their facilities: continuous operations leave very limited windows in which to apply patches and reboot systems, and some assets run outdated, unsupported software that cannot be patched at all. Compensating controls, such as application control that allows only known and trusted applications to run on OT assets, can be deployed to address these cases.
4: Establish an early detection and response strategy
Cybersecurity leaders must ensure that their organizations have solutions in place for ongoing, automated threat detection coupled with incident response. This requires continuous monitoring of OT assets and process control networks so that anomalous behavior, actions and changes are identified in near real-time. By using software solutions, indicators of compromise (IOCs) can be identified quickly and actions taken to mitigate risks before they become major incidents.
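As an added example (not part of the original article), the following Python script shows the kind of anomaly detection the paragraph describes, applied to a process control network: it learns a baseline of which hosts talk to which controllers using which Modbus function codes, then flags deviations in a later window, such as a new host appearing, an HMI that only ever read suddenly writing a register, or a write to a register address that was never written before. The log format and both sets of sample lines are constructed for the example; the Modbus function code numbers are the standard ones.

```python
"""Added example (not from the article): learn a baseline of who talks to which
controller with which Modbus function codes, then flag deviations in a later
window. The log line format and the sample lines are constructed for
illustration, not taken from a real capture."""
from collections import defaultdict

# Standard Modbus function codes; the write codes are the ones that change the process.
WRITE_FCS = {5, 6, 15, 16}
FC_NAMES = {1: "read coils", 3: "read holding regs", 4: "read input regs",
            5: "write coil", 6: "write register", 15: "write multiple coils",
            16: "write multiple regs"}

# Constructed lines: "<ts> <src> <dst> fc=<n> addr=<n>".
BASELINE_LOG = """\
2024-03-01T08:00:01 10.20.1.10 10.20.1.51 fc=3 addr=100
2024-03-01T08:00:02 10.20.1.10 10.20.1.52 fc=3 addr=100
2024-03-01T08:00:03 10.20.1.20 10.20.1.51 fc=16 addr=200
2024-03-01T08:00:04 10.20.1.10 10.20.1.51 fc=4 addr=300
2024-03-01T08:00:05 10.20.1.20 10.20.1.51 fc=3 addr=200
"""
LIVE_LOG = """\
2024-03-02T02:10:01 10.20.1.10 10.20.1.51 fc=3 addr=100
2024-03-02T02:10:02 10.20.1.10 10.20.1.51 fc=6 addr=200
2024-03-02T02:10:03 10.20.1.77 10.20.1.52 fc=3 addr=100
2024-03-02T02:10:04 10.20.1.20 10.20.1.51 fc=16 addr=900
2024-03-02T02:10:05 10.20.1.20 10.20.1.51 fc=16 addr=200
"""


def parse(text):
    """Yield (ts, src, dst, function_code, address) tuples from the constructed format."""
    for line in text.strip().splitlines():
        ts, src, dst, fc, addr = line.split()
        yield ts, src, dst, int(fc[len("fc="):]), int(addr[len("addr="):])


class Baseline:
    def __init__(self):
        self.pairs = set()                      # (src, dst) pairs seen talking
        self.fcs = defaultdict(set)             # (src, dst) -> function codes used
        self.write_targets = defaultdict(set)   # dst -> addresses written during learning

    def learn(self, text):
        for _, src, dst, fc, addr in parse(text):
            self.pairs.add((src, dst))
            self.fcs[(src, dst)].add(fc)
            if fc in WRITE_FCS:
                self.write_targets[dst].add(addr)
        return self


def detect(baseline: Baseline, text):
    """Return (severity, ts, message) alerts for traffic that departs from the baseline."""
    alerts = []
    for ts, src, dst, fc, addr in parse(text):
        name = FC_NAMES.get(fc, f"fc {fc}")
        if (src, dst) not in baseline.pairs:
            alerts.append(("HIGH", ts, f"new talker {src} -> {dst} ({name})"))
            continue
        if fc not in baseline.fcs[(src, dst)]:
            # a host using a function code it never used is worst when that code is a write
            sev = "HIGH" if fc in WRITE_FCS else "MEDIUM"
            alerts.append((sev, ts, f"{src} -> {dst}: first use of {name}"))
        elif fc in WRITE_FCS and addr not in baseline.write_targets[dst]:
            alerts.append(("MEDIUM", ts, f"{src} -> {dst}: write to new address {addr}"))
    return alerts


if __name__ == "__main__":
    base = Baseline().learn(BASELINE_LOG)
    for sev, ts, msg in detect(base, LIVE_LOG):
        print(f"{ts} [{sev}] {msg}")
```

The learning window has to be long enough to cover normal maintenance activity, or the first legitimate engineering download after go-live will page someone; in practice the baseline is reviewed by the control engineers before it is enforced, and any alert on a write function code is treated as an incident until proven otherwise.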
In addition to automated threat detection and continuous monitoring, organizations should have rapid response processes and resources in place so they can move quickly to contain incidents. Proper backup policies, with restores tested in advance, should be in place so the organization can recover rapidly after a cybersecurity event. In some cases, a response may require that internal cybersecurity personnel be supplemented with external experts so that the organization is best positioned to respond effectively.
As OT and IT systems continue to converge, the threat of cyberattacks will increase. But defending OT environments from cyber incidents will require a different set of strategies, skills and tools than are currently used to protect IT. The good news is that the world is finally waking up to the OT risk and realizing the need to strengthen OT cybersecurity — significantly and urgently.