As operational technology (OT) systems become more intertwined with IT networks, they face new levels of cyber security risk. Protecting OT from cyberattacks has therefore never been more critical.
Even isolated OT networks can be subject to cyberattacks: attackers can install malware onto machines even without an Internet connection.
As part of its cyberdefense efforts, an OT organization must first identify any potential vulnerabilities that could allow attackers to gain access to sensitive data, disrupt services or cause other forms of damage.
Vulnerability management (VM) is a security practice focused on detecting known software flaws published by vendors or third parties, using automated tools and conducted by teams of security specialists.
Vulnerability management in OT environments can be especially complex due to legacy equipment that no longer receives security updates and the unpredictable nature of operations, meaning scanning systems for vulnerabilities is risky and applying patches may disrupt operations.
However, global efforts have begun to address these concerns and a consensus is currently developing around best practices and critical controls that will enable operational technology (OT) cybersecurity teams to harden their systems against attacks while decreasing risks of intrusion.
Operational technology (OT) presents attackers with an attractive target because of its highly connected nature and constant operation requirements, as well as complex equipment that is hard to replace or patch.
Vedere Labs of Forescout recently issued a report showing that operational technology (OT) systems are riddled with basic security flaws that can easily be exploited by malicious actors for remote code execution or credential compromise.
As such, it is crucial that organizations prioritize OT security efforts. Organizations should identify the most connected systems in their OT networks as well as the threats that attackers could leverage against those systems – this allows the organization to prioritize vulnerabilities based on how likely they are to be exploited and devise strategies to mitigate those risks.
An essential aspect of this strategy is ensuring OT assets are regularly backed up and whitelisted in lockdown mode, to help mitigate vulnerabilities quickly while simultaneously discouraging attackers from breaking into the system in the first place.
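The prioritization described above (exposure from connectivity combined with exploit likelihood, with unpatchable legacy gear routed to compensating controls rather than patching) as an added worked example; this is not code from the article. The asset links, findings, VULN-PLACEHOLDER identifiers and the 50/50 weighting are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str           # hostname of the affected OT asset (constructed)
    vuln: str            # placeholder identifier, not a real CVE
    exploit_prob: float  # estimated likelihood of exploitation, 0..1
    patchable: bool      # False for legacy gear that no longer gets updates


# Constructed, undirected network links between OT assets.
LINKS = [("hmi-1", "plc-1"), ("hmi-1", "plc-2"), ("hmi-1", "historian"),
         ("historian", "it-gateway"), ("plc-2", "eng-station")]

# Constructed vulnerability findings from an (assumed) passive assessment.
FINDINGS = [
    Finding("hmi-1", "VULN-PLACEHOLDER-1", 0.7, True),
    Finding("plc-1", "VULN-PLACEHOLDER-2", 0.4, False),
    Finding("eng-station", "VULN-PLACEHOLDER-3", 0.9, True),
    Finding("historian", "VULN-PLACEHOLDER-4", 0.2, True),
]


def connectivity(links):
    """Degree of each asset: how many other OT assets it talks to."""
    deg = Counter()
    for a, b in links:
        deg[a] += 1
        deg[b] += 1
    return deg


def risk_score(finding, degree, max_degree):
    """Exposure (degree normalized to the busiest asset) blended with
    exploit likelihood. Equal weighting is an assumption."""
    exposure = degree / max_degree if max_degree else 0.0
    return round(0.5 * exposure + 0.5 * finding.exploit_prob, 3)


def prioritize(findings, links):
    """Rank findings highest risk first and attach the recommended action:
    patch when possible, otherwise isolate/allowlist the legacy asset."""
    deg = connectivity(links)
    max_degree = max(deg.values(), default=0)
    ranked = []
    for f in findings:
        action = "patch" if f.patchable else "compensating control: isolate/allowlist"
        ranked.append((risk_score(f, deg[f.asset], max_degree), f.asset, f.vuln, action))
    return sorted(ranked, reverse=True)
```

With the constructed data the HMI ranks first because it is both the most connected asset and likely exploitable, while the unpatchable PLC is flagged for segmentation instead of a patch.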
For optimal protection of operational technology (OT), an integrated security strategy that combines traditional IT practices and tailored OT-specific cybersecurity solutions is key. This will allow organizations to identify vulnerabilities early, secure their environments against attacks, and monitor networks to prevent future threats.
Developing a Comprehensive Plan
One of the first steps in protecting OT from cyberattacks is creating a comprehensive plan. A strong plan will address community goals, policies, and actions in an organized fashion, making it easily accessible to elected officials, developers, and residents.
Planning begins by gathering data about the environment, traffic conditions, economic conditions, social conditions and land use in an attempt to assess current city conditions and plan for future requirements. Furthermore, it allows integration of other policy documents which address hazards into one central location.
Comprehensive plans outline community goals and policies while outlining approval criteria for development applications. A good comprehensive plan should be an easily read document which sets forth goals and actions necessary for the city’s continued growth in an orderly fashion.
Establishing an effective plan requires considerable time, energy, and resources; but the investment will pay dividends over time as your community becomes protected against cyberattacks and is able to develop a stronger economy.
Though OT cybersecurity faces threats from many sources, the three primary ones include hacktivists, employees and nation-states. These actors tend to be motivated by personal or professional goals such as revenge or notoriety.
As well as threat actors, the security landscape for OT systems is rapidly evolving. With more IT and OT assets coming together in mixed environments and traditional OT systems losing the ability to air-gap their equipment from external environments, new risks are emerging that threaten these critical systems.
As organizations integrate OT and IT networks and implement an expanded selection of security products and services, it will become ever more essential that these technologies and solutions be integrated into a comprehensive strategy for protecting OT from cyberattacks – known as defense in depth.
This strategy involves the implementation of numerous cybersecurity measures throughout both hierarchy and physical infrastructure layers. Key controls include firewalls, VPN/firewalls, IDS/IPS systems, network access control (NAC) devices and deception/obfuscation tools among many others.
Gartner advises combining IT cybersecurity controls aimed at the network and endpoint levels with operational technology-specific cybersecurity measures to create an OT/IT security program that aligns with overall risk management strategy decisions. They further advise creating a Chief Security Officer (CSO) role. Once appointed, this individual would ensure that all cybersecurity investments align with overall risk management strategy decisions and support an optimal balance of OT and IT investments.
Investing in Monitoring
Monitoring is an integral component of any successful project or program, helping identify key performance indicators, guide project development, and provide data that inform future planning decisions.
Monitoring can take many forms and be performed by various entities at multiple levels – it could involve an individual or team effort, or it may encompass multi-national programs on an international scale.
One effective strategy for increasing both the quality and quantity of monitoring data is to employ a systematic method for collecting and evaluating it. Although this can be a time-consuming endeavor requiring involvement from several individuals, its rewards will benefit both the organisation and the individuals involved.
Therefore, it is crucial that a formal system for recording and storing all monitoring data be created in order to quickly identify trends and patterns. This could involve either using simple spreadsheets or more sophisticated analytical tools such as machine learning.
Even so, most organizations do not use such systems – only 7% have formal monitoring strategies in place!
As organizations become more sophisticated over the coming decade, more will likely adopt comprehensive security approaches that incorporate formalised risk management strategies and centralized security operations centres. This may spark an explosion of the OT cybersecurity industry, with 70% of organizations expected to make their CISO responsible for their OT cyber-security efforts by 2021, up from 35% today.
To make sure this happens, the best approach is to create an effective monitoring strategy aligned with your business or organisation’s overall aims and needs. To accomplish this goal, excellent leadership and culture must exist, along with technology solutions that support the goals of your OT cybersecurity program.
Creating a Culture of Security
Establishing an effective security culture takes time and hard work. A successful security culture should involve employees working alongside managers in creating and enforcing effective cybersecurity policies and procedures.
Security policies and procedures must be easily accessible, achievable, and approved by leaders at all levels of an organization. They should also be supported by organizational structures that ensure accountability while upholding cybersecurity visions.
Employees need to be made aware of their responsibilities and how to report any breaches, which should be reinforced through clear, comprehensive security awareness training sessions that employees can revisit at a later date. Record and upload these training sessions so employees can review them whenever necessary.
Recognizing good cybersecurity behavior is another key element of creating a security culture. Recognizing acts such as blocking unsolicited calls or intercepting phishing emails keeps security awareness high, and can serve as a reward for employees who have shown exceptional commitment to meeting security goals in their organization.
An effective security culture rests upon the principles of a secure development lifecycle (SDL). An SDL serves as the framework for creating a lasting security culture by ensuring every software and system release undergoes strict requirements, threat modeling and testing processes.
Make cybersecurity part of employee evaluations so employees understand their responsibilities and are held accountable if they violate rules.
People within an organization will quickly follow in the footsteps of its leaders who display and advocate security awareness, especially within industries like transport or oil and gas.
Establishing a security culture within your company may not be simple, but the results can pay dividends when protecting assets from cyberattacks. To begin this journey, identify vulnerabilities and devise plans to address them.
An organization’s security culture should reflect its values, purpose, and mindset. Understanding its current state will enable you to map out an improvement plan. To do this, conduct a security culture survey – its results will show how your culture compares to that of other companies in your industry and where improvements may be necessary – helping you identify a path towards reaching your cybersecurity goals.