
Critical controls for world-class OT cybersecurity

How to align your leadership and implement a successful operational technology (OT) security posture

Promoted by Dragos
Tue, 27 Sep 2022

As operational technology (OT) cybersecurity becomes a top priority from boardrooms to the manufacturing floor, CISOs and their teams must implement proven strategies to protect the business. OT has long been underrepresented, leading to communication challenges, a cultural gap with IT, and uncertainty about how to move forward. Thankfully this is changing, with OT cybersecurity now getting the attention it deserves.

The 2021 Dragos Year in Review continues to provide meaningful insights into understanding the cyber risks surrounding industrial control systems (ICS)/OT environments. It adds context with evidence from the field of how industrial organisations are progressing in their cybersecurity readiness and where they need to continue their work. Building on this, we outline the key components of ensuring a world-class OT cybersecurity program.

Build the foundation with executive alignment

Before ICS teams can build a set of controls to support OT cybersecurity, they need buy-in and alignment from the top to create the foundation for a successful program. This is crucial because when cybersecurity strategies come from the bottom up, teams tend to address them with the resources they already have, which means many efforts aren’t resourced correctly. This opens the organisation to unnecessary risk and is hard to scale. Getting every plant manager educated and on board is rarely realistic, while putting the responsibility on leadership enables a bias for action. The ICS teams also need to help executives understand the risks and rewards of OT security. This can be done by sharing real-world scenarios of how much it would cost for a plant to go down, researching previous attacks, and explaining the difference between IT and OT security and what the cyber risk is of under-serving OT.

Prioritisation

Next, consider your package of controls. Start by asking executives for a top-to-bottom list of the most critical sites in the company, which will act as a prioritisation tool, enabling IT and OT to decide what systems and locations to focus on first. Use the scenarios from the initial conversations to establish how much priority each site should receive and how to balance operations across prevention, detection, and response. What you learn from the “A” sites, you can then apply to the “B” and “C” sites.

Collaboration between IT and OT

Many successful OT attacks originate in IT systems like remote access VPNs. To protect the business, IT and OT must work together, sharing technology – asset management is a great place to start. Done right, this collaboration eliminates duplication of effort, adds consistency, eliminates gaps in OT/IT interface points, and reduces complexity in the overall enterprise environment.

With leadership on board, sites prioritised, and IT/OT teams aligned, having the right critical controls is next.

1. An ICS-specific incident response plan

An OT incident response plan involves different device types, communication protocols, and the tactics, techniques, and procedures specific to industrial threat groups. Investigation requires a different set of tools and languages. Managing the potential impact of an incident is different for pipelines, electrical grids, and manufacturing plants. Create a dedicated plan that includes the right points of contact and thought-out next steps for specific scenarios at specific locations; tabletop simulation exercises can then test and improve the response plan.

2. A defensible architecture

OT security strategies start with hardening the environment: removing extraneous OT network access points, maintaining robust policy control at IT/OT interface points, and mitigating high-risk vulnerabilities. Perhaps even more important than a secure architecture are the people and processes to maintain it. Don’t underestimate the resources and technical skills required to adapt to new vulnerabilities and threats.

3. OT visibility

You can’t protect what you can’t see. Get an inventory of assets, map vulnerabilities against those assets (and mitigation plans), and actively monitor traffic for potential threats. This visibility validates the security controls implemented in a defensible architecture. Threat detection from monitoring allows for scaling and automation for large and complex networks, and monitoring can also identify vulnerabilities for action.

4. Secure remote access

Secure remote access is critical to OT environments, and multi-factor authentication (MFA) is a rare case of a classic IT control that can be appropriately applied to OT. Implement MFA across your systems of systems to add an extra layer of security for a relatively small investment. Where MFA is not possible, consider alternative controls such as jumphosts with focused monitoring, concentrating on connections in and out of the OT network rather than on connections inside the network.
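The jumphost-centred monitoring described above, as an added example that is not part of the original article: given flow records at the IT/OT boundary, it flags any connection crossing into or out of the OT network that does not pass through the approved jumphost, and deliberately ignores flows that stay inside the OT network. The OT address range, the jumphost address and the flow records are all constructed for the example.

```python
import ipaddress

# Constructed network layout: the OT network and the single approved jumphost on the IT side.
OT_NET = ipaddress.ip_network("10.20.0.0/16")
JUMPHOST = ipaddress.ip_address("10.10.5.20")

# Constructed flow records in the form "src dst dport".
FLOWS = """\
10.10.5.20 10.20.1.15 3389
10.20.1.15 10.20.1.30 502
10.10.7.44 10.20.1.15 22
10.20.2.9 203.0.113.8 443
10.20.1.30 10.20.1.31 44818
""".splitlines()


def crosses_boundary(src, dst):
    """True when exactly one endpoint is inside the OT network."""
    return (src in OT_NET) != (dst in OT_NET)


def flag_boundary_flows(lines):
    """Return boundary-crossing flows whose IT-side endpoint is not the jumphost.

    Flows entirely inside the OT network are skipped: the monitoring focus is
    on what enters and leaves OT, not on intra-OT traffic.
    """
    flagged = []
    for line in lines:
        src_s, dst_s, dport = line.split()
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        if not crosses_boundary(src, dst):
            continue
        it_side = dst if src in OT_NET else src
        if it_side != JUMPHOST:
            direction = "outbound" if src in OT_NET else "inbound"
            flagged.append((direction, src_s, dst_s, int(dport)))
    return flagged


if __name__ == "__main__":
    for hit in flag_boundary_flows(FLOWS):
        print("boundary flow bypassing jumphost:", hit)
```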

5. Key vulnerability management

Knowing your vulnerabilities and having a plan to manage them is a critical component of a defensible architecture. Over 1200 OT-specific vulnerabilities were released last year, the majority with incomplete or erroneous information. While patching an IT system like a worker’s laptop is relatively easy, shutting down a plant has huge costs. An effective OT vulnerability management program requires timely awareness of the key vulnerabilities that apply to the environment, with correct information and risk ratings, as well as alternative mitigation strategies to minimise exposure while continuing to operate.
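Controls 3 and 5 together with the prioritisation step above, as an added example that is not part of the original article: an asset inventory is matched against vendor advisories, the findings are ranked by the executives' site tier (A before B before C) and then by severity, each finding carries an alternative mitigation so the plant can keep running until an outage window, and advisories with missing version or score data are set aside for verification rather than acted on. The site list, inventory, product names and advisory identifiers are constructed placeholders.

```python
# Site tiers from the executives' top-to-bottom list (constructed sample).
SITE_TIER = {"refinery-north": "A", "pipeline-pump-7": "B", "packaging-line": "C"}
TIER_WEIGHT = {"A": 3, "B": 2, "C": 1}

# Constructed asset inventory: one record per OT device.
INVENTORY = [
    {"asset": "PLC-01", "site": "refinery-north", "product": "ExamplePLC", "version": "2.1"},
    {"asset": "HMI-03", "site": "pipeline-pump-7", "product": "ExampleHMI", "version": "5.0"},
    {"asset": "PLC-09", "site": "packaging-line", "product": "ExamplePLC", "version": "2.1"},
    {"asset": "PLC-12", "site": "refinery-north", "product": "ExamplePLC", "version": "3.0"},
]

# Constructed advisories with placeholder ids. An empty 'versions' list or a missing
# score stands in for the incomplete advisory data the article warns about.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "ExamplePLC", "versions": ["2.1"], "cvss": 9.8,
     "mitigation": "block the engineering port at the IT/OT firewall"},
    {"id": "ADV-PLACEHOLDER-2", "product": "ExampleHMI", "versions": [], "cvss": None,
     "mitigation": None},
]


def map_vulnerabilities(inventory, advisories):
    """Return (findings, needs_verification).

    findings: asset/advisory matches ranked by site tier, then CVSS, then asset name,
    each with a plan that prefers an alternative mitigation over an immediate patch.
    needs_verification: advisory ids whose version list or score is missing.
    """
    findings, needs_verification = [], []
    for adv in advisories:
        if not adv.get("versions") or adv.get("cvss") is None:
            needs_verification.append(adv["id"])
            continue
        for a in inventory:
            if a["product"] == adv["product"] and a["version"] in adv["versions"]:
                tier = SITE_TIER.get(a["site"], "C")  # unlisted sites default to lowest tier
                findings.append({
                    "asset": a["asset"], "site": a["site"], "tier": tier,
                    "advisory": adv["id"], "cvss": adv["cvss"],
                    "plan": adv["mitigation"] or "patch at next planned outage",
                })
    findings.sort(key=lambda f: (-TIER_WEIGHT[f["tier"]], -f["cvss"], f["asset"]))
    return findings, needs_verification


if __name__ == "__main__":
    ranked, unverified = map_vulnerabilities(INVENTORY, ADVISORIES)
    for f in ranked:
        print(f"[{f['tier']}] {f['site']} {f['asset']} {f['advisory']} -> {f['plan']}")
    print("needs verification:", unverified)
```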

Following these important steps can harden your OT security posture and better combat today’s most sophisticated threats. Get the free guide here.
