Many companies around the world with industrial operations environments, commonly referred to as operational technology (OT) environments, do not invest the same resources to protect OT systems as they do to secure their corporate enterprise environments. Yet, these same companies are investing significantly to transform these environments with modern technologies and techniques to improve productivity, become more efficient, increase worker collaboration through increased data analytics and achieve other benefits that will make the company more competitive through higher quality and cost-effective products.
Some of these new industrial process improvements include reduced latency through edge computing and 5G technologies, autonomous vehicles, robotics, cloud computing, industrial Internet of things (IIoT) devices, remote access and more. Yet, the age-old problem continues to exist whereby insufficient cybersecurity controls make these environments easy targets for cybercriminals and nation-state cyberattacks. The industrial OT environments are critical to a company’s financial well-being and, depending on what the company produces, may be essential for the functioning of the broader society and economy. A recent example is the semiconductor shortage that has impacted many companies that produce all types of electronic products, mobile phones and cars. The risk and impact of an OT attack are much higher than a cyberattack on these same companies’ corporate enterprise environment where they invest significantly today.
Most companies are taking shortcuts by looking for easy and cheap ways to protect their OT environments. This typically involves the purchase of OT intrusion detection system (IDS) technology that can help with device discovery, network visualization, some type of signature-based malware detection and device vulnerabilities. This is a good start, but this type of solution is far from a comprehensive security program that is required to mitigate the company’s risk from a broad set of OT threats.
In the corporate enterprise environment where companies have been investing in mature cybersecurity programs, a one-tool approach would be considered laughable and certainly would fail any compliance audit. So why are companies reluctant to invest in protecting their critical OT environments?
- Lack of governance: Companies have not established the roles and responsibilities for OT security. This is a critical step, and the trend is to assign the chief information security officer (CISO) this responsibility. This is because the CISO understands what a good security program requires. The CISO may not understand the OT environment, but this has not proven to be a significant issue.
- Lack of a quantitative risk assessment: Why quantitative? Because the business stakeholders will quickly support the need to invest in a cybersecurity program once they realize the financial impact to the business should they be unlucky enough to be attacked.
- Document “current state”: OT IDS products help with this activity but will not do it all. What type of insight do you need? You need a perspective on:
- People: Who needs access to the OT environment? Who already has access? How is this access managed? Is remote access common?
- Process: What are the industrial operations processes? What technologies support these processes? What processes are changing due to new digital transformation strategies?
- Technologies: Which devices support which industrial processes? Are there OT assets that are not connected to an IP network? How will these be protected? This inventory will be valuable for lots more than just security. For example, consideration should be given to integrating the OT device details into the company’s asset management system.
- Network Architecture: How is the network designed? Are leading practice security principles incorporated into the design? Many companies are digitally transforming their network infrastructure and leveraging 5G and WiFi. With OT original equipment vendors adding more industrial IoT capabilities to their new products, this should be a consideration and included in the security strategy.
- Threat Assessment: Which threats are relevant and which are not? It is very important to identify the threats that are relevant so that an effective and efficient security program can be developed to mitigate the risks.
- Vulnerability Assessment: What vulnerabilities exist currently? Are there associated controls in place to prevent the vulnerability from being exploited in a cyberattack?
- Data Discovery and Classification: What data is being produced and transmitted from the industrial environment? If you do not know, then data discovery, classification and protection must be added to the strategy and plan.
- Lack of an OT security strategy and plan: Once you understand the current environment, it is time to develop a cybersecurity strategy and plan to mitigate the risk of a cyberattack. This step seems logical, but it cannot be completed effectively without the first three steps. The quantitative risk assessment results establish the priorities. The plan should include techniques to continuously maintain visibility into all the areas referenced in step 3. It must have preventative controls put into place to protect known vulnerabilities. Finally, there must be solutions included to monitor the controls to make sure they are operating effectively. If they are not, there must be solutions to identify when a cyberattack is exploiting a vulnerability so that you can quickly respond to mitigate any impact to the business and quickly return to business as usual.
It is time that companies with OT environments start investing in their OT security programs. It will not be cheap or easy, so you should consider leveraging a trusted systems integrator with OT security experience.
Partner, Global OT Security Services Business Leader, IBM
With more than 30 years of experience in the Information Technology field, Rob Dyson has held technical and leadership positions while providing IT services ...