Operational technology (OT) uses hardware and software to monitor and control physical processes, devices, and infrastructure. Although the security of information technology and operational technology differs in multiple ways, IT and OT security intersect and converge as digital innovation increasingly requires OT systems to interact with IT business systems.
This means that OT systems that traditionally would not have been connected, and would have remained offline, are now being exposed in new ways as OT converges with IT networks. A multilayered defense strategy can protect both the IT and OT environments and curb cyberthreats early on.
Attacks on OT are diverse. Organizations are battling everything from amateurs pursuing a challenge to well-funded, organized, state-sponsored attacks, as well as insider attacks, both malicious and accidental, by negligent or disgruntled employees.
Securing the operational technology environment
A visible distinction between IT and OT security is that an attack on IT would likely result in data loss, whereas an attack on OT could affect the physical environment, the assets, and people. Put simply, OT controls equipment, while IT controls data. Securing the OT environment therefore needs to be approached differently from securing an IT environment, both in what needs to be secured and in how to secure it. OT security focuses protection measures on the physical environment.
As with most security projects, the first step is to establish the starting position: analyze the current security posture, identify the gaps, and define the desired outcomes so that the appropriate measures can be introduced through a strategy. Generally, an initial assessment could involve the following:
- An information gathering and investigative process to document the physical environment (the people, architecture, and technology).
- An evaluation of the documentation regarding network configurations, topology, and policies of the organization.
- Interviews with employees to uncover details missing from the documentation and build a more comprehensive picture of the environment and how it works.
- A technical assessment of the current cybersecurity posture by assessing the existing safeguards to identify the security gaps and other vulnerabilities.
- An analysis of best practice methodology to assess the potential risks.
- A risk assessment to appraise the level of risk associated with each vulnerability and to establish the risk appetite by considering the likelihood of an attack occurring, the possible extent of damage, and the recovery that would be required.
- The establishment of a realistic roadmap for implementing countermeasures to eliminate the threats and mitigate the risks, thereby improving the security posture.
OT security strategies to mitigate risks
Education and awareness training
Security awareness and education are always focal areas, and the same goes for OT security. General security awareness training is vital to inform users. For OT awareness training, the training framework should consider the risk posed to the operational side of the business. Cyberattacks and topics such as phishing, credential security, and physical device security should therefore be taught in the context of the operations: their potential impact on the operations, and on the ability to keep the operations running should a threat prevail.
Visibility and asset discovery
With the overlap and convergence of IT and OT, it is crucial to achieve visibility into systems and networks to identify any potential risk. Identifying the assets is essential to working out the risk areas and levels, and an OT asset inventory is beneficial for this. OT environments generally lack visibility, so automatic asset discovery technologies can help as well. Documenting in detail the operating systems, firmware, software, libraries, and interactions of the assets helps establish a better understanding of the OT environment. By discovering every device on the network (IT and OT), a degree of trust can be established for each device. Its behavior can then be monitored to continuously manage and control that trust level and act accordingly to secure the environment.
In OT, connectivity is essential; however, it is vital to get access control right. Establishing an access control regime for OT is critical because, unlike IT environments, OT environments often lack the same level of identity and access management. The same access control constraints adopted for IT should be adopted for OT to reduce the attack surface and maintain much-needed availability. Consideration should be given to identity and credential management, password control and security, multifactor authentication, and how remote access is used and managed, so that the right people have the appropriate assigned access.
The segmentation of networks
Segmenting networks provides a means to separate and control. Done carefully, segmentation makes threats easier to detect, and the separation adds a degree of protection by inhibiting spread. To achieve this effectively, it is important to understand how all the systems connect and interact. Keeping on top of these interactions is key, so that controls can be established within the network to secure each zone appropriately when something changes.
Continuous monitoring and incident management
Again, visibility is fundamental to identifying threats and managing incidents in a timely and effective manner. It is important to understand what you are looking at (the assets in the environment), where they sit in the network, how they interact with other assets, and the risk posed by their vulnerabilities. Analysis of behaviors in OT networks, especially when it is continuous, can yield intelligence about these aspects and highlight potential threats. Once this is in place, it is key to define roles and responsibilities: who will be monitoring, for what, and how an incident will be communicated and responded to if discovered. It all comes down to effective coordination and quick action, so knowing and sticking with the plan is essential. Threat monitoring and hunting are most effective when they are real-time. Done correctly, user and device behavior analysis and threat assessments can surface OT security insights and ensure continuous protection.
Patching OT software can be more complex than patching IT software; however, keeping software within the OT environment patched and up to date is just as important. The asset inventory for the OT environment will come in handy here and make the process easier. Legacy systems add a further level of challenge, as does the limited window in which patching can occur, since connectivity and system availability are essential. Where no patch exists for a vulnerability, the other defense layers described above may need to be relied on to limit the risk.
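Putting the asset inventory, the zone segmentation policy, and continuous flow monitoring from the sections above together, here is an added example that is not part of the original article: it checks constructed flow records against a constructed inventory and segmentation policy, flagging cross-zone flows the policy does not allow and devices that are not yet in the inventory. The addresses, zone names, trust levels and log format are all hypothetical.

```python
"""Added example: zone-aware review of OT network flows against an asset inventory."""

# Constructed asset inventory: address -> (zone, trust level). All values hypothetical.
ASSETS = {
    "10.10.1.5": ("cell-1-plc", "high"),
    "10.10.1.6": ("cell-1-plc", "high"),
    "10.10.2.20": ("supervisory-hmi", "medium"),
    "10.20.0.15": ("corporate-it", "low"),
}

# Constructed segmentation policy: the zones each source zone may talk to.
ALLOWED = {
    "supervisory-hmi": {"supervisory-hmi", "cell-1-plc"},
    "cell-1-plc": {"cell-1-plc"},
    "corporate-it": {"corporate-it"},
}

def classify_flow(src, dst, assets=ASSETS, allowed=ALLOWED):
    """Return 'unknown_asset', 'zone_violation' or 'ok' for one src -> dst flow."""
    if src not in assets or dst not in assets:
        return "unknown_asset"          # device missing from the inventory
    src_zone, dst_zone = assets[src][0], assets[dst][0]
    return "ok" if dst_zone in allowed.get(src_zone, set()) else "zone_violation"

def parse_flow(line):
    """Parse one 'key=value ...' flow record (constructed log format) into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def review_flows(log, assets=ASSETS, allowed=ALLOWED):
    """Check every flow; return (findings, addresses missing from the inventory)."""
    findings, discovered = [], set()
    for line in log.strip().splitlines():
        flow = parse_flow(line)
        verdict = classify_flow(flow["src"], flow["dst"], assets, allowed)
        if verdict != "ok":
            findings.append((flow["ts"], flow["src"], flow["dst"], verdict))
        # Anything seen on the wire but not inventoried feeds asset discovery.
        discovered.update(a for a in (flow["src"], flow["dst"]) if a not in assets)
    return findings, sorted(discovered)

# Constructed flow log: an allowed HMI-to-PLC flow, a corporate host reaching a PLC,
# and a flow from a device that is not in the inventory.
SAMPLE_LOG = """
ts=2024-05-01T08:00:01Z src=10.10.2.20 dst=10.10.1.5 dport=502
ts=2024-05-01T08:00:07Z src=10.20.0.15 dst=10.10.1.6 dport=502
ts=2024-05-01T08:00:09Z src=10.10.1.99 dst=10.10.1.5 dport=502
"""

if __name__ == "__main__":
    findings, discovered = review_flows(SAMPLE_LOG)
    for finding in findings:
        print(*finding)
    print("not in inventory:", discovered)
```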
Security policies must encompass operational technology security
It’s essential to expand security policies to encompass OT and to consider where OT and IT intersect, so that all potential security gaps are covered, especially as OT and IT converge. OT, if breached, could impact the physical environment and, depending on the systems involved, result in critical services being compromised with serious consequences.
As IT systems become more connected, their exposure and vulnerabilities increase; the same is true of OT systems as their connectivity grows. Achieving adequate visibility and control of these physical systems and establishing appropriate security policies is essential. An OT security strategy should therefore be a vital part of any overall security strategy.