Operational technology (OT) security is gaining more attention than ever before, but sufficient understanding of what it takes to prevent breaches is still lacking amongst many organisations.
With the digitisation of industrial processes, malicious actors can exploit security gaps in the informational technology (IT) and OT network to access and take down critical infrastructure. This can result in devastating consequences, and enterprises are well-aware of the need to strengthen their cybersecurity posture, especially after the SolarWinds and Colonial Pipeline incidents in 2021 exposed the vulnerabilities of industrial control systems (ICS).
However, one common flaw persists in a majority of companies’ OT protection strategies: an over-reliance on product security.
Understanding the challenge of OT cybersecurity
In many organisations, effective cybersecurity management of OT systems is currently lacking. This can arise from factors ranging from siloed teams, the lack of security controls to insufficient detection and response capabilities. Organisations have to ensure that their OT cybersecurity strategy accounts for unintentional weaknesses and adversarial tactics, such as insecure product design, unpatched vulnerabilities, tampered components, and malicious firmware upload.
Coupled with the challenge of finding skilled and experienced practitioners in this nascent field of OT cybersecurity, IT and facilities teams may lack the knowledge required to assess the cybersecurity posture of their infrastructure, let alone establish a robust industrial cybersecurity strategy.
For instance, one common misconception I have observed in conversations with customers is: I already have an enterprise firewall that is also protecting the ICS and plant network. Isn’t that enough?
Indeed, this is not sufficient, as such firewalls only provide a perimeter defense and are easy to misconfigure. Common flaws include setting the wrong order of rules, and leaving un-encrypted interfaces enabled. This provides loopholes for attackers to slip through the firewall.
Strengthen cyber resilience with a systems-level approach
Cyber resilience is all about achieving the right balance between proactive and reactive security controls. Cybersecurity frameworks can provide a good reference point for organisations to start with when developing a comprehensive OT cybersecurity strategy.
One such framework is the defense-in-depth principle, which involves the design and implementation of multiple layers of security around a product or system. This would significantly increase the time and effort required to compromise the system, and thus help to deter or detect any potential attacks.
This strategy has been included in numerous standards and regulatory frameworks, and can be applied to a wide range of OT systems such as ICS, Internet of Things (IoT) and SCADA (supervisory control and data acquisition) environments.
Applying the defense-in-depth principle to the firewall scenario, organisations can divide ICS networks into layers or zones based on control function. Each zone has a clearly defined border, and connections between the zones called ‘conduits’ can provide the security functions that allow different zones to communicate securely.
This concept of zones and conduits, found in the ISA/IEC 62443 security standard, is just part of one layer of a defense-in-depth strategy. In order to develop a holistic industrial cybersecurity program, an integration of people, processes and technology is necessary for its success.
The importance of people is highlighted in the U.S. National Institute of Standards and Technology (NIST)’s guide to OT security, which notes that security management and governance will guide the decisions made for the other defense-in-depth layers, and should thus be addressed before implementing the other aspects, such as physical and network security.
Of course, frameworks and international standards are descriptive documents. The effective implementation of OT security ultimately depends on the organisation’s commitment to make it a priority and the criticality level of OT systems. For example, many OT processes are required to be available 24/7. Sometimes, software updates and security patches are delayed as this requires a system reboot that disrupts production, and have to be scheduled days or weeks in advance. Ensuring that OT devices and systems are updated in a timely manner, even if at the expense of service availability, will ultimately require buy-in from the leadership team first.
When business leaders are cybersecurity advocates, this will trickle down to the implementation of processes and a culture that prioritises cybersecurity alongside other business objectives. Performance measurement indicators for OT teams, for instance, should emphasize metrics such as security incident response time, to reflect their role in contributing to the organisation’s cybersecurity defenses. Employees should also be encouraged to see cybersecurity as a shared responsibility, and have good cyber hygiene practices in place.
Staying ahead of evolving cyber threats
Opportunistic threat actors are constantly evolving to exploit vulnerabilities in the infrastructure architecture. By leveraging a defense-in-depth strategy, enterprises will be better equipped to leverage the benefits of digital technologies while protecting themselves against the growing threat of cyber attacks. Clear ownership and accountability will ensure that key stakeholders, be it from the leadership, IT or facilities team, are empowered to maintain the cybersecurity program, and ensure resilience in an ever-changing threat landscape.