As any good doctor will tell you, first you need to diagnose the patient before deciding on the cure. The same is true in cybersecurity: discovering your organisation’s most important assets is the first step towards understanding the risks and protecting them. But when it comes to operational technology (OT), this is easier said than done.
Securing OT comes with a particular set of challenges, which I outlined in my first blog from the recent BT Ireland Secure-OT 23 event. The second in the series looked at why “security through obscurity” is no longer an effective strategy now that OT systems are being connected to the internet. Now in part three, let’s turn our attention to solving those challenges, and to how a network map and asset inventory can uncover the systems you have and the vulnerabilities they carry.
What came through clearly from many of the expert presentations at the event is that OT has specific characteristics that make it very different from IT. These systems were designed to work in industrial or manufacturing settings for years – far longer than the lifespan of the average laptop or server.
Mapping the territory
OT systems are not only hard to find; to complicate things further, they often run critical services for organisations. “A lot of our systems in OT are old, outdated hardware and software, functioning fine, but they can't just be taken offline. It's not that easy just to do a large stop,” said Trish McGill, a subject matter expert in OT and IT. “OT is a layered architecture with many different controls, systems and processes.”
To understand what they’re dealing with, organisations need an inventory. “How can you protect something if you don’t know what you have?” Trish asked. Simon McDonald, industrial control consultant at BT, echoed this point in his presentation: “The first step will always be to understand your assets.”
Attendees heard that some organisations aren’t as mature in their security and still struggle with this step of documenting what’s on their network. Speakers said that in conversations with the chief information security officers (CISOs) responsible for OT security in manufacturing companies, some admit they don't know what’s connected to their IT network.
Why visibility matters in OT security
That’s why Paul Donegan, Ireland country manager with Fortinet, said visibility is the fundamental building block of OT security. “Most organisations don't really have the visibility, they don’t have the tool sets. Even those that have a schematic or a blueprint of the organisation, in most companies that may be 20 years old, that their network diagrams might be there. But they still don't know, in the interim, what has been added in,” he said.
Fortunately, technology platforms from vendors like Fortinet and Nozomi Networks can help organisations map the assets connected to their OT infrastructure. These help security professionals to understand how those systems interact with each other. Once they establish a baseline for what a normal pattern of behaviour looks like, it becomes easier to spot any signs of suspicious activity.
“It allows you to kind of have a much richer view of what’s actually going on. And from an OT security and anomaly detection perspective, it becomes easier to actually identify who are the, let's call them malicious actors, or the devices that have unwanted behaviours,” said Aengus Gorey, security systems engineer with Analog Devices.
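The passive asset discovery and baselining described above, as an added illustration that is not code from the original post or from any of the vendors named in it. It assumes a feed of flow records (timestamp, source, destination, destination port, protocol) such as a network tap or span port would produce; the flow lines below are constructed sample data. A first observation window builds the inventory and the set of known communication paths, and later flows are compared against it: an endpoint never seen before, a known device exposing a service it never exposed before, or a known service reached from a new source each becomes a finding.

```python
from typing import Dict, List, Set, Tuple

# A flow record: (timestamp, src_ip, dst_ip, dst_port, protocol)
Flow = Tuple[str, str, str, int, str]

# Constructed sample data (not real traffic): a quiet observation window used as the baseline...
BASELINE_FLOWS = """\
2024-01-01T08:00:01 10.10.1.5 10.10.2.20 502 modbus
2024-01-01T08:00:03 10.10.1.5 10.10.2.21 502 modbus
2024-01-01T08:00:07 10.10.1.6 10.10.2.20 502 modbus
2024-01-01T08:01:00 10.10.1.5 10.10.1.50 44818 enip
"""

# ...and a later window containing three departures from that baseline.
LATER_FLOWS = """\
2024-01-02T08:00:01 10.10.1.5 10.10.2.20 502 modbus
2024-01-02T08:00:10 10.10.1.6 10.10.2.21 502 modbus
2024-01-02T08:02:30 10.10.3.99 10.10.2.20 502 modbus
2024-01-02T08:03:00 10.10.1.5 10.10.2.20 22 ssh
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((ts, src, dst, int(port), proto))
    return flows


def build_inventory(flows: List[Flow]) -> Dict[str, Dict[str, Set]]:
    """Asset inventory learned passively: every host seen, the services it
    exposes (port, protocol) and the peers it talks to / hears from."""
    inventory: Dict[str, Dict[str, Set]] = {}

    def entry(host: str) -> Dict[str, Set]:
        return inventory.setdefault(
            host, {"services": set(), "talks_to": set(), "heard_from": set()}
        )

    for _, src, dst, port, proto in flows:
        entry(src)["talks_to"].add(dst)
        entry(dst)["heard_from"].add(src)
        entry(dst)["services"].add((port, proto))
    return inventory


def detect_anomalies(baseline: List[Flow], observed: List[Flow]) -> List[dict]:
    """Compare observed flows against the baseline inventory and known paths.
    Findings are ordered by severity of the check that fires first:
    new_host (unknown endpoint) > new_service (known device, unseen service)
    > new_path (known service, unseen source)."""
    inventory = build_inventory(baseline)
    known_paths = {(s, d, p, pr) for _, s, d, p, pr in baseline}
    findings: List[dict] = []
    for ts, src, dst, port, proto in observed:
        if src not in inventory or dst not in inventory:
            kind = "new_host"
        elif (port, proto) not in inventory[dst]["services"]:
            kind = "new_service"
        elif (src, dst, port, proto) not in known_paths:
            kind = "new_path"
        else:
            continue  # matches the baseline exactly; nothing to report
        findings.append(
            {"kind": kind, "time": ts, "src": src, "dst": dst, "port": port, "proto": proto}
        )
    return findings


def run_example() -> List[dict]:
    """Run the constructed sample through the detector."""
    return detect_anomalies(parse_flows(BASELINE_FLOWS), parse_flows(LATER_FLOWS))


if __name__ == "__main__":
    for host, facts in sorted(build_inventory(parse_flows(BASELINE_FLOWS)).items()):
        print(host, sorted(facts["services"]), sorted(facts["talks_to"]))
    for finding in run_example():
        print(finding)
```

On the sample data the detector reports a known HMI reaching a second PLC (new_path), an address that never appeared during baselining (new_host), and SSH arriving at a PLC that previously only spoke Modbus (new_service). In practice the baseline window has to be long enough to cover scheduled maintenance and batch-change traffic, or those legitimate but infrequent flows will surface as findings on their first recurrence.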
Two steps to security
Simon McDonald built on this, describing a two-step process: first understand the state of the network, then put in place the processes, policies and governance to manage its security and assign responsibility to the relevant parts of the team.
Forward-thinking organisations are moving towards this model of asset-centric security. This has lots of benefits at a technical level, because it means that attackers don’t have full access to the network even if they get past the first line of defence.
Aengus Gorey talked about trustable devices as “a foundation stone of your asset map”. “Look at embedding trust and setting up roots of trust. If a device within a network can establish its credentials, it allows you to build trusted zones … so if a device can’t verify what it is, it can be isolated within the network.”
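The trusted-zone idea in that quote, as an added illustration that is not code from the original post or from Analog Devices. It assumes each inventoried device holds a per-device secret (a stand-in for the certificate or hardware root of trust a real deployment would use; the keys and zone table below are constructed) and proves possession of it by answering a fresh challenge. A device that is not in the inventory, fails the check, or replays an old answer is placed in a quarantine zone instead of the zone it claims.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed inventory (hypothetical device ids and keys, not from any real site).
# In practice the key would live in a secure element on the device and the
# verifier would hold only a certificate or public key.
DEVICE_KEYS: Dict[str, bytes] = {
    "plc-01": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "hmi-02": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}

# Zone each known device belongs to once it has proven its identity.
ZONE_BY_DEVICE: Dict[str, str] = {"plc-01": "control", "hmi-02": "supervisory"}
QUARANTINE = "quarantine"


class ZoneGate:
    """Network-side verifier: issues challenges, checks responses, assigns zones."""

    def __init__(self) -> None:
        self._outstanding: Set[bytes] = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def assign_zone(self, device_id: str, nonce: bytes, response: bytes) -> str:
        # A challenge may be answered once; a replayed (or never-issued) nonce fails.
        if nonce not in self._outstanding:
            return QUARANTINE
        self._outstanding.discard(nonce)

        key: Optional[bytes] = DEVICE_KEYS.get(device_id)
        if key is None:
            return QUARANTINE  # not in the asset inventory at all

        expected = hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return QUARANTINE  # claims a known identity but cannot prove it

        return ZONE_BY_DEVICE.get(device_id, QUARANTINE)


def device_respond(device_id: str, key: bytes, nonce: bytes) -> bytes:
    """What the device side computes from its own key and the challenge."""
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


def run_scenarios() -> Dict[str, str]:
    """Exercise the gate with a genuine device, a cloned id, an unknown device
    and a replay; returns the zone assigned in each case."""
    gate = ZoneGate()
    results: Dict[str, str] = {}

    n = gate.issue_challenge()
    results["genuine"] = gate.assign_zone("plc-01", n, device_respond("plc-01", DEVICE_KEYS["plc-01"], n))

    n = gate.issue_challenge()
    results["wrong_key"] = gate.assign_zone("plc-01", n, device_respond("plc-01", b"guessed-key", n))

    n = gate.issue_challenge()
    results["unknown_device"] = gate.assign_zone("rogue-09", n, device_respond("rogue-09", b"anything", n))

    n = gate.issue_challenge()
    good = device_respond("hmi-02", DEVICE_KEYS["hmi-02"], n)
    results["first_use"] = gate.assign_zone("hmi-02", n, good)
    results["replay"] = gate.assign_zone("hmi-02", n, good)  # same nonce and answer again
    return results


if __name__ == "__main__":
    for scenario, zone in run_scenarios().items():
        print(f"{scenario:15s} -> {zone}")
```

The device id is bound into the signed message so that a valid answer from one device cannot be presented under another device's name, and the verifier tracks outstanding nonces so a captured answer is worthless once used. Quarantine here is simply a label; the enforcement point would be the switch port or firewall policy that the label drives.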
Business benefits of better resilience
At a business level, visibility also helps organisations to know where the risk lies so they can build a strong business case for investing in OT security. It also guides them towards making better-informed decisions about which systems need the most protection, which improves business resiliency. This is the vital ability for an organisation to withstand a security incident without affecting its operations. The conference heard of many examples in organisations that were unprepared for a cyberattack, and had to either shut down production, or go back to using pen and paper processes because they couldn’t use their technology.
“If you don’t know the size of the problem, how are you going to fix it?” asked Richard Bainbridge, General Manager for the Cyber Security Portfolio at BT. “There’s no point in putting OT protection into 200 sites if ten of those are the ones that are really critical for your business if they go down and you can’t come back from them. Focus on protecting those.”
Making operational technology more secure is the goal, and there are clear steps to achieving it. Once you know what you have, it’s easier to make decisions about protecting it. When you see it, you can secure it. Or as Trish McGill likes to say: “You connect, you protect.” In the final blog in the series, we’ll look at some of the best practices to follow along that journey.
Paul McEvoy is a seasoned professional with an extensive understanding of the cybersecurity industry. With a comprehensive technical knowledge of security products, services, vendors, and processes, Paul helps customers to navigate the evolving threat landscape and avail of governance frameworks to manage their security more effectively. Currently serving as a Cyber Security Deal Architect at BT Ireland, Paul strategically drives BT’s Global Security Services through innovative marketing campaigns, industry events and workshops.