Most organisations have years of experience in securing their IT systems, but OT is new territory for them. Industry standards and frameworks can help to guide this necessary work, win support from the business, and target investment to where it’s needed most.
In the earlier blogs in this series, I covered the challenges involved in securing operational technology now that these systems are increasingly connected to the internet, and therefore discoverable and exposed to attack. The material for this series comes from BT Ireland’s inaugural OT-23 cybersecurity event, which took place in Dublin featuring expert speakers from industry.
As the event heard, the risks to OT are growing: many of these systems run outdated hardware and software, which leaves them vulnerable to well-known, often years-old, malware. And for OT that is running critical industrial control systems or manufacturing lines, simply taking them offline to patch them is not an option.
But now it’s time to look at a more positive outlook in OT that aims to help solve these challenges. Our third blog looked at why it’s important for security professionals to map the assets in their OT systems, so they can identify where to focus their protection.
How industry frameworks help to secure OT
In the fourth and final blog in this series, we’ll look at why security frameworks and standards are so important in an operational technology environment. We’ll also cover ways to win investment for projects to make OT systems more secure. Lastly, we’ll talk about the importance of having a clear incident response plan.
There are many helpful security frameworks, such as the NIST Cybersecurity Framework, ISA/IEC 62443, the ISO 27000 series, the CIS Critical Security Controls, or the Network and Information Security (NIS) Directive. Until now, many organisations have been carrying out a range of security activities without following a common set of guidelines, which leads to confusion and makes it difficult to communicate upwards to other stakeholders.
Simon McDonald, industrial control consultant at BT, recommended choosing a single standard in full rather than a piecemeal approach. “You've got to follow a standard. It doesn’t make much sense picking off small parts of a task to follow. You’ve got to start the journey as a whole, pick your framework and follow it through,” he said.
Guiding the OT security journey
The Cyber Maturity Assessment is based on the ISA/IEC 62443 standard; this can be a useful framework to start the OT security journey. Simon said it can guide next steps such as staff security training, and help in forming a plan with assigned roles.
One advantage of following a framework is that it gives organisations a method to assess the current state of security in their OT architecture and network, and identify what areas to focus on. “We’ve seen a significant uptick in the number of organisations following them,” said John Golden, regional director for UK and Ireland with Nozomi Networks.
Winning investment for improving OT is critical, and working to an agreed standard can help these efforts, added John. Using a security standard throughout the organisation provides a common language to communicate to executive level, the board, or budget holders, to gain support for their work.
Securing budget for protecting OT
And speaking of convincing budget holders, the audience heard that it can help to talk about OT security as part of the bigger picture, and link it to the business strategy rather than treating it like a standalone project. For example, an organisation might want to segment its network to reduce the risk of an attacker gaining access and having free rein within a company’s infrastructure. “Sell the network segmentation project to the business as part of doing digital transformation securely,” suggested Ben White, OT business development manager for cybersecurity with Fortinet.
Obviously, budgets are finite, so it’s essential to know where the risks in the OT infrastructure are, and which are the most critical. This way, organisations can prioritise investment and direct the spending to where it’s likely to have the biggest effect. “Make sure the stuff you need to do is within the figure that you’re going to get,” said Richard Bainbridge, General Manager for the Cyber Security Portfolio at BT.
Phil Page, Director of Business Development and Partner Technologies with Nozomi, pointed out that growing numbers of organisations are adopting cloud-based risk assessments to automate the information gathering process about their OT devices, and understand the risk profile associated with them. “Sometimes the easiest fix is not necessarily the most expensive.” There are targeted ways to reduce or mitigate risks to OT systems, such as upgrading the Windows XP Service Pack, he added.
Improving the current state of security
One of the values of this risk assessment exercise is to understand the OT environment in an organisation: how and where it interconnects, and what devices are on it. That in turn helps security professionals to know where to apply segmentation.
We returned to the theme of getting senior management on board with OT security. The visibility solution that an organisation uses for its OT needs to make it easy for management to understand what’s happening.
When discovering what’s on the network, it’s worth keeping in mind that the aim is to improve the current state. “I always tell customers and partners, if the best that we can get is 90%, let’s do 90%. There’s no such thing as perfect continuous monitoring within OT. However, going from 0% to 90% is still, of course, a huge win. The classic saying is, ‘don’t let perfect be the enemy of good’,” said Page.
The importance of response planning
Keeping with this idea, he said it’s vital for organisations to plan for when an incident happens – there’s no such thing as perfect security. Rehearsing what could happen in the event of an outage is a key part of recovery planning. “In the past, there are examples of organisations that were hit by a cyberattack that they detected, but they weren’t able to respond to it,” said Page.
The response plan needs the combined input of OT and IT security teams, said Abiodun Shutti, senior cybersecurity consultant with BT. He added that it’s important to be able to isolate a system if it’s been affected, to avoid the risk spreading to other parts of the OT environment. It’s also important to keep monitoring for unusual activity on the network. This applies not just to obvious attempts at attack, but also to making sure that existing suppliers are keeping to the same level of security. “When vendors and third parties are connecting to your environments, are they meeting all the standards?”
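To make the two points above concrete, namely knowing where to apply segmentation and continuously checking that third parties only reach the environment through the agreed path, here is an added example of the kind of check a security team might run over its own flow records. It is not code from the OT-23 speakers or from any vendor product. It uses the zones-and-conduits idea from ISA/IEC 62443: assets are grouped into zones, and only explicitly approved conduits (source zone, destination zone, port) may carry traffic between them. The zone names, address ranges, ports, vendor network and flow records are all constructed for illustration.

```python
"""Zone/conduit policy check over constructed OT flow records.

Added example, not taken from the OT-23 event or any vendor tool. All
zones, addresses, ports and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zones: an ISA/IEC 62443-style grouping of assets by trust level.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz":        ip_network("10.10.0.0/24"),
    "control":    ip_network("192.168.10.0/24"),
    "safety":     ip_network("192.168.20.0/24"),
}

# Approved conduits as (src_zone, dst_zone, dst_port). Anything else is a finding.
CONDUITS = {
    ("enterprise", "dmz", 443),      # historian mirror / web reporting in the DMZ
    ("dmz", "control", 502),         # Modbus/TCP polling from the DMZ collector only
    ("control", "control", 502),     # controller-to-controller Modbus/TCP
    ("control", "control", 44818),   # EtherNet/IP between controllers
    ("safety", "safety", 502),
}

# Constructed vendor remote-access range (TEST-NET-3). Vendors may only reach
# the DMZ jump host on 443; everything else is a third-party policy breach.
VENDOR_NETS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its zone name, 'vendor', or 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in VENDOR_NETS):
        return "vendor"
    return "unknown"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason if the flow violates the zone/conduit policy, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "vendor":
        if dst_zone == "dmz" and flow.dport == 443:
            return None
        return f"vendor host {flow.src} reached {dst_zone} zone directly on {flow.dport}"
    if dst_zone == "safety" and src_zone != "safety":
        return f"{src_zone} -> safety: safety zone must not be reachable from other zones"
    if (src_zone, dst_zone, flow.dport) not in CONDUITS:
        return f"{src_zone} -> {dst_zone}:{flow.dport} not in an approved conduit"
    return None


def find_violations(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that breaks policy together with the reason."""
    return [(f, reason) for f in flows if (reason := check_flow(f))]


# Constructed flow records, e.g. exported from a passive OT monitoring sensor.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.10.0.5", 443),           # enterprise -> DMZ: approved
    Flow("10.10.0.5", "192.168.10.11", 502),       # DMZ collector -> PLC: approved
    Flow("10.0.5.20", "192.168.10.11", 502),       # enterprise -> PLC: bypasses DMZ
    Flow("203.0.113.7", "192.168.10.11", 3389),    # vendor RDP straight to control zone
    Flow("203.0.113.7", "10.10.0.5", 443),         # vendor -> DMZ jump host: approved
    Flow("192.168.10.11", "192.168.20.5", 502),    # control -> safety: not allowed
    Flow("192.168.10.11", "192.168.10.12", 44818), # PLC -> PLC EtherNet/IP: approved
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{flow.src}:{flow.dport} -> {flow.dst}  {reason}")
```

Run against the constructed sample, the check flags three flows: the enterprise host that bypasses the DMZ, the vendor connecting directly into the control zone, and the controller reaching into the safety zone. The same logic applied to real flow exports gives a repeatable answer to the question raised above, whether third parties are actually meeting the agreed standard, and highlights exactly where a segmentation boundary is missing.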
The OT-23 cybersecurity event was packed full of useful information, with many takeaways. I would describe the tone of the day as realism: there’s no denying the threats, risks and challenges with OT. There’s work to be done. But knowing there are clear steps to take, and frameworks to set out the path, means there’s motivation to start on the road.
Paul McEvoy is a seasoned professional with an extensive understanding of the cybersecurity industry. With a comprehensive technical knowledge of security products, services, vendors, and processes, Paul helps customers to navigate the evolving threat landscape and avail of governance frameworks to manage their security more effectively. Currently serving as a Cyber Security Deal Architect at BT Ireland, Paul strategically drives BT’s Global Security Services through innovative marketing campaigns, industry events and workshops.