With the rise in breaches that exploit unpatched vulnerabilities, securing your operational technology is more relevant than ever. But where should you start?
When I first began my career over 25 years ago working with PLCs, DCS, and other industrial automation systems, the overall threat landscape and the approach to securing Operational Technology (OT) networks (also known as Industrial Control Systems, or ICS) were immensely different from what they are today. In those days, we largely relied on air gapping (i.e., ensuring that the ICS networks were never connected to the internet or to corporate networks) to secure those critical production systems. While not perfect (see Stuxnet), the practice was largely effective and widely adopted throughout the industry as a security measure. In today’s world, however, air gapping is often not a practical solution: business requirements demand remote connectivity and real-time visibility into operational metrics, which requires interconnecting IT business systems and ICS environments.
The convergence of IT and OT systems, with data flowing between the corporate network and OT systems, has greatly complicated the process of securing them. As a result of high-profile attacks as well as increasing industry and government regulations, corporations have begun building more robust cybersecurity programs and implementing technological controls to improve their security posture. Still, even for companies that have built corporate security programs, it can be difficult to adapt corporate IT security policies and controls to OT environments.
In IT environments, patch management policies may require that high-severity vulnerabilities are addressed within days. In OT environments, it may not be practical (or in some cases even advisable) to patch systems for months, if at all. Additionally, there is a personnel and equipment safety concern with OT networks that is simply not a consideration in IT environments. While IT policies and programs can provide an excellent starting point for building a company’s OT security program, IT and OT personnel should work closely together to determine how to best secure OT networks while considering the unique operational and safety requirements of those environments.
Fortunately, there are a plethora of free and open-source resources available to help companies build cybersecurity programs for both IT and OT environments. SANS, the Center for Internet Security, and the National Institute of Standards and Technology all provide excellent resources for helping companies develop and mature their cybersecurity programs.
Nevertheless, even with all these available resources, it can be daunting to know where to begin, especially when it comes to OT systems, due to their unique demands. To that end, SANS published a whitepaper outlining the five most critical cybersecurity controls for OT networks.
According to the paper, the five critical controls are:
- ICS Incident Response
- Defensible Architecture
- ICS Network Visibility and Monitoring
- Secure Remote Access
- Risk-Based Vulnerability Management
As evidenced by the title, the whitepaper’s aim is not to provide guidance on building a comprehensive cybersecurity policy for OT/ICS networks; rather, it is to describe the minimum required controls. Additionally, it should be noted that while these controls will be part of almost any regulatory compliance program, they are not sufficient for meeting compliance in and of themselves. In other words, these controls are the “first step” building blocks of a comprehensive cybersecurity program.
For anyone struggling with where to start, I would encourage you to read the SANS guidance, if for no other reason than to provide a reference to begin discussion amongst management, IT, OT, and safety personnel. As always, the Keller Schroeder team is here to assist your team in building your IT and OT cyber programs or in implementing specific controls to secure your networks. Please reach out to our Security Solutions Group to talk with one of our team members, no matter where you and your team find yourselves in this journey.
If you need any assistance with understanding the details within the advisory, understanding your current cybersecurity posture, your preparedness for a breach, or any other cybersecurity topic, we would love to have a discussion with you. Contact us today, and let’s chat about your environment and ways to lower your chances of becoming a victim of cybercrime.