
The level of asset risk that OT operators are exposed to varies by industry and by the asset security management practices they have adopted.
Assets lie at the heart of almost every security measure an OT operator adopts. So it is essential to get your asset security strategy right in order to minimize your overall risk exposure.
What are the practices that can help improve asset security and reduce risk exposure? Let us explore the answers.
10 steps for improved OT or ICS asset security
Step 1: Determine the unique security requirement for each asset
The first step towards improving asset security involves understanding the unique security level required for each asset. An asset could require a higher level of security because it is mission-critical to the business, because it is a legacy system, or because it has an unpatched vulnerability.
Thus, an asset threat index for determining the security levels for each asset on the shop floor cannot be a static one. It has to be dynamic to account for the forces that are shaping the asset risk levels in an organization.
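One way to make such an index dynamic is to compute it from the asset's current state on every call. This is an added example, not Sectrio's scoring model: the weights, the 180-day aging curve and the asset shown are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed weights, not from any standard; tune them to your own risk model.
W_CRITICALITY, W_LEGACY, W_VULN = 0.5, 0.2, 0.3

@dataclass
class Vuln:
    cvss: float              # base score, 0-10
    disclosed: date
    patched: bool = False

@dataclass
class Asset:
    name: str
    criticality: int         # 1 (low) to 5 (mission-critical), set by the business
    legacy: bool             # True when the OEM no longer supports the device
    vulns: list = field(default_factory=list)

def vuln_pressure(asset, today):
    """0..1: worst unpatched CVSS, weighted up the longer it stays open."""
    worst = 0.0
    for v in asset.vulns:
        if not v.patched:
            age_days = max(0, (today - v.disclosed).days)
            aging = min(1.0, 0.5 + age_days / 360)  # 0.5 at disclosure, 1.0 from day 180
            worst = max(worst, v.cvss / 10 * aging)
    return worst

def threat_index(asset, today):
    """0..100, computed from current state on every call, never stored."""
    score = (W_CRITICALITY * asset.criticality / 5
             + W_LEGACY * (1.0 if asset.legacy else 0.0)
             + W_VULN * vuln_pressure(asset, today))
    return round(100 * score, 1)

def demo():
    """Constructed PLC: the index moves as a vulnerability appears, ages, is patched."""
    day0 = date(2024, 1, 1)
    plc = Asset("plc-line-1", criticality=5, legacy=False)
    history = [threat_index(plc, day0)]                            # no known vulns
    vuln = Vuln(cvss=8.0, disclosed=day0)
    plc.vulns.append(vuln)
    history.append(threat_index(plc, day0))                        # just disclosed
    history.append(threat_index(plc, day0 + timedelta(days=180)))  # still open
    vuln.patched = True
    history.append(threat_index(plc, day0 + timedelta(days=181)))  # patched
    return history
```

Calling `demo()` returns the same asset's index at four points in time, which is the behaviour a static, assign-once rating cannot give you.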
Step 2: Put a policy in place for managing security during procurement
We have seen that in many cases security challenges emerge long after the device is installed, and in some cases the OEM does not respond in time to address them.
By having a policy in place, the vendor can be made to provide a higher level of security assurance to the customer.
Further, the procurement team, including the end users, can then use this policy as a guide to request more information or to place security conditions that must be fulfilled before or after procurement, as the situation demands.
Step 3: Conduct a Security Acceptance Test each time a new asset is added
No asset should be added to the infrastructure without conducting a Security Acceptance Test. The test should verify:
- The ability of the device to retain data and command integrity under various scenarios of usage including extreme ones
- The ability of the device to withstand code-level manipulations
- The presence of backdoors or Trojans. The bill of materials can also be checked to ensure that all components have been derived from verified entities and the documentation is in order
- Its present level of security using penetration testing
- The presence of vulnerabilities, if any
If doubts about the asset emerge at a later stage, a fresh test can be conducted.
Step 4: Use a mix of OT Security standards for handling assets
You can read more about this in a previous Sectrio blog post on OT asset security. In that article, we do an in-depth analysis of the relevant standards that you can follow to improve asset security and to benchmark your internal security measures.
The most common standards that you can rely on are IEC 62443-2-1, IEC 62443-4-2:2019, IEC TS 62443-1-1, and various NIST CSF categories. Drawing on several standards helps you take the best practices from each and secure assets with the best possible set of security measures.
Access Sectrio’s compliance kits to learn and understand more about these standards.
Step 5: Train to raise actionable awareness in Industrial cybersecurity
Each employee should be aware of best security practices and company policies when it comes to asset security. OT operators must ensure that their employees are trained in best practices and operate with a high level of security sensitivity and responsibility. You can read about how to train your employees on OT security here.
Step 6: Periodic ICS risk assessment and gap analysis
The recommended cycle for an OT security risk assessment and gap analysis for an OT critical infrastructure operator is once every 6 months. Non-critical infrastructure OT operators can do a risk assessment exercise at least once every 9 months. Here are the essential factors to keep in mind when conducting an OT security risk and gap assessment:
- The report that is generated from such an exercise should be actionable with each security issue prioritized for remediation with recommended timelines
- The assessment should be conducted by an independent vendor
- Post-assessment the vendor should conduct a workshop to inform all key stakeholders about the findings and the recommended next steps
- At the bare minimum, the assessment should be based on IEC 62443-3-2
- The assessment should be OT-focused
- The report should compare best practices followed across industries and recommend them
More information on how you can do a comprehensive OT risk assessment and gap analysis is available here.
Step 7: Focus on patch discipline
Every patch should be applied within a certain period as dictated by an OT security policy. If the patch is not deployed for any reason, then step 8 should be followed.
Know more about Sectrio’s Patch Management program
Step 8: Deploy OT micro segmentation
As opposed to network segmentation, OT micro segmentation involves the creation of zones to house critical and/or legacy assets with an added level of security. The extra layer of security comes from the additional controls that are deployed in the zone. Assets in this zone will be allowed to transact only certain approved interactions with the rest of the network. Micro segmentation enables the adoption of a true zero-trust approach for security.
Microsegmentation also enables the prevention of lateral malware movement in case of a breach. More information can be found here.
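The "only certain approved interactions" rule amounts to a default-deny allowlist at the zone boundary. The following added example (not Sectrio's product logic) checks flow records against such a list; the zone subnet, addresses, approved pairs and sample flows are all constructed, and each record is assumed to describe a connection initiation.

```python
from ipaddress import ip_address, ip_network

# Constructed zone and policy; addresses, roles and the rule set are illustrative.
ZONE = ip_network("10.20.30.0/28")   # micro-segment housing legacy PLCs
APPROVED = {                          # (peer outside zone, asset in zone, proto, dst port)
    ("10.20.1.10", "10.20.30.2", "tcp", 502),     # HMI -> PLC, Modbus/TCP
    ("10.20.1.15", "10.20.30.2", "tcp", 44818),   # engineering station -> PLC, EtherNet/IP
}

def evaluate(flow):
    """Verdict for one (src, dst, proto, dst_port) flow at the zone boundary."""
    src, dst, proto, port = flow
    src_in, dst_in = ip_address(src) in ZONE, ip_address(dst) in ZONE
    if src_in == dst_in:
        return "not-boundary"      # both inside or both outside: not this policy's job
    if dst_in and tuple(flow) in APPROVED:
        return "allow"
    return "deny"                  # default deny, including anything the zone initiates

def denied(flows):
    """Boundary flows the policy rejects; each one deserves an alert."""
    return [f for f in flows if evaluate(f) == "deny"]

# Constructed flow records, e.g. as exported from a firewall or passive sensor.
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.30.2", "tcp", 502),     # approved HMI polling
    ("10.20.1.15", "10.20.30.2", "tcp", 44818),   # approved engineering access
    ("10.20.1.77", "10.20.30.2", "tcp", 502),     # right port, unapproved peer
    ("10.20.1.10", "10.20.30.2", "tcp", 445),     # approved peer, unapproved service
    ("10.20.30.2", "10.20.1.10", "tcp", 443),     # zone asset initiating outbound
    ("10.20.30.2", "10.20.30.3", "tcp", 502),     # intra-zone
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(evaluate(f), f)
```

The third and fourth sample flows are the ones that matter for lateral movement: a host that is not on the list, and a listed host using a service that is not, are both rejected even though they sit on the same plant network.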
Step 9: Improve ICS asset visibility
Knowing what your assets are up to at all times is an important need. The asset inventory should be maintained in an automated manner with all assets and their behaviors being accounted for. Asset visibility is a baseline OT security need.
Step 10: Talk to a Sectrio Asset Security expert.
Our asset security experts are trained in both the security and functional aspects of industrial assets. They can help you determine:
- The best asset security measures you need to deploy
- Your current asset security level for each device and how these levels could be improved
- IEC 62443 controls that can be applied to your assets
- How you can use micro-segmentation for your crown jewels
- Whether your ICS risk assessment and gap analysis approach is in order or otherwise
- Gaps in OT security training and awareness levels among your employees
- The robustness of your DMZ or any specific security measure
Drop us a line here to block a free preliminary consultation slot with our asset security expert.