Sectrio

Phantom OT is the number one threat to industrial security  

By Prayukth K V
September 11, 2024

Summary

When it comes to industrial control systems, many enterprises are running devices and systems that are of 1990s vintage and do not come under the purview of any security measure or IT/OT security policies. Sometimes, such devices may not even be part of the overall asset inventory. Such devices and systems offer silent pathways for networks to be breached and present a real threat to overall infrastructure integrity.  

What is phantom OT?  

Phantom OT comprises systems that operate without any policy, security, or governance controls within an enterprise. They are either outside the realm of any security intervention or are deliberately overlooked in terms of security measures and policy recommendations because: 

  • Such systems are considered too old to be hacked  
  • The security teams may not consider them to be a target for hackers  
  • Some of these systems were added to the infrastructure as part of a temporary project and/or testing and were forgotten 
  • Existing IT/OT security policies are not enforced on these devices/systems for various reasons  

An AI-Generated tool paints an apt representation of a phantom OT system

Security challenges associated with Phantom OT 

Phantom OT can have multiple security and operational implications for ICS asset owners. It also opens a compliance gap with IEC 62443, specifically with IEC 62443-2-1, which outlines the requirements for an Industrial Automation Control System (IACS) security program.

It can also hamper the validation of organizational security measures while lowering the accuracy of reassessments done to measure the impact of organizational and technical security measures.  

“If the organization has conducted an ICS risk and gap assessment but has not identified Phantom OT for remediation, there is a strong possibility that the assessment was not performed in accordance with the requirements outlined in IEC 62443-3-2.” 

The security gaps arising from Phantom OT also raise questions about who owns these assets and the infrastructure they sit in. Overall, it renders the infrastructure vulnerable to attacks, breaches, and rogue insider activity.

As the rest of the enterprise moves on, such assets can be stuck in a time warp and exist as silos within the larger infrastructure. This presents challenges in terms of security and operations and, if not addressed, can pose a much bigger security and disruption risk to the enterprise.

Read More: How to get started with OT security  

Phantom OT is not a mere symptom of bad governance and security practices. Instead, it represents challenges in adopting security measures at a granular level.

Phantom OT also opens gaps that grow with the passage of time and allow threats to move across converged environments to target more complex systems upstream or downstream.   

Threats from Phantom OT  

  • Puts lives at risk  
  • Financial losses  
  • Reputational damage  
  • Large-scale operational disruptions  
  • Erosion in consumer trust  
  • Lateral movement of malware and other threats  

How to deal with Phantom OT 

Developing a deeper understanding of the asset landscape is a good starting point for a strategy to deal with Phantom OT. By identifying both the presence of Phantom OT and the practices that lead to its establishment, an enterprise can address the security challenge.

Other steps to deal with Phantom OT include: 

  • Conduct a comprehensive risk assessment and gap analysis/OT security audit based on IEC 62443 to identify the assets that can be classified as Phantom OT  
  • Conduct regular asset inspections and inventory checks to detect the presence of such assets and determine a time frame to convert them to regular assets covered by security policies and measures  
  • Determine clear ownership of OT assets  
  • Put in place a clear governance and cybersecurity policy for onboarding new assets and managing legacy systems. No device or system should operate without a cybersecurity policy in place  
  • Ensure regular and time-bound application of patches  
  • Incorporate IEC 62443 into all aspects of governance, risk management, asset ownership and ongoing security improvement practices   
  • Expand ICS governance and policy coverage to call out measures related to ongoing security practices for legacy systems  
  • Deploy ICS cybersecurity solutions in areas such as asset intelligence/management, vulnerability and patch management and continuous monitoring 
  • Work with OEMs to ensure regular deployment of patches and adequate asset visibility in terms of operations  
  • Improve ICS security awareness among employees through a custom training program   
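The asset-inspection and inventory-check steps above come down to one recurring comparison: what the network actually shows against what the inventory, ownership records and policy coverage say. The script below is an added illustration (not Sectrio's code or tooling) of that reconciliation. It takes a constructed asset inventory and a constructed set of passive network observations, flags every device that is unlisted, ownerless or outside policy coverage as a Phantom OT candidate, and assigns each a remediation deadline. The record fields, the sample addresses, the year-2000 legacy cutoff and the 90-day remediation window are all assumptions chosen for the example.

```python
"""Reconcile an OT asset inventory against passive network observations and
flag Phantom OT candidates.

Added example; not Sectrio's code. All records below are constructed sample
data, and the field names, legacy cutoff and remediation window are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class InventoryAsset:
    asset_id: str
    ip: str
    owner: Optional[str]       # None = nobody is accountable for the device
    policy_id: Optional[str]   # None = no OT security policy applies to it
    commissioned: int          # year the device went into service


@dataclass
class Observation:
    ip: str
    protocol: str              # industrial protocol seen by a passive sensor
    last_seen: date


@dataclass
class Finding:
    ip: str
    reasons: List[str] = field(default_factory=list)
    remediate_by: Optional[date] = None


# Constructed inventory: one well-governed PLC, one forgotten 1990s PLC, one HMI
# that has an owner but never had a policy applied.
INVENTORY = [
    InventoryAsset("PLC-001", "10.10.1.10", "plant-eng", "OT-POL-01", 2018),
    InventoryAsset("PLC-002", "10.10.1.11", None, None, 1997),
    InventoryAsset("HMI-003", "10.10.1.20", "ops", None, 2012),
]

# Constructed passive-monitoring output: everything in the inventory plus a
# device at .42 that nobody recorded (e.g. a leftover test rig).
OBSERVED = [
    Observation("10.10.1.10", "modbus", date(2024, 9, 10)),
    Observation("10.10.1.11", "modbus", date(2024, 9, 10)),
    Observation("10.10.1.20", "s7comm", date(2024, 9, 9)),
    Observation("10.10.1.42", "modbus", date(2024, 9, 10)),
]


def find_phantom_ot(inventory, observed, today, legacy_before=2000, window_days=90):
    """Return Finding objects for every observed device with a governance gap.

    A device is a Phantom OT candidate when it is not in the inventory, has no
    owner, or is not covered by a policy. Legacy vintage is recorded as extra
    context only when such a gap exists; an old but governed device is fine.
    """
    by_ip = {a.ip: a for a in inventory}
    deadline = today + timedelta(days=window_days)
    findings = []
    for obs in observed:
        asset = by_ip.get(obs.ip)
        reasons = []
        if asset is None:
            reasons.append(f"not in inventory (seen speaking {obs.protocol})")
        else:
            if asset.owner is None:
                reasons.append("no assigned owner")
            if asset.policy_id is None:
                reasons.append("not covered by an OT security policy")
            if reasons and asset.commissioned < legacy_before:
                reasons.append(f"legacy device commissioned in {asset.commissioned}")
        if reasons:
            findings.append(Finding(obs.ip, reasons, deadline))
    # Sort numerically by address so the report is stable and readable.
    return sorted(findings, key=lambda f: ipaddress.ip_address(f.ip))


def run_example():
    """Run the reconciliation on the constructed data as of the post date."""
    return find_phantom_ot(INVENTORY, OBSERVED, date(2024, 9, 11))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.ip}: {'; '.join(f.reasons)} -> remediate by {f.remediate_by}")
```

Run on a schedule against real sensor exports and CMDB dumps, the same comparison turns the "regular asset inspections" item into a measurable control: the list of findings should shrink toward zero, and any entry that survives past its deadline is the governance gap the article describes.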

To learn more about better asset management strategies and IEC 62443-based security practices and compliance measures, get in touch with us for a free no-obligation consultation. 

Reach out to us now.

Conduct an IEC 62443/NIST-CSF based risk assessment and gap analysis now!

Thinking of an ICS security training program for your employees? Talk to us for a custom package.

