In the last couple of years, OT security has managed to get plenty of attention from security teams. Some businesses have even started having dedicated teams to manage OT security and tools. However, many businesses are still in the process of figuring out a strategy to deal with OT threats and specific risks to infrastructure and networks. This article will shed some light on how to improve OT security without putting strain on your existing resources.
Where to start?
In a manufacturing plant in the APAC region that was attacked in May last year, security teams were unable to agree on which tool to choose for securing OT systems. This resulted in a prolonged delay in decision-making. The teams met over 22 times in 6 months without being able to come to a consensus on the way forward.
In every meeting, the IT security team, the SCADA and ICT team, and the CISO’s nominee would discuss and agree to disagree on these points:
- The IT team wanted to go with the existing vendor, who was offering an untested and unproven OT security solution for free
- The SCADA team wanted to go with a proven OT solution, but the CISO's nominee was not comfortable with the budget being sought
The logjam continued for almost 200 days until a cyberattack crippled their plant operations. The assembly line sustained heavy damage, but luckily, because the plant was not operating late in the evening after work hours, no loss of life was reported.
The teams that had held disparate opinions on how to deal with OT security came together and immediately agreed on a line of approach; the plant got a new security solution in just 23 hours, and that was not all. A cybersecurity audit of all systems, including vulnerability scans, was conducted, and everyone chipped in to identify new security standards to adopt so that the focus on OT security would continue.
Lesson: move fast. Learn rapidly, decide early, and execute with diligence without wasting time. Even small steps implemented early can lead to incremental OT security gains. On the other hand, the longer you delay, the greater your chances of falling victim to a debilitating attack.
1. Conduct an OT threat assessment
By doing a comprehensive OT threat assessment, you will be able to identify and understand the threats, their sources, and the level of intervention required to deal with them. Sectrio can help with a custom threat assessment for your business. Share a few details here to get started.
2. Know your network and assets
OT networks and the networks associated with them often harbor devices that have not been part of any inventory for years. We have seen power plants and manufacturing shop floors host complex OT devices serving simple functions that may once have been inventoried but are now invisible to both the security operations team and the inventory managers. There can be two reasons for this:
- These devices are no longer playing a major role in the overall scheme of things (though they are still connected to the overall network)
- Or such devices are part of a sub-inventory that is managed separately
Without an integrated inventory, it is difficult to know what to protect, which can leave major gaps in a business's security posture. Over time, such devices are not just forgotten; they are also not maintained in any way and certainly not patched.
Lesson: put together an inventory of all assets, without exception.
3. Publish an OT security policy
Publishing an OT security policy serves many purposes. It can be a statement of intent as well as a statement of direction and of confidence in the need to address OT security. We have put together a template for you here that you can readily use. The OT security policy can very well be the first step, but always ensure that there are regular follow-ups to draw up and act on action items. If this is not done, the policy will remain on paper and will not be of much help to the organization. The OT security policy should be action-oriented.
4. Investigate and patch all vulnerabilities
Every vulnerability is an invitation for an attacker to exploit it. Run frequent scans to detect vulnerabilities and the patch status of devices. Act on the vulnerabilities detected and patch all unpatched devices. Schedule such scans and also check the CVE databases frequently for any new vulnerabilities that may affect the devices in your network. These are essential parts of your overall cyber hygiene and must be given adequate priority.
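To make sections 2 and 4 concrete, here is an added example (not Sectrio's code or tooling): it merges a main inventory with a separately managed sub-inventory, flags devices seen on the network that appear in neither, and checks each inventoried device's firmware against a CVE feed. The device records, IP addresses, product names and CVE identifiers are all constructed placeholders, and assets are assumed to be uniquely identified by IP.

```python
# Added example (not Sectrio's tooling): integrated OT inventory + CVE matching.
# All assets, IPs, products and CVE ids below are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    ip: str
    vendor: str
    product: str
    firmware: str

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))  # '2.1.0' -> (2, 1, 0) for numeric comparison

def build_integrated_inventory(*inventories: List[Asset]) -> Dict[str, Asset]:
    """Merge the main inventory and any separately managed sub-inventories, keyed by IP."""
    merged: Dict[str, Asset] = {}
    for inv in inventories:
        for asset in inv:
            merged.setdefault(asset.ip, asset)  # first record wins on duplicate IPs
    return merged

def find_unknown_devices(discovered: List[Asset], inventory: Dict[str, Asset]) -> List[Asset]:
    """Devices observed on the network (e.g. by passive monitoring) that appear in no inventory."""
    return [a for a in discovered if a.ip not in inventory]

def match_cves(inventory: Dict[str, Asset], cve_feed: List[dict]) -> List[Tuple[str, str]]:
    """(ip, cve_id) pairs where the installed firmware is older than the version that fixes the CVE."""
    hits = []
    for asset in inventory.values():
        for cve in cve_feed:
            same_product = (cve["vendor"], cve["product"]) == (asset.vendor, asset.product)
            if same_product and parse_version(asset.firmware) < parse_version(cve["fixed_in"]):
                hits.append((asset.ip, cve["id"]))
    return hits

# Constructed sample data: a main inventory, a sub-inventory kept by the plant team,
# a passive-discovery list from the network, and a mock CVE feed with placeholder ids.
MAIN_INVENTORY = [Asset("10.0.1.10", "Acme", "PLC-200", "2.1.0"),
                  Asset("10.0.1.11", "Acme", "HMI-X", "4.0.2")]
SUB_INVENTORY = [Asset("10.0.2.5", "Acme", "PLC-200", "1.4.3")]
DISCOVERED = MAIN_INVENTORY + SUB_INVENTORY + [Asset("10.0.2.9", "Acme", "RTU-7", "0.9.1")]
CVE_FEED = [{"id": "CVE-EXAMPLE-0001", "vendor": "Acme", "product": "PLC-200", "fixed_in": "2.0.0"},
            {"id": "CVE-EXAMPLE-0002", "vendor": "Acme", "product": "HMI-X", "fixed_in": "4.1.0"}]

if __name__ == "__main__":
    inventory = build_integrated_inventory(MAIN_INVENTORY, SUB_INVENTORY)
    print("not inventoried:", [a.ip for a in find_unknown_devices(DISCOVERED, inventory)])
    print("unpatched:", match_cves(inventory, CVE_FEED))
```

The device in the sub-inventory only shows up as unpatched once the inventories are merged, which is the gap the article describes.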
5. Integrate OT risk exposure into your institutional risk management plan
All identified OT risks should be part of the institutional plan, along with timelines for addressing them. OT risks can be addressed in isolation at a tactical level only if they have no dependency on the overall infrastructure (which is rarely the case). Risks related to device patching, for instance, can be handled as part of an OT security plan, but that plan has to connect with the institutional risk management plan at a strategic level. This ensures more visibility for OT risks and also helps generate awareness of the need to address them.
6. Identify standards and mandates to comply with
All security measures should have benchmarks to look up to. This is where NIST CSF, IEC 62443, and many ISO standards come into play. Many countries are now passing legislation mandating businesses to comply with new and stringent reporting requirements. Even before that, businesses need to look at streamlining their security measures and aligning them with the best standards out there. This will give your security team added motivation as well. When you declare your organization to be, say, IEC 62443 compliant, it will also give your customers more confidence in engaging your organization.
7. Work with the right threat intelligence
All cyber threat intelligence vendors will claim that they cover OT security. However, only a few vendors can actually produce quality OT threat intelligence. Sectrio is one of them. Check out our threat intelligence feeds free for 15 days and find out how big a difference they make to your SecOps efficiency and to the effectiveness of your threat hunting. Without the right threat intelligence, threats will slip under the radar and take longer to detect. The longer the delay, the greater the possibility of that threat causing a major hazard or problem for your shop floor or other parts of the manufacturing plant or power plant.