Five things OT cybersecurity wants IT to know

Dragos
By Andy Lewis, Senior Sales Executive, Dragos
Friday, 18 November, 2022


In recent years, information technology (IT) and operational technology (OT) have significantly converged. As technology has become more complex, more capable and more critical, and cyber threats have gotten more frequent, sophisticated and devastating, both teams have come together out of convenience and necessity.

But this convergence doesn’t translate to IT and OT merging into a singular mission. Each discipline has important distinctions that determine how each environment can and should be run.

To strengthen cybersecurity across the organisation, IT needs a clear understanding of precisely how OT differs and what those differences mean for processes, technologies and outcomes. Here are some distinct ways to collaborate towards a stronger security posture.

OT requires a different mentality

As IT and OT converge, questions arise. Organisations begin to explore whether they can apply IT security controls to OT when looking for economies of scale in technology and processes. While similarities between the two environments exist, OT requires a different mindset. For example:

  • IT often puts too much emphasis on vulnerability management. OT systems can’t be patched and updated in the same way without risking downtime and performance, nor do they often need to be.
  • OT can’t keep pace with IT asset refresh rates. The interconnectivity of systems means the latest software is not necessarily the best software.
  • Moving to the cloud looks very different for OT. While there are some applications that make sense, OT teams must be cautious about how they deploy to the cloud and how far down those connections go.

The OT security triangle looks different

The classic IT security triangle breaks IT security drivers into three components: confidentiality, integrity and availability. One misperception often repeated is that in OT the priorities are similar but ordered differently, that availability, integrity and confidentiality, in that order, drive security in industrial sectors. Seasoned IT professionals refer to the triad as a three-legged stool: each leg bears an equal load in maintaining an organisation’s security posture. While availability stands as a core tenet of OT security, it doesn’t necessarily trump everything.

Three-letter acronyms aside, industrial operations have a mission focus that varies with the industry or the organisation’s output. So, it’s crucial to understand the mission focus of every plant so that security can stay service-oriented towards operations.

OT has unique requirements

While the requirements of both environments look similar on paper — high uptime, redundancy, low latency — OT must support specific circumstances. High uptime, for instance, must be measured in years, not months, with systems that literally run for multiple years between rounds of maintenance. Redundancy is driven less by security than by availability; many critical OT components can’t be turned off and need workarounds in order to touch them. Low latency isn’t just the time it takes data to move from one place to another; it’s the milliseconds and microseconds that determine whether a robot places the correct part at the correct time as a vehicle rolls down an assembly line. These use cases demand that OT teams think differently about meeting these requirements.

Cyber risk is calculated differently for OT

The traditional IT security risk equation does not account for the functional, real-world physical outputs of industrial processes. We argue that a more OT-centric risk equation should be ‘Cyber risk = Consequence × Threat × Vulnerability’.

Cyber risk and its associated impacts can benefit from engineering and reliability inputs, such as process hazard analysis and failure mode and effects analysis, by focusing on a more consequence-driven approach. These evaluations provide detailed information on conditions that may result in unreliable, unsafe and possibly destructive states for control systems, something that does not exist in IT-centric cyber risk models. Because of the link to physical impacts and reliability, industrial cyber risk should include additional concepts from disaster recovery and business continuity.

OT security relies on crown jewel analysis

OT security is about understanding what matters so you can prioritise and protect it; OT teams do this through an OT-specific process called crown jewel analysis (CJA).

Predicated on the idea that not all ICS devices and systems are the same and each has a different level of criticality based on process impact, CJA identifies the key systems and components that need enhanced prevention, detection and recovery capabilities. This process of categorising OT assets enables OT teams to prioritise their efforts and ensure that the ‘crown jewels’ are protected.

How can IT and OT work together for successful cybersecurity?

With this context in mind, IT and OT can form a cross-functional team that supports and strengthens security across the organisation. In brief, teams need five critical controls for effective OT security:

  1. Create an OT-specific incident response plan. This should cover the different device types, communication protocols, and the tactics, techniques and procedures specific to industrial threat groups.
  2. Build a defensible architecture. Start at the edge and work your way in, using traditional IT tools as appropriate and identifying and securing OT/IT data flows to the enterprise and cloud environments.
  3. Implement network monitoring. Monitoring industrial assets validates your security controls, allows you to scale and automate threat detection, identifies vulnerabilities easily for action and supports incident response processes.
  4. Establish remote access authentication. Enable multi-factor authentication, the most effective control for remote access authentication. If that’s not possible, try controls like jump hosts with focused monitoring.
  5. Manage key vulnerabilities. Most OT vulnerabilities have a limited impact within a defensible architecture. Prioritise those that bridge IT and OT over vulnerabilities that reside deep within the ICS/OT network.
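
As an added illustration (not from the article or from Dragos tooling), the Python below contrasts a severity-only ranking with the consequence-weighted equation ‘Cyber risk = Consequence × Threat × Vulnerability’ above and with control 5’s guidance to prioritise findings that bridge IT and OT, over a constructed set of findings; the asset names, zone labels and 1–5 scales are all assumptions.

```python
"""Consequence-driven OT risk ranking (constructed example, not Dragos tooling).

Contrasts an IT-style ranking (vulnerability severity alone) with the article's
OT-centric equation, Cyber risk = Consequence x Threat x Vulnerability, and with
its guidance to prioritise findings that bridge IT and OT. All assets, zone
labels and 1-5 scales below are made up for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    zone: str           # hypothetical zone label: it_ot_boundary, supervisory, control
    consequence: int    # 1-5, process impact from a PHA/FMEA-style review
    threat: int         # 1-5, likelihood an active threat group targets this asset class
    vulnerability: int  # 1-5, severity/exploitability of the finding

def ot_risk(f: Finding) -> int:
    """The article's OT-centric risk equation."""
    return f.consequence * f.threat * f.vulnerability

def crown_jewels(findings, min_consequence=4):
    """Crown jewel analysis: assets whose compromise drives the worst process outcomes."""
    return sorted({f.asset for f in findings if f.consequence >= min_consequence})

def rank_it_style(findings):
    """IT habit the article cautions against: order by vulnerability severity only."""
    return [f.asset for f in sorted(findings, key=lambda f: -f.vulnerability)]

def rank_ot_style(findings):
    """Findings on the IT/OT boundary first (control 5), then by consequence-weighted risk."""
    def key(f):
        return (0 if f.zone == "it_ot_boundary" else 1, -ot_risk(f))
    return [f.asset for f in sorted(findings, key=key)]

# Constructed findings: a high-severity flaw deep in the control network
# (plc-line-3) versus a medium one on the historian that bridges IT and OT.
FINDINGS = [
    Finding("historian-dmz", "it_ot_boundary", 3, 4, 3),
    Finding("eng-workstation", "supervisory", 4, 4, 2),
    Finding("plc-line-3", "control", 5, 2, 5),
    Finding("hmi-packaging", "supervisory", 2, 3, 4),
]

if __name__ == "__main__":
    print("crown jewels:", crown_jewels(FINDINGS))
    print("IT-style order:", rank_it_style(FINDINGS))
    print("OT-style order:", rank_ot_style(FINDINGS))
```

On this data the severity-only ranking puts the deep-ICS PLC finding first, whereas the OT ranking surfaces the boundary-crossing historian first and still keeps the PLC ahead of the lower-consequence HMI.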

With the appropriate understanding and context, plus the support and culture to form a cross-functional unit, both OT and IT teams can successfully contribute to a more secure organisation.
