For over a decade, the industrial control systems industry has talked about the coming threats and challenges of OT cybersecurity. Many have been mocked because of what has appeared as an overstatement of the risks. Although there are still many who overstate the actual historical events, the increasing need for defense is not overstated. In fact, the past two years have been a bit of a watershed, as the threats to OT systems, along with government and organizational responses, have increased significantly.
Industrial organizations are under what we call an “AIR-RAID” of OT cyber security challenges:
- Attacks: OT systems are under increasing attack with industrial and energy organizations rising from 8th and 9th most targeted by attackers to 2nd and 3rd, respectively.
- IT: OT systems are becoming much more dependent on IT systems – and their inherent vulnerabilities.
- Regulation: Regulators are increasing the focus on industrial operators both in the United States as well as around the world with increasing implementation and reporting requirements.
- Resource constraints: OT is already resource-constrained in the day-to-day operations, and the 50-75% increase in ICS vulnerabilities in the past 12 months makes it almost impossible to keep up with the threats.
- Access: The “air gap” is dead…if it ever existed. This increased connectivity significantly adds risk to these “insecure by design” networks.
- Insurers: Cyber insurers are now requiring much more robust OT security reporting to maintain coverage. This significantly increases the pressure on OT security practitioners to demonstrate consistent maturity.
- Directors: Boards have realized the significant threats from ransomware to financial operations and are now placing greater requirements on CISOs and operations leaders to demonstrate improvement in OT as in IT.
And just at the end of 2021, the Log4j vulnerability dramatically increased the challenges for OT cybersecurity personnel. This is an insidious vulnerability as it exists within libraries used by a very large number of software vendors. Finding that library on sensitive OT systems is incredibly challenging. Unfortunately, this is only the latest in a series of challenging risks and vulnerabilities which have been arising ever more frequently.
These challenges are overwhelming OT organizations responsible for managing cyber security risks. The processes, organizations, and tools used to date – mostly based on legacy operational maintenance – are not sufficient to keep pace with these growing challenges.
OT security challenges with OEM vendor-specific approaches
One of the most significant challenges we observed is the vendor-specific approach to systems management in many industrial organizations. As this approach extends into cyber security, complexity and lack of cyber security skills lead to breakdowns in efficiency and effectiveness. Most industrial organizations have multiple, in many cases dozens or scores of different control systems vendors’ equipment in their facilities. Further, many organizations heavily rely on these vendors or their contractors to support those systems as it is almost impossible to maintain full-time employees at each site with knowledge across all the different vendors’ equipment and software. This may even differ by each plant as vendors may use different contractors in each region, thereby adding further to the mix of different parties involved in systems maintenance.
We aren’t here to debate the effectiveness of this from a maintenance and operations point of view, but from a cyber security point of view, the approach is untenable for most mid-size or larger organizations. The tendency in many organizations has been to follow the traditional maintenance model, assigning security responsibility to vendors, since they know their systems the best. Many of the larger OEMs have branded a suite of home-grown and white-labeled cyber security tools relevant for their specific control systems. And many are offering security consulting directly or through their local partners.
In a world of accelerating threats and cyber security requirements from the “AIR-RAID”, these vendor-specific approaches are failing for several reasons:
- Cyber security is a fundamentally different skill set than control systems hardware or software design, especially when it comes to the software development needed to produce a robust cyber security solution. So OEMs will have the challenge to become or remain best-in-class in this very different field.
- Each OEM relies on its own set of tools and technologies which do not work with other OEM tools and technologies. This creates multiple challenges for the operator’s security:
  - No way to consolidate cyber security metrics or risks across different vendor systems to provide a single platform for analysis of risks or reporting.
  - No way to scale resources across different vendors as each has its own tools and approaches.
  - No way to actively manage security across sites or even within a site, leading to the need either for more OEM support or additional internal headcount.
  - A matrix of different tools for each security function for each vendor means dozens of different security tools for the organization to maintain and manage over time.
- Incident response will always require cross-vendor approaches as any threat will move across OEMs. With a vendor-specific approach, the incident response time and complexity increase geometrically as different OEMs or contractors need to be contacted to include them in the overall incident response process.
Some organizations have realized these challenges and deployed overlay network tools to provide some visibility while still relying on OEM-specific approaches to endpoint systems management. Not only does this not provide comprehensive visibility, but it also leaves an inefficient approach to improving and measuring security maturity.
The good news is there is an alternative that provides a vendor-agnostic approach addressing the above challenges, providing efficient and effective enterprise OT security, all while not disrupting the operational resilience of the OEM systems.
4 Benefits of an OEM Vendor Agnostic OT Security Approach:
- Up to 70% reduction in cyber security management and labor costs
- Improved compliance and reporting for regulators, boards, insurers, etc.
- Accelerated remediation of risks and response to threats
- Improved overall security posture by eliminating the gaps created by a series of vendor-specific solutions
Since 2007, Verve Industrial has provided its vendor-agnostic OT security solution to clients across a wide array of industries and on almost every brand name of control system. The approach is proven safe for OT environments. It provides a significant reduction in the total cost of ownership. And, it accelerates security maturity. We call this Vendor Agnostic OT Security Management.
The solution brings together technology and talent to provide turn-key support to address the “AIR-RAID” discussed above.
Verve Security Center (VSC)
The Verve Security Center provides a single, vendor-agnostic platform addressing the key elements of the NIST CSF as well as other standards and frameworks such as the CIS Top 18 security controls.
As you can see from the diagram, VSC begins with the industry’s deepest asset inventory which forms the foundation of the rest of the security applications depicted by the other gears in the diagram. This comprehensive view, with a single platform, means that OT cyber security teams do not have to manage dozens of different tools across all of their sites. Each of these components is vendor-agnostic.
So, for instance, the platform provides vulnerability information regardless of whether it’s an Emerson Delta-V controller, a Rockwell PLC, a Schweitzer relay, or an ABB server. Similarly, the patch solution is applicable across vendors and can integrate with their “approved” lists for their systems, so that the operator has a single source of truth for both applicable and approved patches.
Similarly, the platform enables processes such as incident response across vendor systems. This allows rapid investigation of events occurring across the system. It allows the ability to dive into endpoint behavior regardless of the OEM system to see how threats may be moving laterally across the environment. And then, perhaps most importantly, the platform allows the organization to take response actions to stop the threat, regardless of the OEM vendor system.
The first question we often hear is “How can you provide security management across vendors without disrupting operations?” The answer is: in its 30-year heritage as a control systems integrator, Verve has designed, programmed, and implemented vendor-agnostic industrial control systems across a wide range of industries. The team consists of controls engineers that understand the inner workings of these different systems. As we like to say, we know what you CAN do, not just what you CANNOT do.
Verve baked this knowledge into the architecture of an endpoint solution that is tested on every brand of OEM system and has dozens of reference customers. The endpoint solution is tuned to have zero impact on operations and is invisible on the wire. It communicates with OEM equipment using native protocols to avoid any disruption to the network. And the architecture can be deployed in almost any complex OT network environment without disrupting Purdue, IEC, or other models.
Finally, a “Think Global: Act Local” architecture enables scaling of the analysis, prioritization, and remediation design of risks across an entire enterprise while ensuring “local” or process expert control over any remediating or response actions to ensure operational resilience.
- Think Global: Scale analysis in a centralized platform – Gather data from all sites into a centralized database for vulnerability and risk analysis and remediation/response planning.
  - Leverage regional SMEs with access to the same platform for specific security advice.
- Act Local: Operations control over actions – Provide automation to plant/regional personnel to enable them to take action in a way that is sensitive to the requirements of the operational environment.
OT cyber security talent:
Cyber security is NOT just technology. The tools and the talent must work together to drive improvement. One of the challenges in OT is that most organizations are relatively vendor-specific – whether that be the OEM itself or the contractors. Key to the success of the vendor-agnostic approach is having cyber security personnel that understand not only the differences between systems but also their security commonalities, so as to drive consistency and efficiency as well as operational resilience.
As mentioned, Verve has a 30-year legacy of vendor-agnostic control systems design. Over the past 15 years, we have expanded this expertise into cyber security, maintaining that vendor-agnostic approach. Verve works with customers to conduct technology-enabled vulnerability assessments across the different vendors in the environment. Its team develops risk reduction roadmaps across an enterprise down to plant level and assists in remediation efforts across network segmentation, patch management, configuration hardening, etc. – all across different vendor systems.
Segmentation is a perfect example of where a vendor-agnostic approach is critical. These systems interact with one another, so it is crucial for the design team to understand how the different systems work in order to arrive at the right network architecture design. Verve’s OT cybersecurity services team has the capability to draw those cross-vendor insights.
This extends to detecting and responding to threats as well. The team needs to see the events occurring across the whole vendor landscape and be able to determine what response actions they imply. This requires central visibility and a team that understands the various systems in use.
This vendor-agnostic approach drives a 70% reduction in OT security management costs while providing improved security response times as well as centralized reporting for compliance and governance purposes.
The industrial world is under increasing threats. Traditional OEM-specific approaches will break under their own weight and complexity. There is an alternative that drives efficiency and effectiveness across the enterprise.