For over a decade, the industrial control systems industry has talked about the emerging threats and challenges in OT cybersecurity. While to some this may be an overstatement of the risks, the increasing need for defense is not overstated. In fact, the past two years have been a bit of a watershed, as the threats to OT systems, along with government and organizational responses, have significantly increased.

One of the greatest challenges for CISOs and those responsible for OT cyber security is the time it takes to make meaningful progress in their overall maturity. The combined challenges of distributed network environments, sensitive and legacy devices, the variety of tools needed, the testing required before deployment, and the lack of available resources not only to assess but most importantly to remediate identified risks mean there is a long lead time prior to demonstrated progress in reducing the cyber security exposure of OT environments.

These challenges are heightened as CISOs and boards of directors demand action and results. They do not want to hear about a plan or a tool deployment; they want demonstrated improvement.

In IT cyber security, CISOs and their bosses expect clear progress reporting on vulnerabilities, patches, user & account management, reductions in incident response times, etc. For too long in OT, the answer has been limited to deploying detection tools to potentially identify new threats in the environment and creating network protections through some form of segmentation. But this approach offers little in the way of demonstrable improvement. Boards, regulators, and insurers require the same kind of measurable improvement within OT as well.

Further, operational organizations (manufacturing, distribution, pipelines, etc.) base success on metrics and deliver measurable improvements in quality, productivity, safety, etc. To gain commitment and delivery on cyber security requires the same type of management approach to security, where these teams can see “red-to-green” changes occurring and track progress over time.

OT security is not as mature as IT security

Many industrial organizations realize their most critical systems – those that integrate cyber and physical operations – have not received the same cyber security focus as traditional IT systems. In almost every survey, OT, cyber-physical systems and IoT are significantly behind IT in terms of cyber maturity.

There are plenty of reasons for OT security lagging behind IT security: many OT systems have historically been less connected to the outside world/Internet than their IT peers; IT security tools and procedures do not work effectively or are risky to use in more sensitive, legacy and embedded OT systems; operational requirements make managing vulnerabilities and insecurities challenging as changes can disrupt uptime and productivity; and there is a significant knowledge and skills gap in deploying security within the OT environment.

Each of these points to the urgent need to make demonstrable improvements in OT cyber security posture. Improvements are necessary to ward off increasing threats, but they also need to be measurable to satisfy insurers, regulators, and directors that the organization is continuously progressing towards its goal.

The notion that it will take six months of assessment and planning followed by 18-24 months to deploy hardware (taps, span ports, firewalls, etc.), harden endpoints, deploy robust backup solutions, and create a robust vulnerability management program for OT is not acceptable anymore. And it doesn’t need to be the case.

Challenges measuring improvement in OT cyber security

The current approaches to OT cyber security often lack the ability to demonstrate progress and improvement on key security metrics over time.

There are many factors that make achieving this result difficult:

  • OEM-vendor “balkanization” (i.e. the OEM-specific security tools, managed by the OEM or its designated contractor) creates a lack of centralized visibility
  • Operational risks from scanning using traditional vulnerability scanners
  • Constraints on many direct remediation efforts (e.g., patching, updating firmware, etc.)
  • Lack of an integrated view across cyber security controls on an asset-by-asset basis to enable trade-offs between mitigating controls where necessary
  • Lags between assessments, given the cost and complexity of assessing OT environments, create a challenge in monitoring improvements (or steps backward) over time

As a result, many organizations turn to a patchwork (no pun intended) of solutions and services to address their need. Some have relied on OEMs to secure their systems and aggregate this data through system integration projects. Others used network taps to capture information from network communications to provide some level of updated information, albeit limited to whatever is available on the wire. Still others deployed a combination of IT-type tools and adjusted their capabilities for application in OT.

None of these approaches delivers the easily measurable, proven results that CISOs (and their boards, insurers and regulators) want.

4 components to rapidly demonstrate OT security progress

Over the past several years, Verve has worked closely with customers ranging from power, chemicals, pharma/medical device, CPG and beyond to rapidly demonstrate quantifiable improvement in their OT security. The method brings together the power of the Verve Security Center’s software-defined approach to OT security with our distinctive OT security services.

This approach contains 4 core elements for an organization to define its risks and rapidly demonstrate improvements in reducing those risks and improving incident response capabilities.

1. Technology-enabled vulnerability (or risk) assessment

The first challenge that many industrial organizations encounter is in the design of their risk assessment. The traditional approach, designed in many cases in IT by consultants, is a survey-based approach combined with reviewing data from IT systems management databases to determine risks. Then the team evaluates the data and creates a roadmap of initiatives to execute over time. In many IT environments, this is appropriate because the initiatives are conducted centrally – e.g., deploy a centralized patch management tool, deploy backup solutions, define a standard secure configuration and deploy it to all machines, use AD to clean up accounts, etc.

This traditional approach poses significant problems as it extends into a distributed industrial environment. First, survey-based assessments in OT often yield very little practical information: OT personnel at the site often don’t know the answers to the questions, there is no available systems management data, etc. As a result, the foundation is lacking. But second, and more importantly, remediation is not an enterprise solution. Each site will likely require its own patching based on its devices (and pushing patches from the enterprise down to a plant can cause significant operational disruption), its own configuration hardening, etc. Many environments do not operate off a central AD server, so “enterprise” solutions need local deployments. The result is a lengthy lag between assessment and remediation.

A technology-enabled vulnerability assessment changes this model. It leverages Verve Industrial’s endpoint platform to conduct a fact-based assessment of the plant environment on a plant-by-plant, asset-by-asset basis.

Benefits of a technology-enabled assessment:

  • Much more accurate risk view at the plant level that allows trade-offs of different risks, mitigating controls, etc.
  • Rapid remediation leveraging the same technology that assesses and immediately takes actions such as patching, configuration hardening, user & account management, etc.
  • Ongoing, real-time assessment. By leveraging technology, the organization is not dependent on another assessment in a year to determine progress. It is available daily.


2. Rapid remediation requires action

As mentioned above, one of the strengths of the approach is enabling immediate remediation at the plant level. Demonstrable cyber security improvement requires action. It is nice to know your risks, and it is important to monitor for potential anomalies or threats, but demonstrable progress means taking actions to secure endpoints. The only way to do this efficiently is with an OT endpoint management platform.

This is built directly into the Verve platform. Unlike network tools or active scanners, Verve collects risk data directly from the endpoint and allows local personnel to control a set of tasks to remediate the risks discovered. This allows the organization to immediately demonstrate how it’s moving from “red” to “green” on key metrics such as reduced vulnerabilities, insecure configurations, weak user and account control, etc.


3. Ongoing, real-time reporting

A platform approach allows organizations to track progress on a daily, weekly, and monthly basis across each asset and each plant. Regulators, insurers and boards ask for this data because they want to know if the organization is remediating its critical vulnerabilities, removing network risks, etc. The only practical way to report on this is with a centralized, vendor-agnostic platform that sees every asset and its comprehensive security status.

The traditional approach of selecting a set of plants or sites to conduct an “audit” or “assessment” is not practical when an organization has dozens or hundreds of sites around the world. Enterprise reporting is a necessary component of demonstrating true success.


4. Aligned accountability

Closing the loop requires aligned accountability to security metrics. Approximately 30 years ago, industries adopted a safety mindset driven by OSHA in the United States and similar regulatory regimes around the world. Over this time, the safety of industrial processes has increased dramatically. One of the keys to this transformation was including safety metrics in management’s balanced scorecards to aggregate performance dimensions so compensation and other performance reviews take into account the holistic performance of a leader – productivity, cost, quality, and safety.

The most successful companies integrate cyber security into these same balanced scorecards. They use measurement dashboards, but if it’s not reflected in someone’s performance review and compensation, making changes will be slow. This organizational component is imperative to enabling rapid, demonstrable improvement.

Integrated OT cyber security solution for risk remediation

Verve delivers this through a three-pronged integrated solution that defines a clear baseline starting point and allows for actions to immediately remediate risks as the assessment is completed. These three components also enable an ongoing process that continually maintains and improves the maturity over time once the step change is achieved.

The 3 key elements of the approach are:

  • A software-defined security solution that deploys in hours or days, not weeks or months. Taps and span ports are not required for deployment, alleviating expensive and time-consuming labor. It provides rapid visibility AND actionability to quickly remediate the risks and threats identified.
  • An integrated platform that brings together a comprehensive security solution, including both the identification of risks and the remediation of those risks. The platform enables turnkey integration across the range of maturity requirements of standards such as NIST CSF, CIS Top 20 Security Controls, ISA99, etc.
  • A distinctive group of OT/ICS expert engineers that understand industrial cyber security and have rich experience in operations of control systems, communications, and sensitivities to effectively enable rapid actionability without risking operational reliability.


Let’s look at each component a bit deeper:

Risk prioritization through a software-defined cybersecurity solution

The first key element of a rapid maturity improvement is to gain visibility and insight into a prioritized list of risks to remediate. In IT, this is often completed through a series of tools from a network device management platform, to a vulnerability scanning tool, to user and account management/configuration management tools, patch management, etc. Each of these functions is well-defined and usually well-resourced.

In OT, this picture changes. The inventory is unclear. Vulnerability scanning can “brick” embedded OT devices. Network management often does not extend inside the firewalls. And so on. In OT, many have turned to tools that promise to provide inventory visibility through monitoring of network traffic. These tools can provide some level of visibility, but to see deep into the network they require tap infrastructure that is both expensive and time-consuming to deploy. Further, the level of insight is only as good as what goes across the wire.

Verve built a software-defined solution that does not require deployment of taps and other hardware elements. The combined agent and agentless approach gathers deep inventory and identifies risks across the full spectrum of security requirements: patch & vulnerability, configurations, software, user & account, network device configurations, etc. All of this is done within a matter of minutes or days, rather than the weeks it might take if additional hardware were required.

Moreover, because of the architecture, the time to remediation is radically reduced. There is no need for separate integration with patch or configuration hardening tools, user or account management, etc. As soon as Verve identifies a risk, the platform can be used to remediate that risk. Certainly, operators want to analyze and test any changes. However, the built-in functionality enables that testing and deployment of remediation to occur in a matter of days across heterogeneous control systems.


Consolidated risk view from a multi-function platform

The second key element is a platform that brings together the full range of controls so that users can have a single deployment and single dashboard view to manage it. One of the biggest problems facing OT is the lack of resources. Using four or six independent security tools adds time and complexity to achieving maturity.

Verve brings together the key components of the NIST CSF, CIS Top 20 etc. from inventory to vulnerability management, patch management, configuration management, anti-malware, backups, etc. This enables a single, rapid deployment and accelerates mean time to maturity vs. a piecemeal approach. Further, it reduces the ongoing maintenance and operational cost.


Expert OT/ICS security resources

Achieving rapid maturity requires resources that understand the myriad control systems in a typical operating environment. We have all seen the statistics on the shortage of cyber security talent. This shortage is even more extreme in the OT world, where a mistake can be fatal or operationally catastrophic.

Verve builds on our 25+ year heritage of OT engineering. The team is experienced in plant management across a range of control systems. As many clients say, the team understands their systems better than they do. An integrated services capability is critical to accelerating the time from identifying the gaps to deploying the remediating measures in a safe and operationally secure way.


Improve OT Security Maturity in 30 Days

No cyber security journey is completed in 30 days. But it is key to demonstrate meaningful progress with measures that CISOs and boards of directors can understand. Talk to us about how we can help you reach improved OT security maturity in 30 days.
