Industrial companies – utilities, manufacturing, chemicals, oil and gas, transportation, etc. – are under growing risk of cyber attack. These companies’ crown jewels are their industrial control systems. Not only are these systems critical to operations; improper operation can cause physical damage or safety risks, and the data in these systems is often key IP at risk of espionage.
The increasing threat of ransomware creates significant financial risks for industrial companies as evidenced by Merck, Maersk, Mondelez and others who suffered hundreds of millions of dollars in losses from ransomware attacks.
Many argue that control systems are complicated and that an attacker needs to understand the inner workings of the process to impact operations. However, ransomware is not designed to change the process, just to stop it, which requires less “inside knowledge” and therefore makes these systems more susceptible to attack.
While these systems are under increasing risk, protecting them requires adjusting traditional IT cyber security approaches due to the sensitivity of the devices and processes that make up the controls networks. Gartner forecasts that over the next five years or so, the CEO and C-suite more generally may be held legally accountable for breaches.
For the past 25+ years, Verve has worked with industrial companies to design and secure these complex, multi-OEM vendor environments. Over time, we have worked with dozens of CISOs and hundreds of senior IT security leaders to bring the same level of security to these OT systems as they have in IT. We have seen industrial organizations struggle with the differences in technology, and even more so with the differences in mindset and priorities of OT leaders.
From that experience, we have developed five questions CISOs should ask as they pursue an OT cyber security program. We have found these five questions helpful in establishing an effective organization and technical approach.
5 Questions a CISO Should Ask about OT Cyber Security
Who should be involved in the OT security program?
This is the first question for a reason. In many IT organizations, the answer is clear: Security requires networking, endpoint, cloud, regulatory, and other IT partners. In OT security, however, getting the “who” right is critical and often more complex.
Depending on the organization, the “who” may include the head of Process Control Technology, the SVP/EVP/VP of operations or manufacturing or supply chain, influential plant managers, Quality or similar regulatory personnel, etc. This is on top of the more “typical” groups involved in IT security.
We have seen many organizations stall if key operations personnel are not included early in the process to identify bottlenecks or technical challenges. Successful CISOs create a steering committee of IT and OT personnel in addition to the operations leaders who understand the technical challenges of the systems.
Without this joint team, organizations struggle to gain buy-in for the necessary technical changes and required support personnel to achieve success. Together, this group forms the right process for deciding aspirations, technical feasibility, etc.
Where should you begin your OT cyber security journey?
Almost all industrial companies have some level of cyber security underway. But often the question is where to focus first to improve the security of the OT systems. Options usually include network protection such as segmentation and separation, endpoint protection, network anomaly detection, asset visibility and inventory for improved vulnerability management, and security event monitoring and analysis.
There is no absolute “right” answer to this. Some will argue for deploying network protection technology to create a barrier. Others will argue for vulnerability assessment or asset visibility and inventory as a starting point.
The “right” answer depends on the organization’s starting point. However, the foundation of all of these initiatives is a robust asset inventory with what we call “360-degree” visibility on hardware, software, network connections, users and accounts, vulnerabilities, etc. To make network protection effective, you must know what you are protecting and how it needs to communicate. To make proper vulnerability management decisions, you need clarity of the comprehensive 360-degree risk because in OT, not all assets can be patched or upgraded. Alternative compensating controls may be required, and prioritization is key. Security event monitoring requires knowledge of the assets to monitor, their operations and asset criticality, etc.
This 360-degree view provides a comprehensive picture of the risks and how they interact. For instance, two devices may have a similar vulnerability or patch status, but one has application whitelisting locked down, a robust backup, hardened configuration settings, and sits behind a well-configured firewall, whereas the other does not. Or one operates critical operational processes whereas the other does not. Even more so than in IT, these relative priorities are critical in OT given the challenges of taking rapid remediation actions.
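The prioritization argument above, as an added worked example that is not Verve's code or product logic: a small scoring pass over a constructed "360-degree" inventory. The asset records, the control weights, and the threshold are illustrative assumptions; the point is that two assets with the same CVSS score land in very different places once compensating controls and process criticality are factored in, and that the recommended action differs depending on whether the device can be patched at all.

```python
"""Added example (not Verve's code): rank OT assets for remediation from a
360-degree inventory view. All asset data, weights and thresholds below are
constructed assumptions for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    role: str
    max_cvss: float          # worst known unpatched vulnerability, 0-10
    patchable: bool          # can it be patched within a maintenance window?
    criticality: int         # 1 (low) .. 5 (safety-relevant / critical process)
    controls: frozenset = frozenset()  # compensating controls already in place


# Each control in place scales the raw exposure down (constructed weights).
CONTROL_WEIGHTS = {
    "app_whitelisting": 0.5,
    "hardened_config": 0.8,
    "segmented_firewall": 0.6,
    "tested_backup": 0.9,
}

ACTION_THRESHOLD = 10.0  # constructed cut-off between "act now" and "monitor"


def effective_risk(asset: Asset) -> float:
    """Raw exposure (severity x criticality) reduced by each compensating control."""
    risk = asset.max_cvss * asset.criticality
    for control in asset.controls:
        risk *= CONTROL_WEIGHTS.get(control, 1.0)  # unknown control: no credit
    return round(risk, 2)


def missing_controls(asset: Asset) -> list:
    """Compensating controls from the catalogue that this asset does not yet have."""
    return sorted(set(CONTROL_WEIGHTS) - set(asset.controls))


def recommend(asset: Asset) -> str:
    """Pick the remediation path: patch if possible, otherwise compensate."""
    if effective_risk(asset) < ACTION_THRESHOLD:
        return "monitor"
    if asset.patchable:
        return "patch at next maintenance window"
    gaps = missing_controls(asset)
    if gaps:
        return "add compensating controls: " + ", ".join(gaps)
    return "accept residual risk with enhanced monitoring"


def rank_assets(assets) -> list:
    """Return (name, effective_risk, recommendation) tuples, highest risk first."""
    rows = [(a.name, effective_risk(a), recommend(a)) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample inventory. HMI-01 and HMI-02 share the same vulnerability
# and patch status; only their compensating controls differ.
ASSETS = [
    Asset("HMI-01", "operator HMI", 9.8, False, 4,
          frozenset(CONTROL_WEIGHTS)),            # fully compensated
    Asset("HMI-02", "operator HMI", 9.8, False, 4),  # no compensating controls
    Asset("EWS-01", "engineering workstation", 7.5, True, 3,
          frozenset({"tested_backup"})),
    Asset("HIST-01", "historian", 6.5, True, 2,
          frozenset({"segmented_firewall"})),
]

if __name__ == "__main__":
    for name, risk, action in rank_assets(ASSETS):
        print(f"{name:8} risk={risk:6.2f}  -> {action}")
```

Run as-is, the two HMIs with identical CVSS scores end up at opposite ends of the list: the compensated one drops below the action threshold, while the uncompensated one cannot be patched and instead gets a concrete list of controls to add. The weights are deliberately simple; in practice they would come from the organization's own risk model and from validated facts about each asset rather than assumed values.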
Why do you need an OT security program?
This is the most obvious question. CISOs have protected IT systems for over a decade. You likely have dozens of tools at your disposal to address cyber security according to Check Point, Gartner and others. So, why in the world do you need a specific OT cyber security program?
The reality is these systems truly are different, but perhaps not in exactly the ways that OT folks or OEM vendors often say. They are sensitive to change or traditional IT security scanning. They are highly integrated. They do operate many legacy operating systems due to long lifecycles. They include many embedded systems that cannot be scanned or managed in the same way a Windows PC or cloud server can. And the downside risk of acting on a false security alarm is operationally devastating.
However, they can be managed with the right OT security toolkit. You can apply many of the same controls and gain consistency across IT and OT such as CIS Top 20 or NIST CSF.
You can have a single OEM-agnostic solution to provide security management and monitoring. We built Verve to address exactly this challenge – apply IT security to OT systems in a way that is safe and operationally resilient. We know from experience that the program needs to be specific but can align in many ways with your IT security program.
What security management actions should be included in the program?
Many organizations become hamstrung with the actions they can take to secure their OT/ICS environments. In part due to the fear, uncertainty and doubt raised by OEM vendors or some in OT, organizations limit what can be done to secure these systems. Perhaps they limit themselves to segmentation or network monitoring because of the fear of managing these sensitive systems.
Our suggestion is to employ what we refer to as OT Systems Management. These are the same techniques that IT conducts on IT systems (and actually represent over 70% of all IT security tasks). This includes functions such as patching, vulnerability management, configuration management, user and access management, etc.
This comprehensive set of management actions ensures these devices are protected and hardened in advance, as well as enabling the detection of anomalies from ongoing attacks. They also align IT and OT security into consistent practice areas that can be monitored and tracked.
How should an OT security program be managed?
There is no one “perfect” way to manage a cyber security program. Our experience tells us that it depends on the way the organization is structured more broadly. Is the culture top-down with a drive for operational consistency, even if that may take longer to align different parts of the organization? Is the culture one where targets are set, but business units are left to determine how best to hit those targets? Is there a close working relationship between IT and OT today? These sub-questions inform how best to organize your approach.
We have found several key elements regardless of the overall structure:
- Establish a target early on that allows for measurement and tracking. We have seen great success leveraging the CIS Top 20, but there are other targets or models to use. Selecting one is key.
- Gain alignment between IT and OT and leverage each for the strengths that they bring.
- Build traction early by gaining visibility into key risks and addressing key vulnerabilities.
- Create accountability by adding security into balanced scorecards to ensure results have impact on performance.
The answers to these five questions allow a CISO to set the right direction and create the right momentum to accelerate OT security. To learn more, please reach out, we’d be happy to share more detailed insights.