4 Essential Elements of Effective OT Systems Management (OTSM)
Explore the crucial 4 key elements of OTSM for enhancing cybersecurity and reliability in connected industrial systems.Learn More
Subscribe to stay in the loop with the latest OT cyber security best practices.
In the United States, critical infrastructure includes 16 industries:
These vary somewhat by country but generally include similar sectors.
Critical infrastructure is those physical and digital systems that provide the essential services for a country’s economy, therefore the disruption of these systems would create significant economic or public health and safety risk. Cyber security includes the protection of those digital systems from potential cyber-related attacks.
These critical infrastructure sectors include assets owned by government entities as well as those owned by the private sector. Consider the commercial facilities sector: in the United States, federal, state and local governments own and manage a large number of commercial facilities, as does the private sector. In fact, in many sectors, such as Energy or Financial Services, government and private sector assets intermingle, and a disruption to one side of this integrated system can impact the other.
In addition, many of these sectors include not only IT systems but also OT/IoT/ICS/IIoT and other “cyber-physical” systems that control not just data but physical processes. Gartner defines “cyber-physical systems” as “engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans).” When secure, they enable safe, real-time, reliable, resilient and adaptable performance. By using the broader term, Gartner encourages security and risk leaders to think beyond IT security and develop security programs encompassing the entire spectrum of cyber-physical risk.”
Therefore, as we consider the cyber security of these sectors, these three factors guide the approach.
The 16 sectors identified by the United States government as critical infrastructure are those “that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Some of these are obvious – the Nuclear sector, for instance — some less so, such as Commercial Facilities. A critical element of these sectors is their interdependencies that could create knock-on effects if one is attacked. For instance, the Energy sector is fundamental to the operation of Water, Transportation, Financial Services, etc. Similarly, the Communications sector enables Power, Financial Services, etc. These interdependencies make the cyber security of these systems even more challenging and unique.
Cyber security in all industries is essential but protecting these 16 is a national security priority. As a result, the U.S. (and other countries’) government has created organizations, partnerships, requirements, etc., to encourage, support, and monitor the cyber security effectiveness of operators of these sectors. What does this mean for asset operators?
In summary, the bar for cyber security of these sectors is increasing – both because of the increasing threats but also the requirements of governments as to what these sectors need to do to ensure they are protected. Operators need to raise the bar on their cyber security efforts. Cyber threats are increasing, and there is significant potential impact on the operator and the economy as a whole.
CISA provides a range of resources, including:
These sectors are not limited to only government or private sector operators. For instance, the Transportation sector includes regional organizations such as MARTA, CTA or other regional public transit agencies. It includes FedEx, airlines, railroads, trucking and many other private-sector enterprises. And perhaps most importantly, many of these have interdependencies between the government and private sector. For instance, a cyber attack on a federally-owned electric utility can impact the private sector power grids operating in that region. A cyber attack on key members of the Defense Industrial Base (the 300,000 small manufacturers that make critical components for the US military) can bridge to the Department of Defense operations.
This reinforces the potential impact of a cyber attack and highlights the need for these groups to work together – or at least rely on each other’s actions – for defense.
As a private sector operator, there are several key takeaways:
As a public sector operator, there are similar and additional takeaways:
The third factor driving the approach to cyber security in these critical infrastructure sectors is the presence of cyber systems that interact with physical processes and operations. The term, coined by Helen Gill at the National Science Foundation in 2006, according to the University of California at Berkeley, means:
“embedded computers and networks (that) monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa. As an intellectual challenge, CPS is about the intersection, not the union, of the physical and the cyber. It is not sufficient to separately understand the physical and computational components. We must instead understand their interaction. Therefore, the design of such systems requires understanding the joint dynamics of computers, software, networks, and physical processes. It is this study of joint dynamics that sets this discipline apart.”
Gartner recently began to use the term related to cyber security to aggregate a group of related devices and networks to bring some order to a very complex “acronym salad.”
These critical infrastructure sectors all contain various elements of the above systems.
Given the above unique challenges of cyber security for critical infrastructure, how does the Chief Information Security Officer or the person responsible for cyber security at the operator succeed?
For the past 30 years, Verve has worked with critical infrastructure operators to support them in achieving greater levels of cyber security on these cyber-physical systems.
Demand that you apply the same rigor of IT cyber security to these cyber-physical systems.
This goes against much of what the CISO or IT security leaders will hear from their OT colleagues, the ICS OEM vendors, and perhaps some OT security vendors. The standard refrain is these cyber-physical systems, especially those that directly control industrial processes, are too sensitive, old, critical, etc., to adopt similar approaches that one would take to IT devices.
Although we agree with the perspective on the uniqueness of these devices and networks, we have found that CISOs can achieve IT-like security in OT (or cyber-physical systems) by applying OT-specific toolsets with the same standards and philosophy as applied to IT security.
For 30 years, Verve has deployed our OT/CPS-specific platform to apply IT-level security controls to those systems. We call this “OTSM” or OT Security Management, similar to the Security Management approach that’s been in place for 20 years in IT. This includes comprehensive inventory based on direct access to endpoints, robust patch management, detailed vulnerability identification (not relying just on network traffic analysis), endpoint detection and response, hardened configuration, etc.
Verve often works with CISOs who have struggled with operational teams pushing back against the application of security to these systems, offering a variety of rationales – from a lack of need because the networks are “air-gapped” to inability due to operational requirements to organizational capacity limitations, etc. We have found that successful CISOs do not settle. They work through these challenges with the confidence of knowing that others have succeeded in applying these controls.
Perhaps most fundamentally, this comes down to the ability to apply endpoint security. Cyber-physical security often stops at the network – network intrusion detection or firewalls and other hardware-based solutions. The reality is that endpoint protection is possible, practical, and proactive in defending cyber-physical systems.
Point #1 should not be read to say that cyber-physical systems do not require unique approaches to security. Legacy, embedded, sensitive devices and networks require an OT-specific approach. Vulnerability scanning, automated patching (what we call spray-and-pray), WMI calls, etc., can all cause significant disruption to operations in the pursuit of security.
Over the past 30 years, Verve has tested all of these different approaches on test systems in our lab. We have built OT-specific vulnerability, patching, configuration, and other endpoint security technologies that do not risk operational reliability but do provide the same level of security and reporting as in IT.
See our OTSM Whitepaper to learn more about bringing the same level of IT cyber security practices into OT environments.
This recommendation is for both the security team as well as the operations team. It is critical to protect the cyber-physical systems and ensure ongoing operational resilience so that these two organizations – who may not regularly interact – work together to find common solutions to security challenges. The example of the Colonial Pipeline is relevant here. The incident that caused the outage was actually an IT incident, but because of the potential for the attack to spread into the operational systems, they were shut down. Close coordination between the two sides may have avoided that.
We have seen a variety of successful approaches to this “convergence.” Some organizations have assigned senior cyber-physical system leaders to the cyber security leadership team across IT and OT. Others have created a top-down objective aligned between the IT and OT teams to ensure common metrics and milestones. Still, others have created balanced scorecards where cyber security becomes an equal element of performance as they did with safety over the past 30 years.
Success often requires both sides to learn to trust the other. There is usually a history of mistrust due to “IT causing operations disruption” or the “operations teams going their own way.” Breaking down these barriers of mistrust is vital to making progress in cyber-physical cyber security.
As mentioned above, the largest barrier to successful cyber-physical cyber security is the lack of knowledgeable resources. One of the reasons for this is that cyber security is often “stuck” at the plant or facility level. Operations teams are rightfully nervous that IT would centrally manage the security of its systems. All of them (and us) have countless examples of IT impacting operations by applying security or other changes to systems without operator consent or awareness – patches on running HMIs, network device rule changes, updates to anti-virus, changes to configurations, etc. In addition, many of the security tools in place today are “stuck” at the plant or facility as well. CISOs often don’t even have visibility if they want to.
In our experience, the way to solve this challenge is what we call “Think Global, Act Local.” This means aggregating all of the asset, user, software, network and other risk and threat data into a common enterprise database where a small group of skilled resources can “think globally” – i.e., analyze data across plants or facilities to identify the greatest risks and to develop playbooks of how to remediate or respond. Our clients have found this central enterprise database reduces labor costs and resources by up to 70% versus their traditional site or facility-level approach.
“Think Global” without “Act Local,” however, is a recipe for operational disaster. “Act Local” means that while the playbooks and analysis are central, when remediating or response actions are taken, those with knowledge of the control systems are engaged and approve those actions based on the proper operations of the process. This is the key to cyber-physical security. These “physical” systems cannot easily be rebooted, stopped at the wrong time, or updated with new firmware or software without knock-on effects. Therefore, any cyber security management software needs to enable this operational control over actions – what we call “Act Local.”
Critical infrastructure cyber security differs from traditional cyber security and, therefore, requires a different approach by public and private sector entities. One of the key differences is the significant presence of “cyber-physical systems,” – i.e., those where digital systems control physical outputs. Organizations in these critical sectors need to adapt their cyber postures, given the greater risks and challenges associated with these complex environments.
Explore the crucial 4 key elements of OTSM for enhancing cybersecurity and reliability in connected industrial systems.Learn More
Learn efficient & compliant OT patching with Verve's 6-step process, ensuring streamlined operations and regulatory adherence.Learn More