In modern history, holidays and special occasions involve the giving of a gift or investment.  More often than not, gifts are not useful, and the recipient regifts them or tosses them away unused after some time.  In cyber security, the gift is money spent, and once it is spent (especially if wrongly applied), it's usually gone.

In many Operational Technology (OT) environments, organizations invest in cyber security products and are cautious about investing in new solutions without fully utilizing what they already possess.  Unfortunately, “failed” investments cannot be regifted to recover the losses in time, effort, and budgets, so it is critical to choose wisely when securing your organization and to start small in a cost-conscious manner.

A few activities that help in that process:

  • Determine what you already have invested in and deployed in your environment from an asset perspective
  • Evaluate how much utility current investments provide, and whether they could be utilized further to ensure maximal benefit
  • Derive a risk-based approach that is holistic, but appropriate to your environment
  • Realize technology may not eliminate risk, but it may reduce efforts in other categories long-term if foundational capabilities are implemented
  • Prioritize efforts to raise the bar for security today, but also to enhance future technology
  • Commit to, and focus on the delivery of selected activities and technology for security enhancement
  • Recognize security is a maintenance activity, not a project with an end date

Before signing off on an industrial cyber security investment, make sure it is a solid gift to the OT security capability portfolio and addresses tangible pain points, rather than one that largely does not benefit the organization. Conversely, several gifts can be combined for savings and have impressive longevity, assuming you don’t need the maximum bells and whistles. Similarly, organizations may require many upgrades to reach a sufficient level of security, but some “select gifts” may provide measurable ROI by easing administration and reducing disruptive events over their security journey, instead of starting from scratch and overwhelming themselves with change paralysis.

For example, imagine you have a friend moving out on their own during the holidays, and they need average cooking equipment, so you could:

  • Get them niche equipment that is limited in application and would rarely be used
  • Get a very expensive set of items that does everything but requires a commercial gas stove
  • On a budget, purchase quality foundational elements used for most cooking and eating situations
  • Buy them a rock with googly eyes and let them starve

Instead of giving your friend the rock with the googly eyes, choose any of the other three options. Or with a very modest and well-meaning effort, get the person a few basic pots and pans, basic cooking preparation tools, a cutting board, and a small dining set.  Obviously, it’s better than rarely used gadgets, so the budget option is likely the most intelligent.

This way, the friend can also choose to extend their cooking setup as they go or replace items as needed.  It is certainly a pragmatic approach, but one that mimics what is needed in Industrial Control System and Operational Technology environments for the most part – the need for quality basics that enable other investments and human efficiency enhancements.

Needless to say, Verve helps industrial organizations achieve a variety of cyber security objectives or multiply other investments, but nonetheless, our mission is to keep the lights on, the water flowing, and society safe.  Verve’s strategy aims to assist asset owners by helping them implement fundamental capabilities as gifts that keep on giving.

Seven gifts an asset owner can benefit from, assuming a reasonable level of commitment:

  • If you have Windows systems, they can be managed and hardened through many native OS features such as Active Directory (AD) and Group Policy Objects (GPO).
  • Standardize and maintain hardened “golden” images for common asset types in your OT environment as a way to improve security going forward.
  • Deploy asset endpoint security strategies including native OS functionality, anti-malware, backup software, policy enforcement agents, and application whitelisting to add extra compensating controls to hosts.
  • Virtualize a number of Windows systems and applications as a step towards moving to the cloud (should that ever happen) while improving hardware dependencies, reducing chances of failure, and improving backups/testing. Cloud or not, you will wish you had done it before in many situations.
  • Examine and enforce proper user account hygiene, policy, and maintenance on hosts, devices, and applications, but especially on systems that are used for remote access/desktop or Virtual Private Network connections.
  • Use asset endpoint management strategies to enumerate all users, policies, applications, and logs for a host system, and help administrators ensure their environments can be quickly interacted with, but also accurately synchronized with expectations (e.g., we have 0 end of life systems, but in reality, we have X). This is also critical for transient assets to be managed correctly when they operate in untrusted environments.
  • Modernize your network infrastructure for future increased usage of remote access (think Secure Remote Access), VLANs, micro segmentation, and other separation measures used to secure your organization’s sites, zones, and conduits. Many of these features and assets can be monitored and controlled through endpoint management, which further helps them achieve their fullest security contribution over their operational lifetime.
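
The account-hygiene and endpoint-enumeration items above come down to comparing what the organization believes with what its hosts report. The sketch below is an added example, not Verve code: the inventory records and their field names are constructed, the 90-day idle threshold is an assumption, and the end-of-support dates are Microsoft's published ones.

```python
from datetime import date

# Microsoft end-of-support dates; extend this table for your own fleet.
EOL = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Constructed sample of an endpoint-management export (hypothetical field names).
INVENTORY = [
    {"host": "HMI-01", "os": "Windows 7", "remote_access": False,
     "accounts": [{"name": "operator", "enabled": True, "last_logon": date(2024, 5, 30)}]},
    {"host": "ENG-WS-02", "os": "Windows 10", "remote_access": True,
     "accounts": [{"name": "vendor_svc", "enabled": True, "last_logon": date(2023, 1, 12)},
                  {"name": "jsmith", "enabled": True, "last_logon": date(2024, 5, 28)}]},
    {"host": "HIST-01", "os": "Windows Server 2012 R2", "remote_access": True,
     "accounts": [{"name": "old_admin", "enabled": False, "last_logon": date(2021, 3, 2)}]},
]

def eol_hosts(inventory, today):
    """Hosts whose OS is past its end-of-support date as of `today`."""
    return [h["host"] for h in inventory
            if h["os"] in EOL and EOL[h["os"]] <= today]

def stale_accounts(inventory, today, max_idle_days=90):
    """Enabled accounts idle longer than max_idle_days, remote-access hosts first."""
    hits = []
    for h in inventory:
        for a in h["accounts"]:
            idle = (today - a["last_logon"]).days
            if a["enabled"] and idle > max_idle_days:
                hits.append((h["host"], a["name"], idle, h["remote_access"]))
    # Remote-access hosts sort first, then longest-idle accounts.
    return sorted(hits, key=lambda x: (not x[3], -x[2]))

def reconcile(expected, inventory, today):
    """Return {metric: (expected, observed)} for every metric that disagrees."""
    observed = {"eol_systems": len(eol_hosts(inventory, today)),
                "stale_enabled_accounts": len(stale_accounts(inventory, today))}
    return {k: (expected.get(k), v) for k, v in observed.items()
            if expected.get(k) != v}

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(reconcile({"eol_systems": 0, "stale_enabled_accounts": 0}, INVENTORY, today))
    for row in stale_accounts(INVENTORY, today):
        print(row)
```
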

These are seven areas among the many you could explore, and some will require more lift than others. However, many of these can be executed in order, some can be combined, and some can be complete initiatives on their own.  The point is, there are things that can be done on a low budget that keep giving back to the organization’s true needs, and if they are done for the right “price” and the organization minimizes disruptive events (or goes without them), then they did their job.

After all, aren’t we trying to give our organizations and customers gifts that keep giving back positively over a reasonable period of time to achieve a reasonable level of gains for the investment?  I thought so, and it’s an honest conversation we are willing to have to help the customer secure their environment.

 

 

 
