The need to address OT (operational technology) cyber risks has never been greater. New threats are emerging every day – both targeted attacks and the collateral damage of untargeted ones.
OT challenges in risk identification and remediation:
- Old systems that can’t be updated to address known vulnerabilities without significant capital expenditure to upgrade an entire control system
- Critical systems that cannot be patched (patching requires reboots), either for operational risk/performance reasons or because of regulatory change-management constraints
- Wide range of endpoints that cannot be scanned safely with traditional vulnerability scanning tools
While these challenges are real, we do not need to accept the conventional wisdom that we can only monitor our asset counts and detect potential threats through anomaly detection. The real challenge is the lack of clear visibility into the holistic risk picture of each endpoint and into how to reduce and remediate those risks in the most cost-effective way. What is needed is, essentially, a true risk-based endpoint protection plan.
Many point to the fact that OT environments do not have an accurate asset inventory. Although this is absolutely true, the challenge runs deeper than just knowing what PLCs or drives or controllers are on the network. A true risk perspective requires having the depth of information and remediation actionability that has become commonplace in ITSM programs.
ITSM best practices to leverage for OT risk management:
- Full, accurate and up to date software inventories
- Accurate patch status (not just what the OEM-vendors provide as approved or what OS-version the device is operating, but full visibility into all available patches across all application software on the endpoint)
- Up-to-date information on anti-virus signature status or application whitelisting status
- Information on whether the device has a recent backup and whether that backup was successful
- Firewall configuration strength for the network protection that is supposed to be defending that asset
- User and account status: whether the device has shared passwords or accounts, dormant accounts, etc.
- Asset criticality both to the operational process as well as to the network communications
- Efficient tools to harden assets or network architectures with no risk to operations
We have seen several companies successfully take a true endpoint risk management approach to their cyber defense efforts. This approach provides an OT-specific way of conducting ITSM (what we call OTSM or OT Systems Management) as well as greater “defense-in-depth” than relying only on monitoring or detection as the line of defense.
5 steps for successful OT endpoint risk management:
- Gather deep, vendor-agnostic endpoint visibility, including:
  - 100% software inventories
  - full patch status on all the application software as well as the OS
  - detailed and regular information on configuration settings, passwords and user accounts
  - defensive tool status such as A/V and whitelisting
  - network configuration rules and settings, to understand network defenses
  - asset criticality based on process and network
- Create risk scores based on this rich data of which assets are most critical and most at risk
- Build remediation plans based on the feasibility of different approaches: configuration hardening, patching, network protection hardening, locking down endpoint protection elements, etc. on an asset-by-asset basis
- Use tools to automate this process and drive efficiency of managing these devices for the OT technicians in the plant or OT environment
- Establish a set of OTSM guidelines and procedures that are OT-specific, but provide similar functionality as their IT brethren
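As an added illustration of steps 1 to 3 (not code from the original article), a small risk-scoring and remediation-planning model over the kind of endpoint data listed above; the field names, weights, sample assets and remediation wording are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    process_criticality: int    # 1 (low) .. 5 (production/safety critical)
    network_criticality: int    # 1 .. 5, how much of the network depends on it
    missing_patches: int        # OS plus all application software, not only OEM-approved
    patchable: bool             # False when no reboot window is available
    av_or_whitelisting_ok: bool
    backup_recent_ok: bool
    firewall_hardened: bool     # upstream rules actually restrict traffic to this asset
    shared_accounts: int
    dormant_accounts: int

WEIGHTS = {"patch": 3, "av": 2, "backup": 2, "firewall": 3, "account": 1}  # constructed weights, not a published scheme

def exposure_score(a: Asset) -> int:
    """Weighted sum of findings from the gathered endpoint data; 0 means nothing found."""
    return (WEIGHTS["patch"] * min(a.missing_patches, 5)   # cap so a raw count alone cannot dominate
            + WEIGHTS["av"] * (not a.av_or_whitelisting_ok)
            + WEIGHTS["backup"] * (not a.backup_recent_ok)
            + WEIGHTS["firewall"] * (not a.firewall_hardened)
            + WEIGHTS["account"] * (a.shared_accounts + a.dormant_accounts))

def risk_score(a: Asset) -> int:
    # criticality x exposure: a critical but clean asset still ranks low
    return max(a.process_criticality, a.network_criticality) * exposure_score(a)

def remediation_plan(a: Asset) -> list[str]:
    """Choose actions by feasibility: patch where a reboot is allowed, otherwise compensate."""
    checks = [
        (a.missing_patches > 0, "apply patches" if a.patchable
         else "no reboot window: harden configuration and restrict upstream firewall rules"),
        (not a.av_or_whitelisting_ok, "refresh A/V signatures or enforce application whitelisting"),
        (not a.backup_recent_ok, "take and verify a backup before any other change"),
        (not a.firewall_hardened, "tighten the firewall rules protecting this asset"),
        (a.shared_accounts + a.dormant_accounts > 0, "remove shared and dormant accounts"),
    ]
    return [action for failed, action in checks if failed]

def rank_assets(assets: list[Asset]) -> list[Asset]:
    return sorted(assets, key=risk_score, reverse=True)  # highest risk first

# Constructed sample inventory for illustration, not real plant data.
SAMPLE_ASSETS = [
    Asset("hmi-line1", 5, 3, 4, False, False, True, False, 1, 2),
    Asset("eng-ws-02", 2, 4, 2, True, True, False, True, 0, 0),
    Asset("historian", 4, 5, 0, True, True, True, True, 0, 1),
]
```

Calling `rank_assets(SAMPLE_ASSETS)` orders the constructed inventory as hmi-line1, eng-ws-02, historian, and `remediation_plan` gives the non-patchable HMI compensating controls instead of a patch.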
This approach has led to significant, rapid improvements in these companies' OT cybersecurity maturity that are demonstrable through metrics, whether measured against NIST CSF, CIS CSC20, IEC-62443 or other standards.