For those of you that follow Verve Industrial and this blog, you have heard us call for a new approach to OT/ICS security and describe “How To” achieve OT Systems Management maturity. We have also called for new policies and procedures leveraging a single OT security management platform.
Some have asked, however: What exactly is OT Systems Management and why is it critical to OT Security?
This blog seeks to answer those two preliminary questions of the What, Why & How of OT/ICS Systems Management.
What Is OT/ICS Systems Management?
OT systems management is the active administration of operating technology systems (i.e., those that control a cyber-physical process). The key functional elements include:
- Asset Inventory Management
- Lifecycle management, including: defining system requirements to achieve desired physical system outcomes, establishing specifications to ensure reliability and security, supply chain management and control over these systems, and replacement of outdated components
- Configuration management
- Patch and vulnerability management
- Network and system design
- User and account management
- Log and performance monitoring for reliability and security
- Incident and trouble response
- Backup and restore
These key functional elements mirror the Information Technology Systems Management (ITSM) found in standards such as ITIL and CoBit. IT organizations leverage these standards to drive significant improvements in reliability, productivity and security in IT systems. The above definition leverages those well-developed guidelines but applies them to Operating Technology.
Critical to the above description is that systems MANAGEMENT is more than systems tracking or systems inventory. Just as in IT Systems Management, OTSM requires active control over the processes and devices within the purview of the OT leadership.
“Management” is defined by Merriam-Webster’s as an active, not passive term. One of the top definitions reads: “a judicious use of means to accomplish an end”. That seems like a great definition for what should be the definition of Operating Technology Systems Management – a judicious use of actions (means) to accomplish the security, reliability, and productivity (ends) of OT systems.
Systems management must include more than monitoring. It must include more than having visibility of the devices in your network. It must include more than replacing assets when they stop working or when the budget is available for an upgrade.
If we are to achieve the security and reliability – and frankly the innovation necessary to compete in the 21st century – we need to actively manage these systems by regularly updating them with software patches, removing dormant and unnecessary accounts, ensuring configurations are reset to secure baselines, monitoring performance to act on troubled devices before they die, etc.
4 Reasons Why OT Systems Management is Critical to OT/ICS Security
At this year’s S4 ICS Cyber Security conference, Rebekah Mohr of Accenture discussed the risk of relying on the “silver bullet” of anomaly detection for OT/ICS security in her presentation, “Shiny Object Syndrome… Is OT Anomaly Detection Worth It?”
To summarize her point: OT/ICS security is much more than deploying sensors to monitor for network anomalies. It requires the consistent application of secure design, vulnerability and patch management, lifecycle management to upgrade insecure devices, implementing secure policies and procedures, etc.
While she did not use the term OT Systems Management, the message she sent was very similar – i.e., to truly secure OT/ICS systems, you need to manage those systems as we do IT systems.
A lack of effective systems management leaves OT systems open to significant cyber attack risk and financial impact
Within the past couple of years, the lack of effective OT systems management cost companies such as Merck, Maersk and Mondelez billions of dollars due to ransomware that impact unpatched systems. Over the next several years, the sunsetting of Windows 7 support will create a dramatic “legacy device” problem for operations leaders everywhere (not to mention XP!).
OTSM is critical to identifying solutions to protect these unprotected systems through compensating controls or through lifecycle replacements. These protection solutions rely on the core foundations of OT Systems Management to deploy the means – i.e., take actions – to achieve a more secure environment.
In our work with industrial clients, we have recognized that a lack of OT Systems Management creates significant OT Security risk – thousands of unpatched critical vulnerabilities in an individual plant, devices which have not had a backup in months, devices with anti-malware signatures that haven’t been updated for over a year. And these are the simple ones.
It is critical to OT/ICS Security, not only that we know that these risks exist, but also that we take actions to remediate as quickly and efficiently as we can.
IT-OT convergence drives the increasing need for consistent systems management
Over the past several years, OT Security has become a greater concern of the C-suite and is becoming a greater focus for the CIO and CISO. Not surprisingly, IT leaders want to adopt the same policies, procedures, and systems management on the IT equipment in operating environments.
Most recognize there is a big difference between a PLC or VFD and a laptop or cloud server. However, they want to apply the same principles of Systems Management that have been effective in IT for years. Operating Technology leaders need to find a way to adapt and deliver on these expectations.
To see how critical these functions are in security, one only needs to look at where the open jobs are. Open positions directly tie to the relative effort taken on different elements of security. CyberSeek, the database generated by NICE/NIST of open jobs in cybersecurity, identifies 7 different functional roles.
Approximately 75% of the 500,000+ open cybersecurity positions in the United States are functionally considered “Systems Management” – patch and vulnerability management, configuration, network management, log management, etc. Less than 10% of the open jobs, according to CyberSeek, are related to “data analytics” or “threat hunting”. By this data, systems management is roughly 75% of security.
OT systems management allows you to measure and report on quantifiable progress
One of the most heated debates in cyber security is whether compliance with standards actually makes an organization more secure. This blog does not intend to try to solve that question. However, the reality is that, regardless of what one believes, organizations look to standards for guidance on how they are doing. It is almost impossible for a CEO or board of directors to ascertain how “secure” or “insecure” the organization is without some metrics and guidelines.
According to SANS 2019 State of OT/ICS Cybersecurity Survey, the NIST Cyber Security Framework and the CIS Controls are the two most used security standards, followed closely by ISO 27000-series.
All of these standards call for the same general functional elements described in the definition of OT Systems Management, above. For instance, CIS v7.0 Controls 3.4 and 3.5 require the use of patch management tools to ensure all OS and application software is running the latest version. This requirement is even more stringent in the case of NERC CIP for Medium and High impact sites.
As these controls are rolled out across the OT landscape, they measure and report the cyber security maturity progress an organization is making. It is not surprising that these functional requirements are similar to IT Systems Management since they draw on many of the same base documents such as ITIL and CoBit.
OT systems management drives greater efficiency and productivity
Over the past decade, Verve has worked with customers to implement these OT Systems Management practices and tools. From this experience, it is clear that OT Systems Management drives a significant and rapid increase in over OT Security maturity.
However, many are likely asking, “How can we afford to execute all of the functions listed in the ‘what is OTSM’ section? Regular patching, configuration, lifecycle, backup and other management will surely be expensive, time and labor consuming”.
The reality is that with the right approach, OT Systems Management drives lower – not higher – cost, greater productivity and less risk. Improved design and supply chain processes reduce the ultimate built cost of the control system. Regular reviews of software often leads to reduced licensing for software that is not needed on OT systems, but is placed there by the standard IT configuration.
Ensuring robust and timely backups saves significant money when systems fail – even not from a cyber event. Monitoring of logs and system performance enables preventative replacement of components before an unplanned outage shuts down the line. All of these items have little to do with cyber security protection.
Obviously, avoiding cyber events has a massive financial impact. But using the right OT Systems Management tools and procedures radically reduces the cost of cyber security as well. With the right technology, vulnerability management, patching, configuration management, log management, user and account management, etc. it can be done at scale with fewer resources than if the organization was doing these activities ad hoc, without a consistent OT Systems Management approach.
OT Systems management can be defined as the judicious use of actions (means) to accomplish the security, reliability, and productivity (ends) of OT systems. And by building these capabilities organizations can significantly reduce their risk as well as lower their operational costs.
If you are now asking – well all this sounds great, but “how” can our organization execute on a more effective OT Systems Management approach, please read our white paper.