How to Develop an Industrial Cyber Security Strategy

Opening your news feed (or reading a paper), you’ll quickly realize the increasing number of cyber-related threats to our industrial and critical infrastructure. Colonial Pipeline, JBS Meats, MolsonCoors, WestRock, and dozens of other industrial organizations have recently been compromised with ransomware, causing direct damage to their operations and external damage to the broader economy. In fact, the manufacturing and energy sectors went from 8th and 9th to 2nd and 3rd, respectively, as the most targeted industries for cyber attackers.

Regulators, insurers, and boards of directors are waking up to a significantly increased risk of operational disruption caused by cyber-attack. Governments around the world are responding by placing increasing requirements on critical infrastructure operators to secure their networks and assets.

One recent case in point is the new TSA and CISA guidelines for North American pipeline operators, establishing a set of proactive security requirements more stringent than anything ever seen outside of the power sector. Insurers are beginning to request and require OT or ICS security assessments and proof of controls. This is leading boards to ask the hard question: What is our OT or ICS security strategy?

Until now, organizations have focused exclusively on the “information” assets of companies – employee and customer records, information systems, IP, etc. In large part, this is because most of the public incidents had largely targeted or impacted those assets.

The assets that control the delivery of supplies, manufacturing, or delivery of products and services are often forgotten or excluded for a variety of reasons: lack of compliance requirements, lack of recognition of the risk, and lack of a plan to remedy. In many cases, operating companies have only a cursory overview of what exists on the ‘operations side’ of the firewall.

This whitepaper aims to provide a practical perspective to develop an effective and efficient strategy to protect the “crown jewels” of most industrial organizations – its operating technology infrastructure.

This whitepaper lays out five key components of a robust operating technology cyber security strategy:

  1. Align the right leadership: Operating technology security has different requirements from IT security given the sensitive nature of operations. Senior leaders (CEO, CFO, COO) must bring IT and OT together to establish the right leadership for success.
  2. Establish aggressive, clear, and measurable targets: Leaders should help the operational teams define what “secure” means. Organizations need to create a set of metrics by which they will measure progress towards success. The good news is there are many (perhaps too many) cyber security standards to guide that journey.
  3. Design a roadmap: OT security requires more than a single “silver bullet”. By the same token, teams quickly get mired by complexity. Successful organizations assess their gaps and define a two-to-three-year roadmap of initiatives to improve security maturity.
  4. Assign appropriate resources and budgets: The number one challenge in delivering OT security, according to practitioners, is a lack of knowledgeable resources. Once the roadmap is defined, success requires that human resources (whether internal or external) and budgets are allocated to the level of security desired.
  5. Measure and report: OT security requires a continuous improvement mindset. Regulators and boards demand demonstrable progress. The final step is to monitor improvement over time, update status and risk as new threats emerge, and measure maturity as the overall program evolves.

These steps – taken from the basic tenets of business strategy research – create a clear, high-return cyber security strategy to drive improved results and provide visibility to critical C-suite and board of directors’ stakeholders.

Step 1: Align the right leadership

CEOs traditionally delegate cyber security to IT or a CISO function. In the case of Industrial Control Systems (ICS) or Operating Technology (OT) cyber security, the CEO or a senior representative of the C-suite should take a more active role in guiding the organizational dynamics. In most organizations, CISOs have an IT background in servers, workstations, networking, etc. So, while the relationship between IT and security is far from perfect, they mostly speak the same language.

Unlike with IT systems, the ownership of OT assets – manufacturing control systems, logistics systems, PLCs that control distributed pipeline networks, etc. – normally sits within the manufacturing or operations organization, not in IT. And so it follows that the world of the CISO and that of the VP of Operations, Manufacturing, Logistics, etc. are, in most organizations, very separate.

OT is often separated from IT because of the unique nature of the end devices and the complex and proprietary networking installed to make these systems work. In many cases, the IT staff does not even have a view of the inventory of assets in the operational environment.

Furthermore, because these devices are proprietary in nature, many of the traditional security approaches may not work and may even damage the very systems they are intended to protect, creating unplanned outages.

As a result, someone – likely the CEO or a senior delegate – needs to choose an organizational model to bridge these two worlds to manage the inherent conflict. There is often a false trade-off seen as “security vs. operational reliability”. The reality is that the appropriate security approaches can, in fact, improve, not reduce, reliability.

To achieve this, the C-suite begins by gaining alignment through joint working sessions, a balanced OT security governance model, and agreement on cyber security program objectives, so that the whole team shares the ultimate intent: a more secure AND more reliable operation.


Step 2: Establish aggressive, clear, and measurable targets

In a corporate or business unit strategy, successful practitioners always establish targets and objectives prior to defining their action plan. But when it comes to cyber security, why can’t organizations answer the questions “what is our goal?” or “what does distinctive performance vs. average performance look like?” The fundamental problem is that the threat landscape is constantly evolving, and success is like proving a negative – i.e., “we’ve never been hacked, so we must be secure”.

Successful industrial cyber security begins with clear, ambitious, measurable targets. To paraphrase Lewis Carroll, “If you don’t know where you are going, any road will take you there.” Too often leadership states “we want to secure our operational technology”, and junior teams head off to find tools or technologies that provide some form of security. Many “proofs of concept” are completed. Many meetings are held. Pilots happen. But in a year, it is still unclear whether the organization is more secure…or even if any of the efforts were directed at the “right” set of objectives.

So, how can leaders with little OT cyber experience set those targets? The great news is there is a range of standards available – from ISA99/IEC 62443, to CIS Top 18 Controls, to NIST CSF, to NERC-CIP, to ISO 27001. None of these is perfect, but do not let perfect get in the way of the good.

As a high-level direction, the NIST CSF is a great starting point. It defines five core elements (which NIST calls Functions): Identify, Protect, Detect, Respond, and Recover, each with its own sub-elements, and it has been the leading choice of industrial security practitioners.

[Figure: Verve functionality overlaying the NIST CSF]

Each of these cyber security frameworks offers “maturity” or “compliance” tiers or levels. Some, like the CIS Top 18, are prescriptive, providing measurable standards as to whether an organization is at level 1, 2, or 3 on any individual metric. But when starting out on your cyber security journey, even a high-level framework provides direction to the project. Then the organization can tailor – in line with its unique operational and cultural character – the metrics and scoring criteria to measure against.

Without these metrics, organizations get lost in poorly defined objectives such as “identify assets” or “detect threats”. Use a framework to establish measurable results. It reduces the risk of ineffective activity with little gain in the way of true security maturity.

But what about timing? Not all of the goals are achievable at once. And, importantly, certain objectives rely on prerequisite steps. Therefore, we lay out a maturity curve objective that builds on early steps to grow security over time. This curve should have firm, hard deadlines so teams know what their objectives are and when those objectives need to be achieved.

An example below shows how an organization measures the initial starting point and then how that improves over time.


Step 3: Design a roadmap of initiatives

A robust security program matures over time and needs a roadmap to provide direction on priorities and sequencing.

Almost every roadmap should begin with a robust assessment. If you don’t know where you are, it’s hard to know where you are going. In a desire to make progress, staff may quickly pursue specific security elements: network segmentation, asset inventory, threat detection. However, this quick-fix approach often leads to rework or slow progress. Conducting a detailed asset-by-asset risk assessment enables leadership to understand where the greatest risks exist and the kinds of initiatives that effectively address those risks.

The below diagram is one example of such an assessment, providing specific gaps to close:

[Figure: typical findings from vulnerability assessments]

The assessment forms a clear “portfolio of initiatives” to build your cyber security program from the ground up. There is an appropriate sequence to security as certain elements provide the foundation for other elements.

The term “initiative” is important in this context. An initiative should deliver an outcome, not just take an action. All too often, cyber security programs become a series of tool deployments, training programs, and playbook generation. Many times, the outcome and goal are forgotten in the pursuit of the actions. Initiatives are a set of actions that taken together deliver an outcome.

The below diagram shows the kind of sub-initiatives in each element of the NIST CSF. This demonstrates how the components fit together and elements build on each other for increasing levels of security over time.

[Figure: cyber security roadmap]

For instance, we often find that the first initiative is to build an inventory of asset vulnerabilities and risks. This is often translated as “asset inventory”. However, it is key that the “initiative” include the ultimate objective – i.e., a “360-degree” risk view of the environment. This then directs the team to an outcome – i.e., a database that aggregates vulnerabilities, configuration insecurities, user and account insecurities, network insecurities, etc., and is managed over time.

The initiatives form the direction for teams to execute on their program development and deployment into maintenance.

Considering this an “initiative” reduces the likelihood of ending up with a stream of new tools, each requiring new skills just to manage them. And perhaps most importantly, by framing individual initiatives within the broader context of the overall program, more intelligent and valuable decisions are made early on, paying off repeatedly over the entirety of the program.

For example, an inventory that only captures a cursory list of IP addresses and vendors will be insufficient when building other parts of the program. User review and management, vulnerability and patch management, and incident response and disaster recovery keep coming back to asset profiles. Knowing this at the start puts a high emphasis on data quality at the inventory phase.


Step 4: Assign appropriate resources

Once leadership agrees on a roadmap, the next step is to ensure resources are assigned to deliver results. The “portfolio of initiatives” prioritizes the sequence of steps and the areas of greatest risk and security improvement. These are then linked to resources and budgets.

According to recent KPMG surveys, 58% of OT security practitioners say the #1 challenge is a lack of adequately skilled resources to deliver the cyber security objectives. Cyber security talent is in short supply, and for those with true OT security knowledge, the pool is even smaller. As in any enterprise-wide program, success begins by defining leaders for the program as well as for each initiative. OT security often requires leveraging third-party resources, as the availability of internal OT security experts is often limited.

Further, by breaking things down into smaller “initiatives,” budgets are seen granularly rather than as one big bucket of “cyber security”. Each initiative is budgeted and tracked at an individual level, and the overall security maturity of your organization is measured, tracked, and reported.

Too often, companies do not have a measurable way to set cyber security budgets because there is no clear outcome to measure success against. The above process enables companies to create a fact-based set of potential outcomes and targets. This model is similar to the way companies would assign maintenance budgets or control upgrade budgets.


Step 5: Measure and report

No cyber security strategy is successful without measurement and reporting. As outlined above, a clear objective is critical to an effective cyber security strategy. By setting those objectives and building a measurement and reporting culture and capability, senior management understands the initiatives driving improvement, those that are falling behind, and most importantly, where to add new initiatives to close gaps that were unforeseen in the initial strategy setting. The notion is that these initiatives must iterate over time as new learnings and information emerge.

Measurement and reporting provide three critical results:

  1. Measured success of the portfolio of initiatives. All too often, cyber programs devolve into the deployment of a set of tools to solve each seemingly new individual threat. This is impossible for senior management to assess or measure. By breaking goals down into specific initiatives, each with clear, objective measurement, senior management now has transparency into whether initiatives are delivering the effects as intended. For instance, one company told us the story of its success in deploying backup tools in each facility. Unfortunately, they were not regularly measuring whether those backups were actually occurring or whether the backups they received were correct. When an incident happened, they realized that no backups existed: the tool had been deployed, but the actual objective of that “initiative” had not been achieved. Measuring the right things and providing transparency with clear metrics is critical.
  2. Determine where new or additional resources are required. Not all initiatives will be equally successful. By tracking on a regular basis, management sees where certain initiatives are not achieving their desired outcomes and where more or different resources are necessary. For instance, in many cases, the equipment in control systems is old, and many of the latest security features are not available or cannot safely be applied. To achieve improved cyber security, these devices will need to be switched out over time. With a clear set of metrics, measures, and reporting, senior management plans and tracks the replacement of these older systems as part of an overall program. And in cases where the pace is falling behind desired objectives, leadership can reassign resources as necessary to complete them.
  3. Add new initiatives, or replace old ones, where appropriate. One of the most common examples has been protecting against malware in control systems. Most cybersecurity programs started with the deployment of anti-virus solutions, as in the IT world. However, after a month or a quarter, the signature files of most of these systems become out of date, as the operators do not want to patch running control systems. So, by measuring the true effectiveness of these anti-virus solutions with metrics such as the most recent update dates, management finds that an alternative solution for that initiative – i.e., application whitelisting – is critical to achieving the original objective. Without detailed reporting on the dates of anti-virus updates, this issue might have gone unnoticed until an incident happened.
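The two stories above (backup tools deployed but never verified, and anti-virus signatures silently going stale) both come down to measuring the outcome rather than the deployment. As an added example, not from the whitepaper or from any Verve product, the script below scores a constructed OT asset inventory per site on exactly those two outcomes; the asset names, sites, dates and freshness thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    site: str
    av_signature_date: Optional[date]   # last AV signature update; None if no AV installed
    last_backup_date: Optional[date]    # when the backup tool last reported a backup
    backup_verified: bool               # True only if a restore test or checksum check passed


# Thresholds are assumptions for illustration, not figures from the whitepaper.
AV_MAX_AGE_DAYS = 30
BACKUP_MAX_AGE_DAYS = 7


def av_effective(asset: Asset, today: date) -> bool:
    """Anti-virus only counts as effective when its signatures are recent."""
    if asset.av_signature_date is None:
        return False
    return (today - asset.av_signature_date).days <= AV_MAX_AGE_DAYS


def backup_effective(asset: Asset, today: date) -> bool:
    """A backup only counts when it is both recent and verified (a deployed tool is not the outcome)."""
    if asset.last_backup_date is None or not asset.backup_verified:
        return False
    return (today - asset.last_backup_date).days <= BACKUP_MAX_AGE_DAYS


def initiative_report(assets: List[Asset], today: date) -> Dict[str, dict]:
    """Per-site effectiveness percentages plus the assets that need action, for the status report."""
    report: Dict[str, dict] = {}
    for site in sorted({a.site for a in assets}):
        site_assets = [a for a in assets if a.site == site]
        n = len(site_assets)
        av_ok = sum(av_effective(a, today) for a in site_assets)
        bk_ok = sum(backup_effective(a, today) for a in site_assets)
        report[site] = {
            "assets": n,
            "av_effective_pct": round(100 * av_ok / n),
            "backup_effective_pct": round(100 * bk_ok / n),
            "action_needed": [a.name for a in site_assets
                              if not (av_effective(a, today) and backup_effective(a, today))],
        }
    return report


# Constructed sample inventory (hypothetical assets and dates).
TODAY = date(2021, 7, 1)
SAMPLE_ASSETS = [
    Asset("HMI-01", "Plant A", date(2021, 6, 28), date(2021, 6, 30), True),
    Asset("HIST-01", "Plant A", date(2021, 3, 15), date(2021, 6, 30), True),   # AV signatures stale
    Asset("EWS-01", "Plant B", date(2021, 6, 25), date(2021, 6, 29), False),  # backup never verified
    Asset("PLC-GW-01", "Plant B", None, None, False),                         # no AV, no backup at all
]

if __name__ == "__main__":
    for site, metrics in initiative_report(SAMPLE_ASSETS, TODAY).items():
        print(site, metrics)
```

Run against a real inventory export, the same per-site percentages tracked month over month are the kind of trend line the whitepaper asks leadership to review.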

This very detailed tracking enables an organization to continuously measure success against specific controls and the overall program, as evidenced below.

[Figure: Verve NIST maturity tracking]

Remember that reporting does not need to be onerous. Automated solutions to gather data across multiple control systems now exist to reduce the burden and increase the effectiveness of such reporting.


Cyber security strategy can learn from the basics of corporate strategy development. Control system cyber security strategy has been overlooked for many years as the regulations, compliance, tools, and dollars have focused on “information system” security.

We believe that an appropriate cyber security strategy for most companies would identify control systems as a critical area in which to contend with adversaries and protect the safe, reliable, expected operation of their facilities.

A five-step process ensures focus on the right assets to protect and builds a program over time that delivers measurable cyber security improvement linked to the operational budgets of the business.
