Security and reliability are parallel objectives within industrial control systems. At Verve, we believe they must be accomplished together in a cohesive way. For 25+ years, we have partnered with our clients in their efforts to ensure efficient and effective systems security for their ICS environments.
We learned that technology alone is not enough. OT/ICS security and reliability require the integration of “man and machine.“
Our experiences taught us valuable lessons about what best practices exist, what is necessary to ensure uptime, how to design for defense and operational resilience, what security measures are most effective and efficient, and what maintenance functions are key to sustained success.
From this experience, we developed a philosophy that we call OT Systems Management (OTSM). We believe it is the key foundation to secure and reliable control systems. We learned that technology alone is not enough. OT/ICS security and reliability require the integration of “man and machine.”
What is OT Systems Management?
OT systems management is the active administration of operating technology systems (i.e., those that control a cyber-physical process). The key functional elements include:
These key functional elements mirror the Information Technology Systems Management (ITSM) found in things such as ITIL and CoBit standards. IT organizations have leveraged these standards to drive significant improvements in reliability, productivity and security in IT systems. OTSM leverages those well-developed guidelines, but applies them to Operating Technology.
It’s important to differentiate that systems MANAGEMENT is more than systems tracking or systems inventory. Just as in ITSM, OTSM requires active control over the processes and devices within the purview of the OT leadership.
4 Reasons Why OT systems management is critical to effective OT/ICS cyber security:
1. Reduce cyber attack risk
A lack of effective systems management leaves OT systems open to significant cyber attack risk and financial impact. Companies such as Merck, Maersk and Mondelez lost billions of dollars due to ransomware that impacted unpatched systems.
OTSM is critical to identifying solutions to protect these unprotected systems through compensating controls or through lifecycle replacements. These protection solutions rely on the core foundations of OT Systems Management to deploy the means – i.e., take actions – to achieve a more secure environment.
Thousands of unpatched critical vulnerabilities in individual plants, devices without a backup in months, and devices with anti-malware signatures without updates for over a year are a few simple examples of where OTSM identifies risks and takes actions to remediate as quickly and efficiently as possible.
2. Improve IT OT cohesion
IT OT convergence is an accelerating trend as industrial organizations strive for greater operational efficiency and reliability in production and technology.
IT leaders want to adopt the same policies, procedures, and systems management on the assets in operating environments that they have in their traditional IT systems, so OT leaders need to adapt and deliver on these expectations.
3. Measure and report on quantifiable security progress
We cannot manage what we cannot measure. Systems management allows analysis of established target metrics for IT OT asset uptime.
The NIST Cyber Security Framework and the CIS Controls are the two most used security standards, followed closely by ISO 27000-series.
They all call for the same general functional elements described in the definition of OT Systems Management. For example, CIS v7.0 Controls 3.4 and 3.5 require the use of patch management tools to ensure all OS and application software is running the latest version. This requirement is even more stringent in the case of NERC CIP for Medium and High impact sites.
As these controls are rolled out across the OT landscape to measure and report on progress, it is not surprising that these functional requirements are similar to IT Systems Management since they draw on many of the same base documents such as ITIL and CoBit.
4. Drive greater efficiency and productivity for industrial cyber security
OT Systems Management drives lower cost, greater productivity and less risk. Improved design and supply chain processes reduce the ultimate build cost of the control system; regular reviews of software leads to reduced licensing for unnecessary software, but is placed there by the standard IT configuration; ensuring robust and timely backups saves significant money when systems fail; and monitoring of logs and system performance enables preventative replacement of components before an unplanned outage shuts down the line.
OT Systems management can be defined as the judicious use of actions (means) to accomplish the security, reliability, and productivity (ends) of OT systems.
Verve’s philosophy to assist our clients make significant, measurable improvements in reliability and security is based on this notion of OT systems management. We built the Verve Security Center and the Verve Industrial services portfolio to bring efficient and effective OT Systems Management to our clients.
OT Systems Management
OTSM is the foundational element that enables reliable and secure control systems