Critical infrastructure organizations that rely on operational technology (OT) for their core business are increasingly concerned that they’re under constant attack. According to figures in the Ransomware Marketplace report from incident response company Coveware, the average ransomware incident now lasts 16.2 days, up from 12.1 days in the third quarter of 2019. That amounts to a huge financial loss if it affects the availability of an OT system, as we saw when LockerGoga hit Norsk Hydro last year. The discovery of critical device vulnerabilities is also rapidly increasing, including zero days like TRITON/TRISIS in Triconex safety controllers and the URGENT/11 RTOS vulnerabilities.
It’s now more critical than ever to implement a strong OT security program to not only reduce downtime risk from threats like ransomware, but also ensure that your team can quickly respond and recover in case of an incident. Here are 3 key features to incorporate when planning your OT cybersecurity program:
- Adhering to a GRC Framework
Using a governance, risk and compliance (GRC) framework to guide OT network security implementation helps you do the right things in the right order. There are many different frameworks out there, including the NIST CSF, ISA99/IEC 62443, CIS Critical Security Controls and, if you work for a North American utility, the NERC CIP regulations. Despite the diversity of GRC options out there, one thing they all have in common is establishing hardware and software inventories as a critical first step.
As companies mature their security, they then advance to areas like vulnerability management, access control, threat detection and incident response. Whichever framework you choose, adhering to one gives you specific guidance on a task that is often difficult to execute well: securing critical OT systems.
- Establishing a Robust Asset Management Process
For an OT security strategy to be effective, you need to see the big picture first, so the foundation of any solid security program should be asset management (which is why every GRC framework starts with identifying your assets). Knowing what you have in your network means you understand what you’ve been tasked with protecting. Using this data, you can then piece together a complete picture of the current state of the network, including what is talking to what and where the riskiest devices lie. Keeping tabs on assets and their activity also establishes a baseline of “known good” that you can work toward restoring if an incident ever occurs.
How you collect this information is largely a question of what resources are available to you. A smaller company may have to rely on more manual methods if it doesn’t have the budget to purchase tools or hire a security consultant, while a larger company may choose to invest in a security platform that collects asset data automatically or to hire an OT security consultant to help complete this critical first step. However you choose to implement it, once you’ve mastered asset management, you can then begin to execute more advanced network protection methods like identity and access management, network segmentation and intrusion detection.
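The inventory-and-baseline idea from this section, shown as a small added example (not code from the article or from any product it mentions): conversation records of the kind a passive network monitor produces are reduced to a per-host inventory, a “known good” set of conversations is learned from one window, and a later window is diffed against it. The record layout (source, destination, protocol, port), every address, and the “more peers means more exposure” ranking heuristic are constructed assumptions for the illustration.

```python
"""Passive asset inventory and "known good" baseline for an OT network.

Added illustration for the asset-management section; not code from the
original article or from any product it mentions. The conversation record
layout (src, dst, protocol, port) and every address below are constructed.
"""
from collections import defaultdict

# Constructed sample: conversations seen during a known-good learning window.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", "modbus", 502),
    ("10.0.1.10", "10.0.2.21", "modbus", 502),
    ("10.0.1.11", "10.0.2.20", "s7comm", 102),
    ("10.0.3.5", "10.0.1.10", "https", 443),
]

# Constructed sample: conversations seen in a later monitoring window.
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", "modbus", 502),
    ("10.0.1.11", "10.0.2.20", "s7comm", 102),
    ("10.0.3.5", "10.0.1.10", "https", 443),
    ("10.0.9.77", "10.0.2.20", "modbus", 502),  # host never inventoried
    ("10.0.1.10", "10.0.2.21", "ssh", 22),      # known pair, protocol not in baseline
]


def build_inventory(flows):
    """Map each host to the peers it talks to and the (protocol, port) pairs it uses."""
    inventory = defaultdict(lambda: {"peers": set(), "protocols": set()})
    for src, dst, proto, port in flows:
        for host, peer in ((src, dst), (dst, src)):
            inventory[host]["peers"].add(peer)
            inventory[host]["protocols"].add((proto, port))
    return dict(inventory)


def most_connected(inventory, n=3):
    """Rank hosts by peer count (assumption: a crude exposure heuristic for triage)."""
    return sorted(inventory, key=lambda h: (-len(inventory[h]["peers"]), h))[:n]


def diff_against_baseline(baseline_flows, observed_flows):
    """Classify each observed conversation that is absent from the known-good baseline."""
    base_inv = build_inventory(baseline_flows)
    base_conv = set(baseline_flows)
    base_pairs = {(s, d) for s, d, _, _ in base_conv}
    findings = []
    for src, dst, proto, port in observed_flows:
        if (src, dst, proto, port) in base_conv:
            continue  # exact match with known good, nothing to report
        unknown = tuple(h for h in (src, dst) if h not in base_inv)
        finding = {"src": src, "dst": dst, "protocol": (proto, port)}
        if unknown:
            finding.update(kind="new_asset", unknown_hosts=unknown)
        elif (src, dst) not in base_pairs:
            finding["kind"] = "new_conversation"
        else:
            finding["kind"] = "new_protocol"
        findings.append(finding)
    return findings


def silent_assets(baseline_flows, observed_flows):
    """Baseline hosts with no traffic in the observed window (possible outage or removal)."""
    return set(build_inventory(baseline_flows)) - set(build_inventory(observed_flows))


if __name__ == "__main__":
    inv = build_inventory(BASELINE_FLOWS)
    print("inventory:", sorted(inv))
    print("most connected:", most_connected(inv))
    for f in diff_against_baseline(BASELINE_FLOWS, OBSERVED_FLOWS):
        print(f["kind"], f)
    print("silent:", silent_assets(BASELINE_FLOWS, OBSERVED_FLOWS))
```

On the constructed data the diff reports one `new_asset` (an address that was never in the inventory reaching a PLC) and one `new_protocol` (a known pair using a protocol the baseline never saw), while `silent_assets` is empty. The three finding kinds are deliberately separate because they call for different follow-up: a new asset is an inventory gap, a new conversation is a segmentation question, and a new protocol on a known pair is a change-management question.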
- Tailoring Generic Security Controls to Your Specific Needs
Cybersecurity isn’t a “one size fits all” approach, which is why you’re going to need to tailor certain security controls within that GRC framework to work for your organization. For example, a manufacturer may be able to regularly patch different production lines, while a power plant may have to wait over a year for the next major maintenance outage and rely instead on alternative controls. Some companies may have a greater need for incident scoring and prioritization, especially if they have geo-distributed OT networks with a centralized SOC. Some may prioritize detecting cyberattacks because malware or ransomware has recently affected others in their industry. Apply the controls that make the most sense for you and adapt them for your needs.
The OT cybersecurity market has evolved to a point where there’s a tool for just about every security technique you would ever want to implement: network access control, network monitoring, network segmentation, security orchestration, etc. If you’re evaluating solutions for any of these areas, it’s important to consider not only whether they’re designed specifically for sensitive OT networks, but also that maintaining and integrating multiple vendors’ products can hinder security efforts. Look for a platform that can deliver multiple security controls for OT networks to help streamline cybersecurity efforts and break down silos, rather than create them.
For more of the latest trends, challenges and best practices in OT security, download Gartner’s Market Guide for Operational Technology Security.