Maximizing Limited Resources in OT Security
How transparency, accuracy and precision can improve operational technology security.
In this article, while Danielle Jablanski and Ted Gutierrez focus predominantly on IT business units, they also emphasize three traits found to be quite useful and straightforward: transparency, accuracy, and precision. They expand on Isles’s perspective, specifically through the lens of OT (operational technology) environments in critical infrastructure sectors.
Disruptions to OT environments can impact business outcomes such as human safety, operational downtime, and provision of revenue-centric goods and services. No question there. As vulnerabilities in industrial control systems equipment rise, so too has grown the number of competing philosophies on network segmentation, firewall rules, protocol parsing, credential authentication, incident response, and resilience.
Critical Infrastructure Security Leaders are overwhelmed.
Budget-strapped and forced to navigate an increasingly complex market of available solutions and regulatory mandates, site engineers and global CISOs often struggle to define sustainable, successful OT security programs with relative ease.
Considering many organizations in 2023 are struggling to deploy limited resources across a widening aperture of threats and vulnerabilities, we found Adam Isles’s recent HBR article “How to focus your company’s limited cybersecurity budget” to be insightful and timely.
Is the Threat Landscape the Same for All Sectors?
OT security has been a niche domain since its inception, but now it must be incorporated into larger discussions from facility managers to board rooms. When referencing threat landscapes, Isles states, “different defenses will apply depending on the type of attack surface: laptop operating systems, web servers, remote-user-assist technologies, cloud technologies, or user-productivity-software like browsers and email.” But how does one incorporate context in OT and ICS (industrial control systems) environments?
Today, criminal threat actors often overstate their ability to manipulate cyber-physical systems. However, sector-specific security mandates signal this trend may be reversing. As network probing, vulnerability scanning, weaponization and exploitation become increasingly automated by threat actors, CISOs in critical sectors know their OT systems have become increasingly lucrative targets.
They recognize opportunistic attacks across multiple sectors en masse are normal, but they fear the “worst-case scenario: an OT/ICS cyber-attack tailored for a sector-specific target they manage and secure. Global CISOs in critical infrastructure must do more with less, specifically addressing high-value OT security concerns while operating on likely decades-old IT, enterprise budget systems and processes.
See More: How SMBs Can Stay on Top of the Evolving Threat Landscape
Transparency: How Do Assessments in Critical Infrastructure Differ?
We agree with Isles’s perspective on transparency as the usage of “repeatable and auditable ” authoritative security frameworks drives collaboration across the asset-owning organization. They offer a prescribed, common set of recommended controls, which helps security and risk management (SRM) leaders point to limited resources to evaluate and secure them. Savvy SRMs perform assessments according to the chosen framework to understand the state of security controls in place across their ecosystem of facilities and/or assets. Conducting this point-in-time activity offers supporting evidence to build business plans to request resources to improve security.
However, success in critical infrastructure sectors may require an additional step: configuring the controls assessment to incorporate OT and IT environment context. For example, hardware and/or software integrity means wholly different things in commercial buildings versus chemical plants. In contrast to purely IT-centric organizations, CISOs of critical infrastructure must align with automation and operations teams to understand facility criticality, their unique zones & conduits, and potentially critical supplier constraints. In some cases, assessors may not even be able to access the systems to evaluate a control due to physical security, operational, or safety constraints.
Simply noting “not applicable” for a given control minimizes transparency and security. A shift is necessary in these environments from assessing “all recommended security controls” to “the right security controls that protect business outcomes.” When operating in a transparent manner, key stakeholders will collectively compare controls status (often dubbed “risk” or “compliance” scores) across their operational facilities with more context, positioning more buy-in to secure controls across people, processes, and technology.
Accuracy: How Do We Ensure the Right Security Controls Are in Place and Working?
Once the controls assessments are complete, owners and operators should deploy purpose-built OT security solutions for continuous monitoring & detection to assess, validate, and triage security risks and events in real-time. These solutions perform deep packet inspection and data capture at scale to identify vulnerabilities, anomalous behaviors, threat signatures, and process variables slipping off specification. This level of automation requires an asset inventory, often a key part of the purpose-built OT security solution. According to Isles, this type and level of automation “helps reduce the number of security findings in need of remediation.”
Once in place, these solutions offer dynamic data models that should be further mapped to the original controls assessment completed previously, specifically validating the technology component of the framework’s recommendation(s). Security teams should regularly (usually updated annually or quarterly or when a change in business processes occurs) reassess the status of the various controls present, but with solutions like these outlined, the validation happens continuously, positioning limited security teams to spend more time focused on people and process controls.
Precision: How Can Limited Security Teams Advance Their Priorities?
Big data and advanced analytics in OT are enabling owners and operators to deploy solutions with purpose-built intuition to deliver deeper insights and enhance the efficiency of automation. Automated high-level analytics allow security leaders to focus on fewer, prioritized actionable alerts to statistically reduce risk, which not only simplifies remediation plans but enables limited teams to focus more time on generally underinvested but vital control families: people and process.
When monitoring and detection solutions can automatically categorize vulnerabilities, threat actor signatures and activity, automated analytics prompt users to take risk reduction actions based on continuous monitoring and detection intelligence. Insights and suggested actions are human-readable and can be understood by less skilled security admins to accelerate response and reduce downtime. As previously mentioned, the foundation for critical infrastructure sector security is alignment across operations, automation, and security teams, and this applies to ensuring the precise activities monitored align with the most valuable assets responsible for business outcomes.
See More: How Cyber Threat Intelligence Provides Security and Value to Business
Intuitive Solutions & Methodologies: The Key To Maximizing Limited Resources
There are millions of industrial and hyper-connected cyber-physical sites and facilities worldwide, and the number continues to grow as digital transformation remains a top priority for CIOs globally. Also staggering is the personnel outlook: unfilled cybersecurity positions are anticipated to reach 3.5 million in 2025, without any clear demarcation for OT and ICS.
Context-rich assessments, automation and OT contextual intuition are the only answers for proactive OT security.
To drive transparency, collective teams must add OT context to their assessment activities. Hence, they focus their limited resources on the controls well-positioned to protect the company’s top business priorities. OT-specific solutions should be deployed effectively to monitor and validate those controls. Finally, to ensure a precise usage of limited resources, incorporating automation and analytics must be prioritized. Investing in these efforts reduces the need for more administrative overhead, closes the security skills gap and learns long-term behavior cycles.
Making a mountain out of a molehill is an obvious idiom referring to the overly dramatic reactions to the dynamic threat landscape and fear, uncertainty, and doubt swirling around cyber-physical sectors and operations. Even though there is no “easy button” for OT security, there are ways to walk, crawl, and run with effective tool deployment that aligns with the overarching objectives of transparency, accuracy, and precision. You do not have to dissect every protocol and packet or patch every vulnerability in your network on your own to defend OT successfully.
Despite the lack of a one-size-fits-all security program for owners and operators of OT networks, certain “basics” are repeated: Network segmentation is key, nothing can be accomplished without an updated asset inventory, OT should never be connected to the internet, MFA and encryption are nice to have where appropriate, etc. add program management – threat vs. security levels.
Although an associated common vulnerability score is published for each OT/ICS vulnerability, it is impossible to immediately understand how severe any vulnerability will be in any security leader’s organization. Real-time risk requires real-time context. Some vulnerabilities impact a relatively small number of assets and devices, applying to a specific interface or install base used in legacy systems. Others are difficult to replicate automatically and require victim interaction with the attack mechanism.
How are you improving operational technology security? Are you also focusing on the three pillars mentioned above? Share with us on Facebook, X, and LinkedIn. We’d love to hear from you!
Image Source: Shutterstock
MORE ON OT SECURITY
