After decades of attacks targeting IT networks, the strategic importance of IT cybersecurity is now broadly recognized and nearly every enterprise has implemented some level of IT security protocol. By contrast, the recognition of cyber-risk to operational technology (OT) systems clearly lags. At the beginning of the 21st century, as enterprises deployed layer upon layer of security technology to protect their IT systems, little to no action was taken to protect industrial control systems (ICS) against cyberthreats. I call this “the lost decade”, as one could argue that despite mounting signs of risk, most enterprises were no better protected against OT threats in 2010 than they were in 2000.
Coming out of the lost decade, we’ve seen targeted OT attacks such as Stuxnet in 2010, Triton in 2017, and the Russian infiltration of US energy in 2018. We’ve also seen significant damage from broad ransomware attacks such as WannaCry and NotPetya which spilled over from IT networks to the OT environment. With these examples, OT cyber-risk has become more difficult to ignore, and more action is being taken by industrial enterprises, but not quickly enough.
So what can be done to protect industrial plants? Securing these complex environments is very different from protecting an IT infrastructure and requires time, investment, and, above all, management engagement. With these seven steps, however, you can move towards better protection and significantly reduce the risk.
- Acknowledge reality. You understand that your OT environment is essential to your operations, but you also need to recognize that these networks are strategically important to attackers: they are critical to your processes and a failure has far-reaching consequences, which makes them an attractive target. On this basis, an honest assessment must be made as to whether the current security status of your ICS networks is proportionate to their value as a target. For decades, security strategy and investment in most organizations have been driven by the protection of data stored in IT systems, and OT environments have been comparatively neglected. However, IT security solutions do not work on OT networks, and these networks are likely to be more invisible to your security team, and more exposed, than you think.
- Ask the difficult questions. The process of change in your company starts with you asking some unpleasant questions, which may well lead to some uncomfortable answers. Who is responsible for monitoring and protecting ICS networks? Are the right security and operational teams working together? Have these teams even met to develop an ICS cyber strategy? Have you conducted a risk assessment of these networks to identify and prioritize your vulnerabilities? Is management aware of the danger at all?
- Identify your blind spots. Just because you haven’t seen any damage doesn’t mean your networks haven’t been attacked yet. Do not assume that there are no security issues because everything is running normally. Every attacker (this applies equally to IT and OT systems) tries to be as inconspicuous as possible and to remain undetected for as long as possible. Above all, be honest with yourself about what you really know about your OT environment, and don’t trust what you only think you know. Discover where your blind spots are and quantify the effects.
- Work on the basics. Improve transparency and understanding of the risks to the OT environment in your organization, even if you can’t address them all in the short term. Check the segmentation of your network. Solid segmentation is one of the most important things asset owners can do to protect their OT environment. However, this does not only mean segmentation between IT and OT networks, but also segmentation within the OT network environment. The former makes it difficult for attackers to access the OT network and significantly reduces the likelihood of spillover damage from an attack on the IT network. The latter can make it much more difficult for an attacker to move laterally within the OT network once they have penetrated it.
- Ensure transparency in the OT network. One of the most fundamental problems that prevents many organizations from effectively protecting their OT environments is a lack of transparency about the structure of their ICS networks. Our experience shows that, when appropriate solutions are used, in almost any environment endpoints are found that no one in the security team knew about, that are connected to a specific network contrary to the team’s assumptions, or that communicate in unexpected ways. You can only protect what you see and know. Therefore, broad and deep transparency is essential for effective protection. This transparency must span all levels of the OT network, including serial/field bus connections, and should be integrated into an OT-specific threat detection system.
- Create responsibilities. Increasing convergence means it is more important than ever to manage cyber risk holistically. This means applying the same monitoring, management, and reporting approaches to OT and IT environments. It is essential to designate a person who is responsible for the security of OT systems. A certain OT background is very helpful here, but above all this person has to be able to move things forward. Cybersecurity is always a journey, never a destination that is reached at some point, which is why it is important to set the right direction here with leadership qualities. It ultimately does not matter whether this person reports to the CISO or the manager. What matters is that this person has the appropriate expertise and competence as well as assertiveness.
- Increase every employee’s awareness of the risks, all the way to management. Executives in particular need to be informed about the risks and impacts of a cyber incident, especially as they also have legal responsibility for the company’s risk management. However, while the industrial cyber risk is increasing daily, many executives still lack knowledge in this area. So you need to understand the threats and the impact of attacks on operations to drive the necessary changes.
Don’t get overwhelmed when you’re at the beginning of an OT security strategy. When assessing industrial cyber risk and prioritizing your defenses, it can be difficult to determine where to start. Don’t wait for the complete or perfect solution; start with these simple measures and build from there. The most important thing is that you start now.