This is part two of a series by Dan Ricci informing IT cybersecurity teams about the nuances of OT vulnerabilities and how to mitigate them. Part one delves into how OT threats and risks differ from those on the IT network. It can be found here.
With the interconnectivity between operational technology (OT) and IT networks being more commonplace, there is a growing need to encompass OT cybersecurity with organization-level IT cybersecurity. What that may look like can vary depending on the size of the OT environment and the IT personnel who become knowledgeable to support and assume OT cybersecurity responsibilities.
IT cybersecurity teams must collaborate and communicate with OT teams to address security risks effectively, starting with the network architecture. As noted above, it is safe to assume that connections exist between the OT and IT networks, but both IT and OT teams need to know where those connections are, how they are made, and which ports, protocols, and services are permitted and denied between the two network environments.
IT professionals may not have the opportunity to collaborate with OT professionals to identify where every ICS/OT device (e.g., PLCs, HMIs, actuators, valves, sensors, etc.) is in the OT environment, but they should know whom to contact on the OT team. These asset operators will know what types of PLCs and HMIs are running in the OT environment, where they are located, and which system each one controls. IT professionals should not assume that securing PLCs and HMIs is as simple as deploying security patches in an IT environment.
Due to the technologies and operational priorities that demand consistent safety and availability, OT engineers may dismiss securing the OT network and control systems as an urgent priority. But there needs to be a balance between safety, availability, and security.
What follows are three ways to foster collaboration between IT and OT security specialists so that both sides understand threats, reduce risk, and ensure that critical services remain available and the safety of personnel and operations is not affected.
IT cybersecurity professionals can become more educated on OT systems through risk assessments conducted jointly with the OT team to identify vulnerabilities in OT systems. These assessments may also include evaluating the potential impact of cyberattacks on critical processes, examining the interconnections between OT and IT enterprise networks, assessing the security posture of OT assets, and prioritizing mitigation efforts based on risk levels.
A risk assessment may also reveal existing, previously unknown remote access to OT systems. Some third-party vendors require remote access for maintenance and monitoring purposes; however, this type of remote access can introduce security risks if it is not properly secured. In that case, IT teams need to work with OT system engineers to develop robust access controls, multi-factor authentication, and encrypted communication channels to protect remote access to OT systems. A balanced approach to security and operational availability is needed to avoid disruptions to IT and OT systems.
IT cybersecurity teams and sysadmins may struggle with understanding the data produced by OT cybersecurity monitoring and detection tools. While it may be wise to implement comprehensive monitoring and detection mechanisms, the organization may not support a dedicated person to monitor for critical alerts and vulnerabilities associated with suspicious activities and potential security breaches in OT environments.
A tuned OT sensor, such as an intrusion detection system (IDS) integrated with a security information and event management (SIEM) solution with anomaly detection algorithms tailored to OT environments, can result in high situational awareness of potential attacks on OT systems and assets.
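One form the OT-tailored anomaly detection mentioned above can take, as an added example that is not from the original article: because OT traffic is highly repetitive, a baseline of observed (source, destination, port, protocol) tuples learned during a known-good window works as an allow-list, and any flow outside it, especially one crossing from the IT range into OT, is raised for analyst attention. The address ranges, hosts and flow records are constructed for illustration.

```python
# Added example (not from the original article): a minimal allow-list style
# anomaly detector for OT traffic, learned from a known-good window.
# Hosts, addresses and records below are constructed for illustration.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # application protocol label as tagged by the sensor

OT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed OT address range

def learn_baseline(flows):
    """Allow-list built from a window assumed to hold only normal traffic."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}

def detect(flows, baseline):
    """Return (flow, reason) for every flow not covered by the baseline."""
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.dport, f.proto) in baseline:
            continue
        src_ot = ipaddress.ip_address(f.src) in OT_NET
        dst_ot = ipaddress.ip_address(f.dst) in OT_NET
        # Flows entering OT from outside the OT range get a distinct label
        # so the IT/OT boundary crossing is obvious to the analyst.
        reason = "new IT-to-OT flow" if dst_ot and not src_ot else "new flow"
        alerts.append((f, reason))
    return alerts

# Constructed sample records: a learning window and a later detection window.
BASELINE_WINDOW = [
    Flow("10.20.1.10", "10.20.1.20", 502, "modbus"),    # HMI -> PLC
    Flow("10.20.1.11", "10.20.1.20", 502, "modbus"),    # engineering ws -> PLC
    Flow("10.20.1.10", "10.20.1.30", 44818, "enip"),    # HMI -> drive
]
DETECTION_WINDOW = [
    Flow("10.20.1.10", "10.20.1.20", 502, "modbus"),    # normal, no alert
    Flow("192.168.50.5", "10.20.1.20", 502, "modbus"),  # from the IT range
    Flow("10.20.1.11", "10.20.1.30", 44818, "enip"),    # new pairing inside OT
]

def run_example():
    """Alerts as (src, dst, reason) tuples for the constructed windows."""
    base = learn_baseline(BASELINE_WINDOW)
    return [(f.src, f.dst, r) for f, r in detect(DETECTION_WINDOW, base)]
```

In a real deployment the baseline would be reviewed with the OT asset operators before it is trusted, since a learning window that already contains unwanted traffic would silently allow it.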
Monitoring of the OT environment also supports incident response planning. Existing IT cybersecurity and incident handling documentation may not include incident response planning specific to ICS/SCADA/DCS systems. Development and regular testing of incident response plans specific to OT environments are essential for minimizing the impact of cyber incidents. IT teams should collaborate with OT personnel to update existing incident response plans in order to define response procedures, establish communication channels, and integrate recovery efforts in the event of a security breach.
For more than a decade, OT environments have been subject to industry and federal regulations, depending on the industry sector. For example, OT environments in the energy sector within the United States may be subject to regulatory requirements and standards related to cybersecurity; therefore, IT teams should stay informed about relevant regulations (e.g., NERC, NIS2, DFARS, FARS, etc.) and ensure compliance with the applicable requirements for their industry sector.
IT cybersecurity and IT professionals can benefit by understanding these key aspects of OT vulnerabilities and incorporating them into their cybersecurity strategies. IT teams working together with OT teams can better protect critical infrastructure and minimize the risk of cyber incidents in OT environments.
Establishing monthly meetings and consistent communication between IT and OT professionals to articulate risk to OT systems, or how IT vulnerabilities could impact the safety and availability of ICS/OT devices and systems, will help break down the barriers. This will encourage these teams to work together toward a holistic cybersecurity strategy for managing risk in critical infrastructure sectors.
Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.