When are we going to stop admiring the cybersecurity problems facing smart grids and other operational technologies?
I think that after a few years of incessant media coverage of every conceivable way our critical infrastructure can be compromised, many people within and outside of operational technology (OT) firms are likely to be desensitized to the problems described: taking down power grids for millions of people, disabling water and sewage treatment plants, diverting trains into disastrous collisions, destroying sensitive medical devices, opening oil and gas pipelines, stopping assembly lines. The list just keeps growing. Desensitization to all of this news would be unfortunate, since we need people who remain sensitive to the risk without wallowing in despair over the scale and occasional drama of the problem.
At the heart of it all is the realization that (a) the number and types of systems that can be compromised are more vast than we previously envisioned; (b) the increasing complexity of new technologies, and of their integration and interaction, increases the threat surface and the opportunity for compromise; and (c) what can actually be done to mitigate or prevent some of these threats from becoming reality is nowhere near as exciting to talk and write about as the threats themselves. We appear to be a society long on admiring problems and their consequences and short on providing good news about what can be done to solve them. Let's take a look at just a few simple, positive activities taking place that will help an enterprise build an effective security and risk management plan for its IT/OT infrastructure.
1- The majority of the problems that have already been reported could have been prevented without new, sophisticated technologies. Instead, old-fashioned best practices in security and risk management (practiced for years), applied consistently across the enterprise, would have prevented many of the headlines from being written. These practices include a top-down, risk-driven governance process; effective communication across engineering, management and operations; and simple techniques applied to the use of threat intelligence, detection and response, access control and vulnerability management (among other domains). They include a security architecture with defined controls across all layers of IT and OT infrastructure: data, application, system, network and endpoint. They include a balance between prevention and detection that reduces response times to compromises. Proven security and risk practice has been documented and available for a very long time. What has been missing is an appreciation of the risk taken in continuing without them, and the mandate or will to apply them in many enterprises.
2- There are existing points of integration between IT and OT security that are available today, and using them as a starting point to engineer, manage and operate security requirements is efficient and cost-effective, and can produce immediate early benefits against the threats described. One of those points is the network. For decades, IT and OT network architects, engineers, managers and administrators have worked together. In some cases they have shared network protection assets. In other cases they have provided support and maintenance for one another in key security areas. Unlike other areas of IT and OT, most OT-centric enterprises have network teams that as a rule respect and trust one another, a key criterion for moving forward quickly in securing OT infrastructure. Ensure that your network planners play a key role in implementing IT/OT security process and technology early in the program.
3- There are a number of excellent forums for OT security and risk planning, management and operations information, and that number is growing monthly. Not only are resources such as ICS-CERT and vendor-sponsored reports and services available to report threat information, but there are also peer forums, frameworks, checklists, templates and other information-sharing and guidance tools available to enterprises that seek to improve their security and risk management posture. Most enterprise planners know how to filter out the vendor-marketing speak from some of the available resources. Most of these resources cost nothing but the time to access and use them. In fact, if there is a problem with this activity, it may be that there are almost too many resources, and enterprise planners sometimes have difficulty knowing where to start. That is a good problem to have, considering the alternative. Gartner can assist you in finding, filtering and using our tools, as well as other available tools, to help build or manage your security and risk management program.
4- There are signs of progress in the development of risk frameworks that take a more holistic view of security for the enterprise, where IT, OT and physical security considerations are incorporated into a more comprehensive digital security model for assessing, addressing and managing enterprise risk. More comprehensive and complementary security controls are being defined. Major industry players in security and risk management are moving to acquire companies that add OT security functionality to existing IT security, and to create partnerships with other providers to ensure that this comprehensive idea of digital security is addressed according to industry-specific and process-specific requirements. It is still early, but the momentum is there, and OT-centric enterprises can expect better assistance soon.
Yes, the sky is dark. Yes, there are real threats, real problems, real risks. No, the sky is not falling. The news isn't all bad. There are ways to address these threats. Keep that in mind the next time you read a scary story about OT security.