“Don’t pay ransomware”: if that remains the US Department of Energy policy, it will earn a grade of incomplete.
Real investment in infrastructure is necessary to predict, prevent, detect and respond to threats in critical infrastructure. So, what should security and risk management (SRM) leaders do to protect their operational technology (OT) environments?
Day 1 – Establishing Goals and Objectives From the Top
The cultural divide between OT and IT has been a long-standing roadblock to securing operational environments. Support from the board of directors and top executives is required from day one.
Establish the rules of the road and the vision for securing OT, and build them into the goals and objectives of team members from OT, IT, supply chain, physical security and human resources. Roles must be clear and should, at a minimum, include the following personnel:
- OT: Will harness their business and operational knowledge to prevent, mitigate and respond to an evolving cybersecurity and physical threat landscape by working in concert with IT, supply chain, human resources and EHS. OT will also plan for life cycle management and support.
- IT: Will own the architecture, infrastructure, security solutions, risk mitigation and incident response, and will provide training and cyber hygiene awareness.
- Supply Chain Risk: Will review and establish terms and conditions with suppliers that ensure secure-by-design principles and mitigate supplier risk to operational technology environments.
- Human Resources: Will support training and the hiring of professionals with the converging skill sets needed to secure and manage OT.
- EHS: OT systems more than ever have cyber-physical consequences, and EHS will be responsible for the physical security of the environment and its people.
In addition, the board of directors should ensure cyber-physical risks are included in its due diligence process for operations going forward, with joint accountability throughout the organization.
Day 2-30 – Organizational Changes Required
Today, the knowledge needed to address OT threats is spread throughout the organization, across supply chain, infrastructure, operations, risk management and cybersecurity. The convergence of IT and OT environments is driving the need to leverage traditional IT controls and architectures to better monitor and secure critical environments, which are increasingly connected to external services. SRM leaders tasked with coordinating the efforts to secure such converging environments cannot afford to disregard the highly critical requirements of safety and reliability. To achieve this, security must seek and establish collaboration and an organizational structure that involves both IT security and OT competencies. Take these steps to start:
- Create a technical advisory board consisting of staff from IT, HR, supply chain and OT
- Establish a meeting cadence
- Determine a charter, mission, and roles and responsibilities
Day 31-70 – Evaluate the Risk
It is soon time to assess the security risk, including environmental, health, safety and cybersecurity risk. Assessing risk requires a few steps:
- Determine what connected systems exist in the environment and what their risk profiles look like. Reach out to the teams supporting OT assets to find out what enterprise-wide OT architecture and OT security policies and procedures might already exist.
- Review the infrastructure for segmentation of IT/OT/IoT
- Evaluate and adopt network monitoring and visibility solution providers to assess risk
- Establish dynamic asset discovery
- Perform passive scanning for vulnerabilities
- Determine physical security risk and gaps in existing protocols
- Establish what normal looks like in your environment
- Evaluate supplier risk, including product testing, validation and ongoing third-party risk assessments
- Assess device security down to the sensor level
- Reality usually sets in quickly: there is a lack of security visibility into brownfield operational environments that have been connected to improve productivity or control costs. There is also a lack of security controls within new CPS deployed via industrial Internet of Things (IIoT)/Internet of Things (IoT) efforts managed by business units seeking more digital transformation. Thanks to an increasing number of security vendors offering asset discovery and network topology mapping platforms, the next step often involves a proof of concept (POC) effort with one or more solutions (see Note 1 below)
- Examine physical controls for equipment and the overall environment
- Review configuration management and change control issues
- Talent assessment: do you have the subject matter expertise?
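Three of the steps above (reviewing IT/OT/IoT segmentation, dynamic asset discovery, and establishing what normal looks like) can be started from a passive network tap before any vendor POC. The following is an added example, not code from the original article: it builds an asset inventory from flow records, flags flows that cross a zone boundary the segmentation plan does not permit, and reports addresses that a known baseline lacks. The zone CIDRs, conduit rules and flow records are constructed assumptions standing in for a real sensor export.

```python
"""Passive asset discovery and 'what does normal look like' baseline.
Added example, not from the article: flow records, CIDRs and zone
names are constructed assumptions standing in for a passive tap export."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed segmentation plan: IT, OT and IoT address ranges (constructed).
ZONES = {
    "IT": ip_network("10.1.0.0/16"),
    "OT": ip_network("10.2.0.0/16"),
    "IoT": ip_network("10.3.0.0/16"),
}
# Zone pairs the architecture permits; direct IT -> OT is deliberately absent.
ALLOWED_CONDUITS = {("IT", "IT"), ("OT", "OT"), ("IoT", "IoT"), ("OT", "IT")}

# Constructed flow records (src, dst, dst_port, proto) as a passive sensor sees them.
FLOWS = [
    ("10.2.0.10", "10.2.0.20", 502, "tcp"),   # HMI -> PLC, Modbus/TCP
    ("10.2.0.10", "10.2.0.21", 502, "tcp"),
    ("10.2.0.30", "10.1.0.5", 443, "tcp"),    # historian -> IT web service
    ("10.1.0.77", "10.2.0.21", 502, "tcp"),   # IT workstation -> PLC: crosses zones
    ("10.3.0.9", "10.3.0.1", 1883, "tcp"),    # IoT sensor -> MQTT broker
]

def zone_of(ip):
    """Map an address to its zone, or UNKNOWN if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def build_inventory(flows):
    """Passive discovery: every address seen, its zone, and services it answered on."""
    inv = defaultdict(lambda: {"zone": None, "services": set()})
    for src, dst, port, proto in flows:
        for ip in (src, dst):
            inv[ip]["zone"] = zone_of(ip)
        inv[dst]["services"].add(f"{proto}/{port}")  # responder side = listener
    return dict(inv)

def segmentation_violations(flows):
    """Flows crossing a zone boundary that ALLOWED_CONDUITS does not permit."""
    return [f for f in flows
            if (zone_of(f[0]), zone_of(f[1])) not in ALLOWED_CONDUITS]

def new_assets(baseline, flows):
    """Dynamic discovery: addresses in fresh flows that the known baseline lacks."""
    seen = {ip for f in flows for ip in f[:2]}
    return sorted(seen - set(baseline))
```

Run against a day of real flow exports, the inventory becomes the baseline and the other two functions become the first alerts worth forwarding to the SIEM.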
Day 70-75 – Oh Wow, or the Gap Analysis
Most will discover that there are a number of risks that must be remediated. These generally include the items in Figure 2.
Figure 2. So Many Gaps
Day 80-100+ – Redefine Policies and Implement Changes
The last part of these one hundred days is just the beginning of an ongoing journey. Securing these environments from an evolving threat landscape will require solutions for identity management, more secure product design, advanced threat intelligence solutions to monitor insider threats, analysis of social media and dark web chatter, and adoption of emerging technologies.
10 Basic Steps
- A clear incident response plan with roles and responsibilities that leverages cross-functional expertise
- Customize and adapt existing security policy to IT and OT roles and responsibilities by using a responsible, accountable, consulted and informed (RACI) matrix, and make sure policy is easily accessible and organized
- Implementation of monitoring and visibility solutions
- Operationalizing alerts and incident management
- Budgeting and planning for end of life
- Development of a vulnerability management program
- Investment in solutions that address physical security gaps and lapses
- A plan for integrating alerting back into the SIEM/SOAR
- Ongoing planning and a security strategy that aligns with your digital ambitions
- Planning for ongoing training and governance at the C-suite
Going Beyond 100 Days – Network Monitoring and Visibility Isn’t Enough
A Demand for Converged Solutions
The past two years have seen a marked increase in links between IT security and OT security solutions. Examples include the many OT security vendors enabling data feeds to enterprise solutions, such as ServiceNow, Splunk, IBM QRadar or Palo Alto Networks, and a number of announcements around strategic partnerships, such as Microsoft Azure Defender for IoT, Radiflow-Palo Alto Networks, SCADAfence-Rapid7, Claroty-CrowdStrike, Nozomi-Honeywell or Dragos-McAfee.
Must Have Security – Prevent & Predict
The next layers of protection should enable organizations not only to detect and respond, but to predict and prevent. The table below offers a list of sample vendors to consider over the next 100 days of your journey to securing CI.
Footnote: Some vendors are emerging and moving toward scalability and mainstream adoption; specialized vendors are also emerging to target vertical industries. For an example in the medical field, see Market Guide for Medical Device Security Solutions.
Source: Gartner (January 2021)
Confronting Threats on the Horizon
PNT (Position, Navigation and Timing)
Unfortunately, PNT security is an increasing concern. Although illegal, jammers use a transmitter to interfere with GPS signals and scramble or alter location and time. They can be stationary or mobile (car or drone). While they used to cost thousands of dollars, some can now be bought for less than $100. Fake GPS location apps are freely available in app stores. On the spoofing front, attacks are also on the rise, with a number of incidents reported globally. Concerns have grown to the point that an Executive Order on strengthening national resilience through PNT services was signed on 12 February 2020 in the U.S. Positioning, navigation and timing (PNT) is a combination of three capabilities:
- Positioning, which is the ability to accurately and precisely determine one’s location and orientation
- Navigation, which is the ability to determine current and desired position, and correct course, orientation and speed to attain a desired position anywhere around the world
- Timing, which is the ability to acquire and maintain accurate and precise time from a standard (Coordinated Universal Time, or UTC), anywhere in the world
Sample Providers: Booz Allen Hamilton; ENSCO; Microsemi (wholly owned subsidiary of Microchip Technology); Orolia; Satelles
DRPS (Digital Risk Protection Services)
The digital risk protection services (DRPS) market is composed of technology and service providers offering solutions developed to protect critical digital assets and data exposed to external threats. These solutions provide visibility into clear (surface) web, deep web and dark web sources to identify potential threats to critical assets, and provide contextual information on threat actors and the tactics and processes used to conduct malicious activity. DRPS provides support in four areas — mapping, monitoring, mitigating and managing the impact on critical digital assets — that ensure business operations are preserved.
Sample Providers: CloudSEK; CTM360; CybelAngel; Cyberint; Cyber Intelligence House; DeepCyber; Digital Shadows; Echosec; GroupSense; IntSights; Lookingglass Cyber Solutions; PhishLabs; Recorded Future; RiskIQ; SafeGuard Cyber; Terbium Labs; ZeroFOX
The journey is ongoing and cannot stop at the one-hundred-day mark, as security threats will continue to evolve well into the future.