Five questions every CISO should ask about OT cybersecurity

  • Verve Industrial
  • March 3, 2021
The task of cybersecurity often falls to the IT department. But here are five questions every CISO should ask about OT cybersecurity.
Image courtesy: Brett Sayles

Who should be involved in the OT cybersecurity program?

This is the first question for a reason. In many information technology (IT) organizations, the answer is clear. Security requires networking, endpoint, cloud, regulatory and other IT partners. In operational technology (OT) cybersecurity, however, getting the “who” right is critical and often more complex.

Depending on the organization, the who may include the head of process control technology; the SVP/EVP/VP of operations, manufacturing or supply chain; influential plant managers; or quality or similar regulatory personnel. This is on top of the more typical groups involved in IT security.

We have seen many organizations stall if key operations personnel are not included early in the process to identify bottlenecks or technical challenges. Successful chief information security officers (CISOs) create a steering committee of IT and OT personnel in addition to the operations leaders who understand the technical challenges of the systems.

Without this joint team, organizations struggle to gain buy-in for the necessary technical changes and required support personnel to achieve success. Together, this group forms the right process for deciding aspirations, technical feasibility and more.

Where should you begin your OT cybersecurity journey?

Almost all industrial companies have some level of cybersecurity underway, but often the question is where to focus first to improve the security of the OT systems. Options usually include network protection such as segmentation and separation, endpoint protection, network anomaly detection, asset visibility and inventory for improved vulnerability management, and security event monitoring and analysis.

There is no absolute right answer to this. Some will argue for deploying network protection technology to create a barrier. Others will argue for vulnerability assessment or asset visibility and inventory.

The right answer depends on the organization’s starting point. However, the foundation of all these initiatives is a robust asset inventory with “360-degree” visibility on hardware, software, network connections, users and accounts, vulnerabilities, etc. To make network protection effective, you must know what you are protecting and how it needs to communicate. To make proper vulnerability management decisions, you need clarity of the comprehensive 360-degree risk, because not all assets in OT can be patched or upgraded. Alternative compensating controls may be needed, and prioritization is key. Security event monitoring requires knowledge of the assets to monitor, as well as their operations and asset criticality.

This 360-degree approach provides a comprehensive view of the risks and how they interact. For instance, two devices may have similar vulnerability or patch status, but one has application whitelisting locked down, a robust backup, hardened configuration settings and sits behind a well-configured firewall, whereas another does not. Or one operates critical operational processes, whereas the other does not. Even more so than in IT, these relative priorities are critical in OT given the challenges of taking rapid remediating actions.
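The prioritization reasoning above, sketched as an added example that is not from the original article or from Verve Industrial. The field names, the control weights and the doubling for critical processes are assumptions chosen for illustration, and the inventory records are constructed.

```python
from dataclasses import dataclass, field

# Compensating controls named in the article; the weights are assumptions.
CONTROL_CREDIT = {
    "app_whitelisting": 0.20,
    "robust_backup": 0.15,
    "hardened_config": 0.15,
    "firewalled": 0.20,
}

@dataclass
class Asset:
    name: str
    open_vulns: int            # known unremediated vulnerabilities
    critical_process: bool     # runs a critical operational process
    patchable: bool            # False for legacy or embedded systems
    controls: set = field(default_factory=set)

def residual_risk(a: Asset) -> float:
    """Vulnerability exposure, reduced by controls, scaled by criticality."""
    credit = sum(CONTROL_CREDIT.get(c, 0.0) for c in a.controls)  # max 0.70
    exposure = a.open_vulns * (1.0 - credit)
    return round(exposure * (2.0 if a.critical_process else 1.0), 2)

def next_action(a: Asset) -> str:
    """Patch where possible; otherwise name the missing compensating controls."""
    if a.open_vulns == 0:
        return "monitor"
    if a.patchable:
        return "schedule patch"
    missing = sorted(set(CONTROL_CREDIT) - a.controls)
    return "add controls: " + ", ".join(missing) if missing else "accept and monitor"

def prioritize(assets):
    """Highest residual risk first."""
    return sorted(assets, key=residual_risk, reverse=True)

# Constructed inventory records (not real devices). hmi-01 and hmi-02 have the
# same vulnerability count and criticality but different compensating controls.
INVENTORY = [
    Asset("hmi-01", 6, True, False, set(CONTROL_CREDIT)),
    Asset("hmi-02", 6, True, False, {"robust_backup"}),
    Asset("eng-ws-03", 6, False, True, set()),
    Asset("historian-04", 0, False, True, {"firewalled"}),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:13} risk={residual_risk(a):5} -> {next_action(a)}")
```

Three assets share the same vulnerability count, yet the unprotected critical HMI ranks first and the fully protected one ranks below a non-critical workstation, which is the distinction a vulnerability list alone would miss.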

Why do you need an OT security program?

This is the most obvious question. CISOs have protected IT systems for more than a decade. You likely have dozens of tools at your disposal to address cybersecurity according to Check Point, Gartner and others. So why in the world do you need a specific OT cybersecurity program?

The reality is these systems truly are different but perhaps not in exactly the ways OT folks or original equipment manufacturer (OEM) vendors often say. They are sensitive to change or traditional IT security scanning. They are highly integrated. They do operate many legacy operating systems due to long lifecycles. They include many embedded systems that cannot be scanned or managed in the same way a Windows PC or cloud server can. And the downside risk of acting on a false security alarm can be operationally devastating.

What security management actions should be included in the program?

Many organizations become hamstrung in the actions they can take to secure their OT/ICS environments. In part due to the fear, uncertainty and doubt raised by OEM vendors or some in OT, organizations limit what can be done to secure these systems. Perhaps they limit themselves to segmentation or network monitoring because of the fear of managing these sensitive systems.

Our suggestion is to employ OT systems management. These are the same techniques IT conducts on IT systems (and they actually represent more than 70% of all IT security tasks). This includes functions such as patching, vulnerability management, configuration management, user and access management, and more.

This comprehensive set of management actions ensures protection and hardening of these devices in advance, as well as the detection of anomalies from ongoing attacks. They also align IT and OT security into consistent practice areas that can be monitored and tracked.

How should an OT security program be managed?

There is no one perfect way to manage a cybersecurity program. It depends on the way the organization is structured more broadly. Is the culture top-down with a drive for operational consistency, even if it may take longer to align different parts of the organization? Is the culture one where targets are set, but business units are left to determine how best to hit those targets? Is there a close working relationship between IT and OT? These subquestions inform how best to organize your approach.

There are several key elements regardless of the overall structure:

  • Establish a target early on that allows for measurement and tracking. We have seen great success leveraging the Center for Internet Security top 20, but there are other targets and models to use. Selecting one is key.
  • Gain alignment between IT and OT and leverage each for the strengths they bring.
  • Build traction early with visibility into key risks and by addressing key vulnerabilities and risks.
  • Create accountability by adding security into balanced scorecards to ensure results have an impact on performance.

This article originally appeared on Verve Industrial’s website. Verve Industrial is a CFE Media content partner. Edited by Gary Cohen, Senior Editor/Project Manager, CFE Media and Technology, gcohen@cfemedia.com.
