It’s no secret that industrial organizations are at the forefront of cybersecurity attacks. A recent report by IBM X-force revealed the manufacturing industry jumped from the eighth most targeted industry to the second most targeted year over year (from 2019 to 2020). Energy also jumped from the ninth most targeted industry to the third in the same timeframe.
Why? These industries are targeted by ransomware groups because they have the highest likelihood of paying the ransom due to their investment in cybersecurity insurance. They also have the most to lose during operational downtime. Imagine just how catastrophic it would be if the U.S. power grid were compromised – It’s no wonder governments, insurers, customers and boards of directors are responding to these cyberattacks with greater emphasis and urgency on the security of operating technology – or OT – the systems that control the industrial processes.
But what’s the difference in protecting information technology (IT) assets vs. OT systems? Well, a lot actually:
- OS devices (those that run traditional operating systems such as Windows) run complex, networked controls applications with critical processes that cannot be interrupted without reliability issues.
- Typically, more than 70% of devices are embedded OS, proprietary to original equipment manufacturer (OEM) vendors such as GE, Honeywell, ABB, etc.
- Limited staff is even greater in OT than in IT.
- Complex network architectures require controlled access to different layers according to OEM design.
- Taking endpoint management actions is very challenging due to the nature of these critical devices.
OT security leaders have learned a lot from their IT counterparts but have also evolved over time and made OT-safe modifications to security processes to protect these sensitive systems. So what can OT now teach IT teams from their unique experience?
5 things CISOs and IT can learn from OT teams
- OT security standards: Leverage similar security standards with specific adaptations. Keep in mind, the right governance involves coordination and shared decision-rights across IT, security/risk management, operations and finance.
- Security can break stuff: OT systems are highly sensitive and have significant downside from Type II errors. By creating a centralized view of endpoint security, operators centralize endpoint detections, alerts, risks, etc. to a central team for analysis, response planning, etc. to enable the OT operator that understands his or her system best to be involved in approving and testing any security response. We understand to someone in IT, this may sound crazy – this extra step of including a “man in the middle” of the response action could slow response. Yes, it can. But it avoids the Type II error of stopping critical processes that may affect the safety of the overall system.
- Think global, act local: Scaled centralized analysis across hundreds of sites and all endpoints globally, with locally OT-controlled for remediation automation. Think global, act local is a direct response to the challenges of large volumes of complex assets and tasks, coupled with scarce OT security resources available in the market today. It is also why OT owner/operators can prioritize the endpoint management work that is desperately needed. Most importantly, it is centralized, automated, scalable and proven OT-safe.
- 360-degree security with compensating controls: Security requires comprehensive risk view with flexible protection options. A 360-degree view of risk allows the organization to define the most effective and efficient means of remediating risks and securing a given endpoint.
- “XDR” for OT (OTDR) is feasible: Use physics and LDR (least disruptive response) to your advantage. This refers to gathering a wide set of data from the systems – endpoint logs, user behavior, network flows, firewall logs, even physical process alarms – and using integrated analysis to identify potential threats. Never accept a single form of telemetry such as packet inspection as the answer to detection.
Want to hear more about strategies IT can learn from OT? This is just a taste of what’s to come in our ICS Pulse webinar on Oct. 27. Save your spot to hear John Livingston, CEO of Verve Industrial, dive deeper into each of the five areas IT can learn from OT practitioners to strengthen their overall cybersecurity posture. Follow this link to register.