How frameworks can improve operational lifecycle management

Creating a comprehensive security strategy for your business starts with recognizing that information technology (IT) and operational technology (OT) systems are inherently different. You may have a solid IT security program in place to manage and monitor your IT environment, but if you’re ignoring the operational side of the house, some of your most important assets are probably insecure.

The gap matters even more as the Internet of Things (IoT) proliferates and more legacy OT devices are connected to networks. So how can you get your operational security up to snuff? According to Marty Wachi, product marketing manager for Moxa America’s industrial cybersecurity, network management and wireless networking products, when it comes to OT cybersecurity, too often the question is still, “Where do we start?”

“Hopefully, you’re in an industry or vertical that already has an established framework,” Wachi said. “There are a lot of them out there — industry standards like NERC CIP and NIST and 60443. All of them are frameworks, best practices. They all have some degree of focus on security requirement capabilities depending on the level of security you want. Other standards like 60443 are actually pretty balanced in that they include another aspect of lifecycle management as well as security capabilities.”

Operational lifecycle management

According to Wachi, operational lifecycle management is really about managing the supply chain. It concerns what happens in the development and delivery of a product, as opposed to the security capabilities or feature requirements of the product itself.

“This has to do with your supply partners, your factories, manufacturing partners — making sure that you actually have a secure development process in place,” Wachi said. “Some of that is not just to protect the supply chain from having things interjected into it that you don’t know about, but it also involves traceability. Something that most people would be familiar with, it’s very similar to drugs or food that have lot numbers so that you can go back if and when there is something that happened. You can go and trace what products were affected.”

Traceability is easy to overlook, and it matters because nothing is 100% secure. When an incident does occur, a company that can trace which lots went to which customers can identify who is affected and notify them as quickly as possible.
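To show what traceability and supply-chain integrity look like in practice, here is an added example in Python; it is not code from the article or from Moxa. It assumes a build manifest that records, per firmware lot, the exact component versions and the SHA-256 of the image that left the factory, plus a shipment record of which customer received which lot. Lot ids, component names, versions, customer names and the stand-in "image" bytes are all constructed for illustration. `verify_shipment` catches an image altered after the build; `trace_affected` answers the lot-number question from the text: which lots, and which customers, contain a component that turned out to be compromised.

```python
import hashlib
from typing import Dict, List, Tuple

# Added example; constructed data throughout (lots, components, customers).


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the fingerprint of a shipped image."""
    return hashlib.sha256(data).hexdigest()


def build_image(lot: str, components: Dict[str, str]) -> bytes:
    """Stand-in for a factory build: a deterministic byte blob derived from
    the lot id and the exact component versions that went into it."""
    parts = [lot] + [f"{name}={ver}" for name, ver in sorted(components.items())]
    return "|".join(parts).encode("utf-8")


def record_build(manifest: List[dict], lot: str, product: str,
                 components: Dict[str, str], image: bytes) -> dict:
    """Append a build record: what went in, and the hash of what came out."""
    entry = {"lot": lot, "product": product,
             "components": dict(components), "image_sha256": sha256_hex(image)}
    manifest.append(entry)
    return entry


def verify_shipment(manifest: List[dict], lot: str, image: bytes) -> bool:
    """Integrity check at the receiving end: the image that arrived must hash
    to what the build record says left the factory."""
    for entry in manifest:
        if entry["lot"] == lot:
            return entry["image_sha256"] == sha256_hex(image)
    return False  # unknown lot: no provenance, treat as failed


def trace_affected(manifest: List[dict], shipments: Dict[str, List[str]],
                   component: str, bad_versions: set) -> List[Tuple[str, str]]:
    """Traceability: given a component found to be compromised or buggy,
    return (lot, customer) pairs that received a build containing it."""
    affected = []
    for entry in manifest:
        if entry["components"].get(component) in bad_versions:
            for customer in shipments.get(entry["lot"], []):
                affected.append((entry["lot"], customer))
    return affected


# --- constructed sample run (hypothetical lots and customers) --------------
MANIFEST: List[dict] = []
COMPONENTS_A = {"openssl": "3.0.13", "mqtt-lib": "2.4.0"}
COMPONENTS_B = {"openssl": "3.0.14", "mqtt-lib": "2.4.0"}
LOT_A = build_image("FW-2024-07-A", COMPONENTS_A)
LOT_B = build_image("FW-2024-09-B", COMPONENTS_B)
record_build(MANIFEST, "FW-2024-07-A", "edge-gateway", COMPONENTS_A, LOT_A)
record_build(MANIFEST, "FW-2024-09-B", "edge-gateway", COMPONENTS_B, LOT_B)

# Which customers received which lot (constructed).
SHIPMENTS = {"FW-2024-07-A": ["plant-north", "plant-south"],
             "FW-2024-09-B": ["plant-south"]}

# An image altered after the build (one bit flipped) must fail verification.
TAMPERED_A = LOT_A[:-1] + bytes([LOT_A[-1] ^ 0x01])

if __name__ == "__main__":
    print("lot A genuine:", verify_shipment(MANIFEST, "FW-2024-07-A", LOT_A))
    print("lot A tampered:", verify_shipment(MANIFEST, "FW-2024-07-A", TAMPERED_A))
    print("affected by mqtt-lib 2.4.0:",
          trace_affected(MANIFEST, SHIPMENTS, "mqtt-lib", {"2.4.0"}))
```

The manifest only helps if it is itself trustworthy: an attacker who can alter the build can also alter an unprotected record, so in a real pipeline the manifest is signed and stored outside the build system that produces it.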

This was thrown into sharp relief a few years ago when Kaseya and SolarWinds made headlines for what were essentially operational lifecycle management attacks. In both cases the attackers did not break into customer networks directly; they compromised the vendor’s software and its update path, and the malicious code reached customers through channels those customers already trusted.

“They backdoored it in through the lifecycle of the company,” Wachi said. “It’s not just from a prevention perspective of keeping people out, but it’s also, once you do have a bug or something that has to be addressed, it gives your customers peace of mind that there’s a way to address it.”

Product level security requirements

When it comes to product level security, there are generally two types. The most common is what people think of as defense in depth: perimeter-based security, sometimes referred to as vertical security. The other is threat detection and response, or horizontal security.

Vertical security has two fundamental buckets: authentication and restricting access. Authentication is establishing that people are who they say they are when they try to access the network, most visibly through multifactor authentication and well-managed usernames and passwords. Restricting access, also known as segmentation, is the most common form of security out there.

“A lot of customers have done a pretty good job of this for the most part,” Wachi said. “It’s really about establishing that perimeter, keeping people out of your network or out of your critical assets. But what we’re seeing as the networks are getting more complicated [is that] more things are getting digitized, the surface area of attack is getting bigger. Things like AI now where everything needs to be connected in order to take advantage of the data that you’re getting, make it very difficult to use some of the traditional segmentation strategies and scenarios to protect the network because everything has to be connected now.”

As a result, threat detection and response from a horizontal perspective, being able to see what has penetrated the network, where it got in and how, is becoming more and more important. For public companies that must worry about liability, visibility is essential: they need to be able to tell whether they have been breached, when it happened and what consequences the breach is going to have.

“The analogy I like to use for folks is you think about a bank or a retailer,” Wachi said. “There’s perimeter-based security, locked doors, maybe security guards, things like that to keep people out. But inside the store, they still have video surveillance to see what’s going on in case somebody breaches that. That’s kind of what that threat detection and response give you.”
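To make the vertical/horizontal distinction concrete, here is an added example in Python; it is not code from the article or from Moxa. The zone CIDRs, the segmentation policy, the use of Modbus/TCP port 502 and the flow records are all constructed assumptions. The policy table is the vertical control (the locked doors). `detect` is the horizontal one (the cameras): it runs flow records against the policy and flags anything crossing a segment boundary that should not, and it also flags a single source fanning out across control-zone hosts, so an analyst can see where the intruder came in and what it touched afterward.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Added example; zones, policy, ports and flow records are constructed.

ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),
    "control":    ipaddress.ip_network("192.168.10.0/24"),
}

# Vertical security: the segmentation policy. Only these
# (source zone, destination zone, destination port) combinations
# are supposed to exist on the wire.
ALLOWED_FLOWS = {
    ("enterprise", "dmz", 443),     # users reach the DMZ web front end
    ("dmz", "control", 502),        # historian in the DMZ polls PLCs
    ("control", "control", 502),    # controllers talk among themselves
}

# A source touching more distinct control-zone hosts than this is flagged.
FANOUT_THRESHOLD = 3


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}


def detect(lines: List[str]) -> List[dict]:
    """Horizontal security: evaluate flows against the policy and track
    fan-out into the control zone. Returns alerts in the order raised."""
    alerts: List[dict] = []
    control_targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if (sz, dz, f["port"]) not in ALLOWED_FLOWS:
            alerts.append({"ts": f["ts"], "kind": "segmentation_violation",
                           "src": f["src"], "dst": f["dst"], "port": f["port"],
                           "detail": f"{sz} -> {dz}"})
        if dz == "control":
            control_targets[f["src"]].add(f["dst"])
            # Fire once, the moment the threshold is exceeded.
            if len(control_targets[f["src"]]) == FANOUT_THRESHOLD + 1:
                alerts.append({"ts": f["ts"], "kind": "control_zone_fanout",
                               "src": f["src"],
                               "targets": sorted(control_targets[f["src"]])})
    return alerts


# Constructed flow records: an enterprise workstation first behaves, then
# reaches past the DMZ straight into the control zone and sweeps PLCs.
SAMPLE_FLOWS = [
    "2024-07-01T08:00:01 10.1.4.20 10.2.0.5 443",          # allowed
    "2024-07-01T08:00:05 10.2.0.5 192.168.10.11 502",      # allowed
    "2024-07-01T08:01:10 10.1.4.20 192.168.10.11 502",     # violation
    "2024-07-01T08:01:12 10.1.4.20 192.168.10.12 502",     # violation
    "2024-07-01T08:01:14 10.1.4.20 192.168.10.13 502",     # violation
    "2024-07-01T08:01:16 10.1.4.20 192.168.10.14 502",     # violation + fan-out
    "2024-07-01T08:02:00 192.168.10.11 192.168.10.12 502", # allowed
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The first violation alert already tells the analyst where the intruder got in (10.1.4.20, in the enterprise zone) and what it reached; the fan-out alert shows the spread. The same flows would have been silently permitted if the only control were the perimeter and the perimeter had a gap, which is the case the text argues for monitoring inside the network.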

Frameworks and customer implementation

For people still looking for where and how to start their cybersecurity journey, Wachi said there is a ton of information out there on all of these frameworks. The trick is figuring out which ones are right for you and tailoring them to your individual needs.

“It’s kind of like the advice that you should eat right and exercise. We all know that we should do that, but depending on your individual body type, depending on your individual metabolism, what you eat specifically, what kind of exercise you do to achieve the goals that you want is a very personalized and tailored plan for the individual,” Wachi said. “This oftentimes requires a nutritionist or a trainer.

“So if you were to use that analogy for security, especially for small and medium companies, finding yourself a good value-added reseller partner or system integrator that specializes in OT security for whatever vertical you’re in is like gold. There are just not enough security specialists out there for everybody to be able to go hire their own, and it’s difficult, especially for the small and medium guys, to keep up with this in-house. So getting yourself a good partner that’s focused on this, that has experience, is probably the best way to tailor that ‘What do I do to eat right and exercise better?’”

For more installments from our expert interview series, check out our Industrial Cybersecurity Pulse YouTube page.
