Convergence between information technology (IT) and operational technology (OT) networks requires a broad approach to ensure proper visibility and security. The need to control OT processes to optimize the business has led to a series of integrations and connections that expose OT systems to IT risks and vice versa.
As a result, integrated tools for visibility have become even more critical to ensure these two fields are efficiently protected, avoiding a siloed approach.
OT systems, however, are not at the same level as IT systems in terms of security. They are usually older, have not been updated over time, and are not part of an organized, structured context in terms of network design and data flows.
Following the IEC 62443 best practices, all the life cycle phases of an industrial control system can be covered: starting from cybersecurity risk assessment, through vulnerability assessment and detection, to maintaining security over time against OT-related threats within an organized, systematic framework like the one found in management systems.
Across the three main phases of the IEC 62443 scheme (assess, implement and maintain), substantial results can be obtained only when the asset inventory is as accurate and detailed as possible.
Compared to corresponding IT systems, OT networks feature much longer system life cycles, no shared inventory and scarce visibility of the changes made to devices.
Unfortunately, there are often many devices connected to the company network for which no information exists (temporary access points left active by maintenance technicians, laptops, Internet of Things devices). These devices are often poorly configured and can become wide-open entry points for attackers.
To address these issues, an indispensable piece of the cybersecurity risk assessment is a vulnerability identification tool able to search the many vulnerability databases available online for the entries that correspond to the devices actually present in the network being analyzed, grouping them by device category and prioritizing them by severity.
Taking inventory and classifying devices meets the first security rule: You can’t protect what you don’t know.
A solely passive approach, however, does not guarantee the necessary level of visibility: it is not always feasible to capture all OT traffic, and not all OT devices communicate with each other, so a device that never talks on the wire never appears in a passive inventory. The choice of detection technology is therefore fundamental. It is strongly recommended to implement only tested and patented technologies that give visibility of all the devices in the network and allow you to classify them and obtain information on their status, their configuration, any configuration changes and their vulnerabilities, in order to reach the goal of end-to-end cybersecurity. Where active querying is used to fill the gaps, it must be protocol-aware and read-only (for example, a Modbus Read Device Identification request or an SNMP sysDescr query rather than a generic port scan), since fragile OT devices can fail under traffic they do not expect.
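The two points above, that a vulnerability identification tool must match the devices actually present in the network against a vulnerability feed and prioritize by category and severity, and that passive observation alone misses devices that never send traffic, can be shown together in one small inventory pipeline. The code below is an added example, not code from H-ON Consulting, Tenable or the article itself. Every input is constructed for illustration: the passive flow records, the answers to active identification queries, and the vulnerability feed, whose VULN-xxx identifiers are placeholders rather than real CVEs. The Device class, the feed schema (vendor, product, fixed_in, cvss) and all IP addresses are assumptions of this example.

```python
"""Asset inventory merge (passive + active) and vulnerability matching.

Added example; not the article's, H-ON Consulting's or Tenable's code.
All records below are constructed. VULN-xxx ids are placeholders, not CVEs.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed passive observations: (src_ip, dst_ip, dst_port, protocol)
# captured from a SPAN port. Only devices that actually send or receive
# traffic can ever appear here.
PASSIVE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "modbus"),
    ("10.10.1.5", "10.10.1.21", 502, "modbus"),
    ("10.10.1.30", "10.10.1.5", 44818, "enip"),
    ("10.10.2.9", "10.10.1.5", 443, "https"),
]

# Constructed answers to read-only, protocol-native identification queries
# (e.g. Modbus Read Device Identification, SNMP sysDescr), not port scans.
ACTIVE_RESULTS = [
    {"ip": "10.10.1.20", "vendor": "acme", "product": "plc-200", "firmware": "2.3.1", "category": "PLC"},
    {"ip": "10.10.1.21", "vendor": "acme", "product": "plc-200", "firmware": "2.5.0", "category": "PLC"},
    # Safety PLC that only accepts connections: silent on the wire.
    {"ip": "10.10.1.22", "vendor": "acme", "product": "safety-plc", "firmware": "1.0.4", "category": "PLC"},
    {"ip": "10.10.1.30", "vendor": "globex", "product": "hmi-panel", "firmware": "4.1", "category": "HMI"},
    # Maintenance access point left active, nobody talks to it.
    {"ip": "10.10.1.99", "vendor": "wifico", "product": "ap-lite", "firmware": "1.2", "category": "AP"},
]

# Constructed vulnerability feed (placeholder ids, generic descriptions).
VULN_FEED = [
    {"id": "VULN-001", "vendor": "acme", "product": "plc-200", "fixed_in": "2.4.0", "cvss": 9.8, "title": "unauthenticated firmware upload"},
    {"id": "VULN-002", "vendor": "acme", "product": "plc-200", "fixed_in": "2.6.0", "cvss": 5.3, "title": "information disclosure"},
    {"id": "VULN-003", "vendor": "globex", "product": "hmi-panel", "fixed_in": "4.2", "cvss": 7.5, "title": "hard-coded credentials"},
    {"id": "VULN-004", "vendor": "wifico", "product": "ap-lite", "fixed_in": "1.3", "cvss": 8.8, "title": "default admin password"},
]


@dataclass
class Device:
    ip: str
    vendor: str = "unknown"
    product: str = "unknown"
    firmware: str = "unknown"
    category: str = "unknown"
    sources: set = field(default_factory=set)   # {"passive", "active"}


def parse_version(v):
    """'2.10.3' -> (2, 10, 3); compares numerically, not as a string."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def build_inventory(flows, active):
    """Merge passive presence with active identity into one inventory keyed by IP."""
    inv = {}
    for src, dst, _port, _proto in flows:
        inv.setdefault(src, Device(ip=src)).sources.add("passive")
        inv.setdefault(dst, Device(ip=dst)).sources.add("passive")
    for r in active:
        d = inv.setdefault(r["ip"], Device(ip=r["ip"]))
        d.sources.add("active")
        d.vendor, d.product = r["vendor"], r["product"]
        d.firmware, d.category = r["firmware"], r["category"]
    return inv


def discovery_gaps(inv):
    """(silent devices a passive-only approach would miss, devices seen but unidentified)."""
    silent = sorted(ip for ip, d in inv.items() if d.sources == {"active"})
    unidentified = sorted(ip for ip, d in inv.items() if d.product == "unknown")
    return silent, unidentified


def match_vulns(inv, feed):
    """Keep only feed entries for vendor/product actually present, at an affected firmware."""
    findings = []
    for d in inv.values():
        if d.firmware == "unknown":
            continue
        fw = parse_version(d.firmware)
        for v in feed:
            if (v["vendor"], v["product"]) == (d.vendor, d.product) and fw < parse_version(v["fixed_in"]):
                findings.append({"ip": d.ip, "category": d.category, "id": v["id"],
                                 "cvss": v["cvss"], "title": v["title"]})
    return findings


def prioritize(findings):
    """Group by device category, highest CVSS first within each group."""
    by_cat = defaultdict(list)
    for f in findings:
        by_cat[f["category"]].append(f)
    return {c: sorted(fs, key=lambda f: -f["cvss"]) for c, fs in by_cat.items()}


if __name__ == "__main__":
    inventory = build_inventory(PASSIVE_FLOWS, ACTIVE_RESULTS)
    silent, unidentified = discovery_gaps(inventory)
    print("silent devices (missed by passive-only):", silent)
    print("seen but unidentified:", unidentified)
    for cat, fs in prioritize(match_vulns(inventory, VULN_FEED)).items():
        print(cat)
        for f in fs:
            print(f"  {f['cvss']:>4}  {f['id']}  {f['ip']}  {f['title']}")
```

Two things the run makes visible that the prose only states: the safety PLC and the forgotten access point show up only because of the active query, and the vulnerability list shrinks from the whole feed to the entries whose vendor, product and firmware range match a device that is really there, which is what makes the prioritized report actionable rather than a copy of the database.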
— This article was edited by H-ON Consulting in collaboration with Tenable.