Are you tired of hearing how industrial control systems (ICS) are “insecure by default,” but if you buy this widget or tool, all of your problems will go away? On April 24 — the first day of the RSA Conference in San Francisco — Diane Golden, system security architect at Rockwell Automation, and Ahmik Hindman, senior network and solution consultant at Rockwell, attempted to help with their session, You Too Can Secure OT (operational technology).
The session attempted to help traditional information technology (IT) security personnel get started securing their OT systems. The speakers briefly highlighted the differences between OT and IT systems and then discussed a structured approach for managing OT security risk.
Taking a proactive approach to OT systems
The overarching theme was that organizations must leverage a holistic and proactive approach to industrial cybersecurity. They recommended starting with tools like the NIST Cybersecurity Framework, which begins with asset inventory. As the old axiom goes, you cannot protect what you cannot see. That means companies need an effective OT intrusion detection system. This should utilize both passive and active scanning, and be protocol specific and vendor agnostic.
This combination of passive and active scanning can help minimize false positives and provide a vendor-agnostic inventory of OT, IT and Internet of Things (IoT) assets. A high-level risk assessment is essential for prioritizing patches and compensating controls based on the common vulnerabilities and exposures (CVEs) that actually apply to the inventory.
How to manage vulnerabilities
With vulnerabilities, organizations can’t just say, “Let’s go patch everything.” There are simply too many vulnerabilities out there. Therefore, you have to look at cyber-physical impact on the OT side and ask some basic questions. Is your current risk level an acceptable risk level? What creates a bad day for you if it breaks? What are your crown jewels, the impactful things that can cause you a lot of downtime if they go offline?
Health, safety and the environment are clearly high-risk areas. If something can cause a fatality or an environmental disaster, it should get a great deal of your attention.
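The two steps described above, merging passive and active inventory data and then ranking CVE matches by cyber-physical impact rather than by CVSS alone, as an added example (not code from the session, Rockwell or any vendor). All asset records, impact tags and advisory entries are constructed sample data; the CVE identifiers are labelled placeholders, the vendor and model names are invented, and the impact weights are an assumed scoring scheme, not one the speakers proposed:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed passive observations: what a network tap sees without touching
# the device (vendor and protocol are visible, firmware usually is not).
PASSIVE_OBSERVATIONS = [
    {"ip": "10.1.1.10", "vendor": "ExampleVendor", "protocol": "ExampleProto"},
    {"ip": "10.1.1.11", "vendor": "ExampleVendor", "protocol": "ExampleProto"},
    {"ip": "10.1.1.12", "vendor": "OtherVendor", "protocol": "Modbus/TCP"},
    {"ip": "10.1.1.13", "vendor": "ExampleVendor", "protocol": "ExampleProto"},
]

# Constructed active-query results: a protocol-specific identity read that
# returns model and firmware. Two assets were not reachable in the scan window.
ACTIVE_RESULTS = {
    "10.1.1.10": {"model": "PLC-A", "firmware": "2.1"},
    "10.1.1.11": {"model": "PLC-A", "firmware": "2.3"},
}

# Cyber-physical impact tags from the risk assessment ("what makes a bad day").
IMPACT_TAGS = {
    "10.1.1.10": "safety",       # safety instrumented function
    "10.1.1.11": "production",   # line stoppage, no safety consequence
    "10.1.1.12": "environment",  # effluent control
    "10.1.1.13": "production",
}
# Assumed weighting: health, safety and environment outrank pure downtime.
IMPACT_WEIGHT = {"safety": 4, "environment": 4, "production": 2, "none": 1}

# Constructed advisory records; the CVE ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "vendor": "ExampleVendor", "model": "PLC-A",
     "fixed_in": "2.2", "cvss": 9.8},
    {"id": "CVE-PLACEHOLDER-2", "vendor": "OtherVendor", "model": None,
     "fixed_in": None, "cvss": 7.5},   # vendor-wide, no fixed version listed
]


@dataclass
class Asset:
    ip: str
    vendor: str
    protocol: str
    model: Optional[str] = None
    firmware: Optional[str] = None
    impact: str = "none"


def version_tuple(v: str) -> tuple:
    """'2.10' -> (2, 10) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def build_inventory(passive, active, impact_tags) -> Dict[str, Asset]:
    """Merge passive observations with active results into one inventory."""
    inventory: Dict[str, Asset] = {}
    for obs in passive:
        asset = Asset(ip=obs["ip"], vendor=obs["vendor"], protocol=obs["protocol"],
                      impact=impact_tags.get(obs["ip"], "none"))
        detail = active.get(obs["ip"])
        if detail:
            asset.model, asset.firmware = detail["model"], detail["firmware"]
        inventory[asset.ip] = asset
    return inventory


def match_advisory(asset: Asset, adv: dict) -> Optional[str]:
    """Return a finding status, or None when the advisory does not apply."""
    if adv["vendor"] != asset.vendor:
        return None
    status = "confirmed"
    if adv["model"] is not None:
        if asset.model is None:
            status = "needs active scan"   # passive data cannot confirm the model
        elif adv["model"] != asset.model:
            return None
    if adv["fixed_in"] is None:
        # No fixed version published: the finding cannot be ruled out by version.
        return status if status != "confirmed" else "unversioned advisory"
    if asset.firmware is None:
        return "needs active scan"         # cannot tell patched from unpatched
    if version_tuple(asset.firmware) >= version_tuple(adv["fixed_in"]):
        return None                        # already at or above the fixed version
    return status


def prioritize(inventory: Dict[str, Asset], advisories: List[dict]) -> List[dict]:
    """Score each applicable finding by CVSS x cyber-physical impact, highest first."""
    findings = []
    for asset in inventory.values():
        for adv in advisories:
            status = match_advisory(asset, adv)
            if status is None:
                continue
            score = round(adv["cvss"] * IMPACT_WEIGHT[asset.impact], 1)
            findings.append({"ip": asset.ip, "cve": adv["id"], "impact": asset.impact,
                             "status": status, "score": score})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    inv = build_inventory(PASSIVE_OBSERVATIONS, ACTIVE_RESULTS, IMPACT_TAGS)
    for f in prioritize(inv, ADVISORIES):
        print(f"{f['score']:5.1f}  {f['ip']:<10} {f['cve']:<20} {f['impact']:<12} {f['status']}")
```

The passive-only asset at 10.1.1.13 is the case the speakers' "passive and active" advice is about: a passive match on vendor alone cannot distinguish a patched controller from an unpatched one, so the finding is kept but flagged "needs active scan" rather than either dropped or reported as confirmed, while 10.1.1.11 drops out entirely because its active firmware read shows it is already at the fixed version.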
Golden also mentioned that this risk assessment can help cash-strapped organizations get grants from federal and state governments for cyber resilience. There is money to be had for these efforts.
Hindman and Golden then walked RSA attendees through the basics of protecting OT/ICS systems. Many of their logical models employed commonly used industry standards such as the Purdue Model and IEC 62443.
Creating an incident response plan for OT systems
They concluded by talking about creating an incident response plan for OT. Most companies have an IT incident response plan, but many don’t have one for OT. That’s a problem. You need backup and recovery solutions that are proactive. You don’t want to be looking for them when something goes wrong because, by then, it’s too late.
Golden said tabletop exercises are a great idea because many key players haven’t been involved in an OT security incident before. It’s essential to know who is supposed to do what when a crisis occurs. For example, if you have to decouple your IT and OT systems, who is authorized to disconnect them?
They also suggested getting some third-party help. They recommended OT incident response retainers, or bringing in companies to help with OT response. But those companies give priority to customers who already have them on retainer, so this needs to be arranged in advance.
Golden mentioned that there are many free resources out there that can help. She specifically pointed out the Dragos OT-CERT platform.
The pair finished by imploring attendees that they too can:
- Automate OT asset inventory and vulnerability correlation
- Adopt an OT patch management strategy
- Implement mitigating controls supporting a defense-in-depth strategy
- Develop an OT incident response plan