Why OT security is still poor and how an IT/OT SOC can help

Courtesy: CFE Media and Technology

Industrial organizations are targeted by cybersecurity threats more often because they have a lot to lose during operational downtime. To truly protect industrial systems, information technology (IT) and operational technology (OT) need to work together. Organizations can forge a united front by creating a converged security operations center, or SOC. SOCs are already standard practice in IT security; a converged IT/OT SOC extends that model to give you greater visibility across your operations and help you defend against outside threats.

In this partial transcript from the Dec. 5, 2023, webcast, Five Essential Steps to Creating a United IT/OT SOC, sponsored by Fortinet and Tenable, two experts answered the following questions:

  • Why are industrial organizations under attack?
  • Why are IT and OT still divided when it comes to security?
  • What is a security operation center, and how is it used?
  • How can you get executive and organizational buy-in?
  • What are the benefits of a converged IT/OT SOC?

The speakers were Luis Narvaez, regional product manager for controllers and cybersecurity for Siemens Factory Automation, and Jim Cook, COO for Velta Technology. This is the second part of the transcript. The following has been edited for clarity.

Why does OT security still struggle?

Luis Narvaez: When we look at the number of published vulnerabilities at the end of 2022, we had over 23,000 disclosed vulnerabilities published. Looking at the connected devices, published vulnerabilities together have a little bit of a multiplication effect. You can look at this and see there’s a serious problem. There’s a lot of risk out there, and if we don’t really address the need for cybersecurity, this is only going to get exponentially worse. At the end of the day, asset owners are going to need help. They’re going to need help with services. They’re going to need help with implementing solutions, and hopefully today gives you a little bit of insight as to some of the solutions, some of the ideas that can help move toward a SOC or a more robust cybersecurity program within your OT organization.

So let’s look at some reasons why OT security is still poor. No. 1, asset lifecycle. The picture I have here on this slide actually is some, let’s say, mature, some even obsolete products from the Siemens industrial automation portfolio. These devices that are running our factories, running our industrial systems, typically have a life cycle of, like, 30-plus years, and even more if these factories, these plants are not necessarily modernizing them. So that has an effect. The older systems get, the less ability we have to secure the devices, because it’s just the way technology rolls. OT technology does not move as fast as IT technology.

Another reason why OT cybersecurity is still poor is heterogeneity. There are a lot of different devices serving a multitude of different purposes, and it’s very likely that OT environments have products from different vendors that, again, serve those different purposes and those different needs. An industrial control system is not just going to have a programmable logic controller. You’re going to have PCs running Windows operating systems, running applications that might be decades old, still running and still keeping the plant running and still making products, but because of that older life cycle, they may introduce more vulnerabilities into the OT space.

I mentioned earlier the CIA versus AIC methodology, and that still holds true. The focus for OT cybersecurity is availability. We have to keep operations running. We have to keep producing products, keep producing parts, making good parts. That way, we can still remain profitable. At the end of the day, that’s what keeps the lights on. Other aspects like integrity are probably as important on the IT side, as well, but that’s where the confidentiality is maybe not so important on the OT side. Maybe there needs to be a shift, or maybe there needs to be some overlap between the confidentiality and availability. But at the end of the day, that’s one of the reasons why it’s also poor today.

Then, of course, risk-based protection is another thing that we struggle with on the OT side. So what can you do? Well, maybe you hire some more people. The problem is trying to find somebody who has all the relevant skill sets and talents for protecting your OT system and implementing cybersecurity solutions. It’s like finding a magical unicorn in the matrix. It just doesn’t really exist. At least, not one person. That’s where a team comes into play. That’s where bringing in and working with the people, subject matter experts, who can help you through that journey, comes into play. So let’s put ourselves through a little bit of role playing. Let’s say production has downtime due to a cyberattack. What’s going to happen? What’s the outcome? Production is lost.

There might be defective products on the line, but they have to go to scrap. They get wasted. So that’s cost. That’s expense. You could have intellectual property stolen, and maybe that’s not important for operations that have more discrete or commodity items being produced, but maybe if you’re a pharmaceutical, that could be very damaging if the recipe’s manipulated or anything like that. At the end of the day, these products can’t be delivered on time. Orders will be canceled. The integrity of your company is compromised. The public health and safety could be compromised, as well. And all that stuff is just a chain of events that can happen from these cyberattacks.

The benefits of multilayered cybersecurity and an IT/OT SOC

What tends to work out well is a multilayered cybersecurity program based on — you may have heard it before — defense-in-depth principles. I always like to refer to this as onion protection. You have different layers within an onion. At the core of it, it’s your manufacturing, or your ICS, your industrial control system. There might even be some layers within that that you can protect, but you’ve got asset protection. Other people like to think of this as a moat or a castle. Or classical defenses, where you’ve got different ways for attackers to attack your system. Make it more difficult. Layer your defenses, and you’ll be a little bit more protected against cyberattacks.

So let’s look at some aspects that every multilayered cybersecurity program should contain. From the data side, obviously, we need secure data exchanged between the OT and IT. I know some people are saying, “Hey, there’s no reason why my OT needs to talk to my IT or vice versa.” But there are organizations that have that interchange, where you have orders coming in that need to be placed or resources that need to be planned and be brought into your manufacturing, so that way we can produce the amount of quantities of products. That data exchange essentially happens a lot in manufacturing. However, that data needs to be secured somehow. In the cases where we need to service equipment remotely, or we work with contractors to service equipment, we need to make sure we have that connection secured, as well. From a system side, we need to make sure that we’re monitoring the industrial control system continuously and applying updates and patches when necessary.

I mentioned those published vulnerabilities. Vendors typically publish these vulnerabilities, and they assign mitigations, whether it’s a patch, or whether it’s protecting around the device, or whatever the case is. So keeping up to date with those mitigations, keeping up to date with those patches, as well as monitoring your ICS system for any anomalies, those kinds of things are very effective when it comes to a defense-in-depth program. Then, from a people standpoint, training. As simple as it sounds, cybersecurity training can be effective. It’s making people aware of the different risks that are available, different vulnerabilities within the organization. These can help limit the effect of insider attacks, whether intentional or non-intentional, bringing personalized access to your ICS rather than having shared access to assets on the OT side. That’s something that’s happened for a very long time and still happens to this day where there’s a password to access some assets or some machinery, and that password is written on a sticky note and slapped on the side of a cabinet. That needs to change if you want to have a really robust cybersecurity program.

Then, thirdly, bring in the experts. I had the privilege to work with Industrial Cybersecurity Pulse, and there was a podcast posted about implementing a SOC in OT and things like that. One of my biggest things that I vouch for and champion is the need to bring in the experts. That expertise that’s on the OT side, on the factory floor, they understand the process. They understand the machinery. They understand the equipment.

Bringing those people to the table who have that understanding, that knowledge of the process, the equipment that’s on the factory floor, bringing them to the table when having those discussions of like, “Hey, what is the risk if this happens? Or what is the risk? How do we protect against these types of risks?” Those people have the knowledge. They have the domain expertise to really help you understand the effects of a cyberattack, but also effective mitigations that can bring you back to operations, as well.
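Two of the points above, that obsolete devices cannot always take a patch and that vendor-published mitigations have to be tracked against what is actually installed, are exactly what a converged SOC ends up automating. The following is an added example by the editor; it is not code from the webcast, the speakers, Siemens, Velta Technology or any vendor. It matches a constructed asset inventory against constructed advisory records (the product names, firmware versions, zone names and "EX-ADV" identifiers are all assumptions, not real products or advisories) and recommends a patch where the vendor ships one and the device is still supported, or the published workaround where the device is end-of-life or no patch exists.

```python
"""Cross-reference an OT asset inventory against vendor advisories.

Added example for this transcript; it is not code from the webcast,
Siemens, Velta Technology or any vendor. All product names, versions,
advisory identifiers and zone names below are constructed for illustration.
"""
from dataclasses import dataclass

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'4.2.1' -> (4, 2, 1); tuples compare lexicographically, which is
    enough for dotted numeric firmware versions."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Asset:
    asset_id: str
    product: str          # vendor product family (constructed names)
    firmware: Version
    end_of_life: bool     # vendor no longer ships firmware for it
    zone: str             # the network zone (IEC 62443 sense) the asset sits in


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed identifier, not a real CVE or vendor ID
    product: str
    affected_below: Version   # every version strictly below this is affected
    patch_available: bool
    workaround: str           # vendor-published mitigation besides patching


@dataclass(frozen=True)
class Finding:
    asset_id: str
    advisory_id: str
    zone: str
    action: str


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return asset.product == adv.product and asset.firmware < adv.affected_below


def recommended_action(asset: Asset, adv: Advisory) -> str:
    """Patch when the vendor ships one and the device can still take it;
    otherwise fall back to the published workaround (the long-lifecycle
    problem: obsolete hardware has no patch to apply)."""
    if adv.patch_available and not asset.end_of_life:
        return "patch to a release at or above " + ".".join(map(str, adv.affected_below))
    return "compensating control: " + adv.workaround


def assess(assets, advisories) -> list:
    """Return one Finding per (asset, advisory) pair that still applies."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings = []
    for asset in assets:
        for adv in by_product.get(asset.product, []):
            if is_affected(asset, adv):
                findings.append(Finding(asset.asset_id, adv.advisory_id,
                                        asset.zone, recommended_action(asset, adv)))
    return findings


def unpatchable_by_zone(findings) -> dict:
    """Count findings that can only be handled by compensating controls,
    grouped by zone, so segmentation work can be prioritised."""
    counts = {}
    for f in findings:
        if f.action.startswith("compensating control"):
            counts[f.zone] = counts.get(f.zone, 0) + 1
    return counts


# Constructed sample inventory and advisories (not real products or IDs).
ASSETS = [
    Asset("PLC-01", "ExamplePLC 1500", parse_version("2.9.2"), False, "cell-a"),
    Asset("PLC-02", "ExamplePLC 300", parse_version("3.3.0"), True, "cell-b"),
    Asset("PLC-03", "ExamplePLC 1500", parse_version("3.0.1"), False, "cell-c"),
    Asset("HMI-01", "ExampleHMI", parse_version("15.1"), False, "cell-a"),
]

ADVISORIES = [
    Advisory("EX-ADV-0001", "ExamplePLC 1500", parse_version("3.0.0"), True,
             "restrict the engineering protocol port to engineering stations"),
    Advisory("EX-ADV-0002", "ExamplePLC 300", parse_version("3.4.0"), False,
             "isolate the controller in its own zone; allow only its HMI to reach it"),
    Advisory("EX-ADV-0003", "ExampleHMI", parse_version("16.0"), True,
             "disable the web interface and enforce per-user accounts"),
]

if __name__ == "__main__":
    results = assess(ASSETS, ADVISORIES)
    for f in results:
        print(f"{f.asset_id} {f.advisory_id} [{f.zone}]: {f.action}")
    print("unpatchable findings per zone:", unpatchable_by_zone(results))
```

The version check is deliberately strict: PLC-03 at 3.0.1 is skipped for EX-ADV-0001 because it is already at or above the fixed release, while the end-of-life PLC-02 gets a compensating control even though it is affected, which is the case a patch-centric IT scanner tends to miss. Real advisories often list affected ranges per hardware variant rather than a single threshold, so the `affected_below` field is a simplification.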
