It’s no secret that industrial organizations are at the forefront of cybersecurity threats. A recent report by IBM X-Force revealed the manufacturing industry jumped from the eighth most targeted industry to the second most targeted from 2019 to 2020. Industrial organizations are targeted because they have a lot to lose during operational downtime. Attacks on OT can also pose a threat to human life and safety. But a divide still exists between IT and OT when it comes to security. How can you bring these two sides together?
This webinar, originally aired on Dec. 5, 2023, showed attendees how organizations can create a united front with a converged security operations center (SOC). SOCs are already used regularly for IT security; a converged IT/OT SOC can give you greater visibility across your operations and help you defend against outside threats.
The speakers were Jim Cook, COO of Velta Technology, and Luis Narvaez, regional product manager, controllers and cybersecurity, Siemens Factory Automation.
Additional questions were answered by Cook.
Question: This sounds good in theory, but what if we don’t have internal resources to implement something like this?
Jim Cook: Many information technology (IT) departments do not have their own SOC and use one of many external SOC services. Those services (with proper OT cyber support) or an emerging OT-specific SOC service can be leveraged.
Question: What options are there besides trying to build a business case and waiting months for approval?
Cook: Smaller, targeted “point in time” assessments/studies usually generate quantifiable findings to address immediate risks and support future actionable budgets.
Question: Who are usually the internal champions to help something like this get put in place? IT or OT people?
Cook: Both! It may start from one side or the other, but both need to be working together at some level to make real progress. Remember, the OT team members are the owners of the assets.
Question: What from your experience are things to look out for that can halt something like this from being explored or put in place?
Cook: Silos staying firmly put with no movement to explore the divide, or disagreement on who owns that divide.
Question: What are some best practices to integrate IT/OT incident response?
Cook: One key is to share OT cyber knowledge so IT understands what is relevant to OT production.
Question: What cybersecurity features are available for power plants and pumping plants regarding operational technology? If the power plants and pumping plants are not tied to the internet, what additional cybersecurity features can be applied?
Cook: Most OT security products will cover critical infrastructure, as the underlying technology is used in most OT environments. While true “air gap” is rare, there are on-premise solutions as well as cloud-enabled solutions.
Question: What would be an ideal phased approach?
Cook: Depends on your starting point. That being said, you will need an OT-specific cyber tool first to provide some level of visibility to a SOC.
Question: What are the main obstacles to bridging the gap between OT and IT?
Cook: Sometimes, it’s from historically bad interactions and the belief from each silo that it’s the other guy’s job.
Question: In terms of visibility across operations, can you provide examples or case studies illustrating how a converged IT/OT SOC has enhanced cybersecurity measures and incident response capabilities?
Cook: From my direct experience: user client MFA credentials compromised in the evening, foreign access overnight, by overnight able to disable while determining no access into a combustible OT environment, thereby avoiding a “shutdown out of an abundance of caution” scenario.
Question: What are some common misconceptions or challenges organizations might face when transitioning to a converged IT/OT SOC, and how can these be addressed proactively?
Cook: IT-only SOCs have access to data but don’t have the exposure to OT needs. The OT cyber knowledge would have to drive the requirements up to the SOC.
Question: Indeed, the organization must have a united IT and OT SOC. However, on the contrary, IT and OT networks must be built separately and NEVER converge!
Cook: I agree that “converge” is not the best term, but unfortunately it’s widely used. As presented, there are options for IT/OT SOC convergence with separate networks. Those IT and OT networks are connected, which needs to be better managed, while an OT-specific approach should be applied in the proper realm.
Question: IT/OT integration … increases the risk.
Cook: I agree, but it’s happening. That’s why it’s important to avoid the “collision.”
Question: We have undertaken a very granular analysis assessing our entire OT operations utilizing the NIST CSF. It has been proving extremely helpful in detailing risk and communicating it to the business for strategic investment. We are taking what is often a subjective topic and making it objective and actionable. I suggest that EVERY company should undertake a professional and granular (site-by-site and corporate) assessment of their OT cybersecurity. Otherwise, the business heads will never have the confidence to fund efforts, and those that do will have an unstructured strategy.
Cook: Great to hear! I would like to call out the “site-by-site” portion to emphasize that each site will have its own uniqueness.
Question: What are some courses that will help me develop the skillset needed to transition into a network security engineer specific to ICS networks and OT from a controls engineer?
Cook: There are a few sources on the web, but nothing beats hands-on work in the field if you have the opportunity.
Question: Is there a safe way to vet a remote user? For logins, we have MFA, but I believe we can’t just block remote users. Something needs to help that.
Cook: There are OT-specific remote access products that allow the proper security granularity and tracking for OT networks. IT remote access wasn’t built for OT.