On October 14, 2021, I had the chance to participate in the NightWatch 2021 conference, which was organized by security firm Applied Risk. The theme of this year’s iteration was “Architecting the Next Generation for OT Cyber Security.” The event featured many interesting and insightful presentations from companies that are leading the field of industrial cybersecurity.

As our communities depend on critical services supplying reliable power, water, transport amongst other essentials, the question that is to be answered is “What is next on OT security?”

OT security has got people’s attention

In his keynote speech, Eric Byres, CTO of aDolus Technology, argued that although opportunistic attacks seem to be making the news, it is the targeted attacks that present the real risk to OT. Attackers are leveraging the vast and complex supply chain as the primary vector for targeted attacks against OT.

The convergence of threat and technology requires the industrial sector to review how they operate and secure critical infrastructures. This is crucial if we reflect on the Colonial Pipeline attack, President Biden’s Executive Order 14028, the Oldsmar water plant incident, EKANS, and the TSA security directive for pipelines.

However, there is always the flip side of any coin, and according to Byres, this is a golden opportunity for the critical infrastructure sector. The attacks making the headlines have increased the world’s awareness on the need to secure OT. Executives need to listen to clear answers on how to manage the real risk to OT and they are willing to support security initiatives and strategies that protect the entire OT chain.

How to prioritize OT security

So, the question that arises is how to prioritize the investments on OT security. As Marty Edwards, VP of OT Security at Tenable, highlighted in his presentation, “in order to prioritize we need to understand what threats we are concerned about.”

A recent survey by SANS on OT/ICS Cybersecurity indicates that ransomware, extortion, and other financially motivated crimes is the top threat vector that industries need to be mostly concerned. If what your process makes, produces or controls has value to you and the community, then it has value to criminals as well. What is also worrying is that 70% of these threats are perceived as either severe or high.

Therefore, top priority for all sectors, including energy, oil and gas and water supply, is to develop and enforce a disaster recovery plan, which should entail:

  • A comprehensive inventory of all mission critical systems and applications
  • ISO/image files for baseline restoration of critical systems and applications

Another factor that ICS entities need to consider for prioritizing their security investments is to understand what components are at greatest risk and need to afford robust protection. The SANS survey findings indicate that engineering assets running on commercial OS (i.e., Windows, Unix) are at greatest risk for compromise. Hence, the next priority should be on having a clear visibility into converged IT/OT systems and networks. As everyone says, you can’t protect what you can’t see.

Who’s responsible for OT security?

Everyone agrees that OT security is different than IT security for many credible issues. However, the reality at the factory floor is quite different. That was evident in Edwards’ presentation of the SANS ICS/OT survey findings, as well as in the presentation by Jules Vos and Dr. Larry Ponemon on the preliminary findings of a survey to be published soon.

In accordance with both surveys, it is the CISO that sets the policy of control systems. When it comes to the monitoring and implementation of OT system security, more than half of the organizations reported that this is the responsibility of the IT department – in partnership with the OT engineering department. One obvious reason behind this might be the fact that OT staff do not have the capacity to implement cybersecurity controls to protect OT systems. Either way, OT staff should get to know their CISO or the IT security department. On the other hand, IT security teams should walk out into the factory and get to know the OT engineers. This is what collaboration is about in converged IT/OT environments.

OT cyber risk management

Speaking at another session at the NightWatch 2021 event, Mike Firstenberg, Director of Industrial Security at Waterfall Security, stressed that the goal of OT risk management is not to avoid all residual risk. Rather, it is to take reasonable risk when necessary to serve the stakeholders and the community. To do so, industries have the options to either avoid, transfer, mitigate or accept the cyber risk.

Firstenberg then highlighted three innovative cyber risk management approaches and examined their effectiveness against the pervasive threat of targeted ransomware focusing on the risk of disrupting operations. He defined a simple and robust approach to managing OT cyber risks, including Security PHA Review (SPR), Consequence-Driven, Cyber-Informed Engineering (CCE), and Secure Operations Technology (SEC-OT).

As targeted ransomware emerges as a top threat to industrial operations and OT systems, the trend is only likely to worsen since targeted attacks use tools and techniques comparable to those used exclusively by nation-states, said Firstenberg.

Conclusion

When we consider OT security, availability and safety are paramount, highlighted Andrea Carcano, Co-Founder and CPO at Nozomi Networks. Although different sectors may have different challenges, the threats are common. Critical operations run at 24/7/365 basis with significant risks due to the heterogeneous nature and the legacy systems of industrial networks. In addition, industrial proprietary protocols are inherently insecure and often obscure to the IT world.

Some enterprise security mechanisms are very costly to apply in OT systems because of extended safety, equipment protection, and other OT risk management requirements. What organizations need is a unified visibility and security across OT and IT, while the deployed solutions must not be intrusive and should have multiple integrations to reduce complexity.

If you would like to hear how ITEGRITI can help you with securing your OT systems, you can reach out to us. We will be glad to listen to your needs.