Effectively Securing Operational Technology


In 2023, three-fourths of operational technology (OT) organizations reported at least one intrusion in the previous year. Nearly one-third reported being victims of a ransomware attack (unchanged from 2022), but intrusions from malware and phishing increased 12% and 9%, respectively.

The frequency of attacks against industrial production systems has increased for several reasons, including the converging of OT systems with information technology (IT) systems, the emergence of cybercrime-as-a-service, the greater availability of attack kits on the dark web and the increased vulnerability to interruption of high-value production systems and critical infrastructure. At the same time, the range of targets that represent OT and cyber-physical systems has increased as well.

Critical infrastructure assets related to water and electricity are increasingly targeted, and it’s critical that they be safeguarded. When considering the dangers associated with these threats, it’s vital to remember that many OT subsectors continue to depend on legacy hardware and software. Additionally, manufacturing continues to grow as a target. In recent industrial events, the adversaries have monetized production loss as part of their ransomware target selection.

Today, leading-edge cybersecurity strategies and solutions are essential. For many OT organizations, safety, dependability and uptime are their top priorities, so it’s more difficult than it might seem to manage OT cybersecurity risks. By learning from the past and taking proactive measures, industrial firms can negotiate the current OT environment while keeping security in mind.


Learning from the past

When it comes to OT security, cybersecurity knowledge is significantly higher than it has ever been. The C-suite and boards across industries are seeking information and doing their own research. With that said, a network breach isn’t just a possibility—it’s an inevitability.

Every organization should have an incident response plan and playbooks in place to prepare for the inevitable. Executives also require a communications plan and an understanding of their responsibilities. When an event occurs, everyone should be aware of any regulatory reporting obligations and put plans into practice rather than merely relying on theory. Assessments are part of the planning process. Assess the technology, be forthright about what you can do, and make sure to cover any gaps.

Figure 1: The proportion of OT professionals who thought OT cybersecurity would be moved to be under the chief information security officer (CISO) in the next 12 months. Source: Fortinet State of Operational Technology and Cybersecurity Report


Maintaining OT security is the responsibility of managers and directors in a range of roles, including plant operations. An important finding from the 2022 State of Operational Technology and Cybersecurity Report was that organizational leaders are concerned about OT security, but the function is still managed by people in relatively low-ranking positions; however, 88% of respondents said they planned to place the responsibility for cybersecurity under a chief information security officer (CISO) in the next 12 months (Figure 1). A follow-up study in 2023 found that 95% of organizations said they planned to shift cybersecurity responsibility to the CISO. This increase indicates that the C-suite is taking OT security more seriously, but further action is needed.


Getting a better handle on OT security

The damage from a network breach is considerably more expensive than the capital outlay for security and proactive incident response planning. In business environments, a data breach typically costs more than $4 million, but in OT environments, the costs can be much higher because of production and supply chain concerns. To keep OT systems secure, organizations should:

  • employ network segmentation to shrink the threat landscape
  • adopt a zero-trust methodology
  • implement network access control (NAC) technology
  • develop a vendor and OT cybersecurity platform strategy
  • incorporate cybersecurity awareness training for all employees.

Let’s dig deeper into the first two recommendations.


Network segmentation

Industrial organizations can use network segmentation to stop unauthorized users from accessing their most important industrial assets, including programmable logic controllers (PLCs), industrial control systems (ICS) and human-machine interfaces (HMIs).

Network segmentation enhances security by keeping attacks from propagating throughout a network and attacking vulnerable devices. It also lessens congestion, which frequently causes a decrease in performance. Network efficiency is crucial for resource-intensive services like those provided by factories, power plants, water treatment facilities and oil rigs.

Network segmentation can be particularly challenging in an OT context because of the possibility of unintentionally affecting production during the segmentation process. The difficulties may be compounded when trying to segment an environment with devices from many providers. But with the right tools and processes in place, it is possible to successfully segment the network and even divide it further to take advantage of microsegmentation.

With microsegmentation, security architects can further segment an environment to provide lateral views of all assets in the same broadcast domain. Logically segmenting the network environment into unique security areas all the way down to the level of a single task achieves granularity. Because policies are applied to specific workloads, microsegmentation increases attack resistance by inhibiting a hacker’s ability to migrate between compromised applications in the event of a breach.
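To make the difference between a flat network, zone-level segmentation and microsegmentation concrete, here is an added example that is not part of the original article and not Fortinet code. It models a small, constructed plant inventory (asset names, zones, roles and ports are invented), evaluates flows against a default-deny rule set, and computes the "blast radius" (the set of assets reachable from one compromised host) under each policy style. With coarse segmentation, everything inside a zone can still talk to everything else in that zone; with microsegmentation, even same-zone traffic needs an explicit per-workload rule.

```python
"""Zone-based segmentation policy with a reachability (blast-radius) check.

Constructed example: the assets, zones, roles, ports and rules below are
invented for illustration and do not describe any real plant or product.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str   # coarse segment: "enterprise", "dmz", "control", "field"
    role: str   # finer label used by microsegmentation rules


@dataclass(frozen=True)
class Rule:
    src: str    # selector: a zone name, a role name, or "*" for anything
    dst: str
    port: int   # destination TCP port; 0 means any port


# Constructed inventory (hypothetical names).
ASSETS = {
    "erp-server": Asset("erp-server", "enterprise", "server"),
    "historian":  Asset("historian", "dmz", "historian"),
    "hmi-1":      Asset("hmi-1", "control", "hmi"),
    "eng-ws":     Asset("eng-ws", "control", "engineering"),
    "plc-line-a": Asset("plc-line-a", "field", "plc"),
    "plc-line-b": Asset("plc-line-b", "field", "plc"),
}

# Three policy styles. Zone and role names are kept distinct so a selector
# is never ambiguous.
FLAT_RULES = [Rule("*", "*", 0)]                      # no segmentation at all
ZONE_RULES = [                                         # coarse segmentation
    Rule("enterprise", "dmz", 443),                    # ERP reads reports
    Rule("control", "dmz", 8080),                      # control feeds historian
    Rule("control", "field", 502),                     # Modbus/TCP to PLCs
]
MICRO_RULES = [                                        # per-workload rules
    Rule("server", "historian", 443),
    Rule("engineering", "historian", 8080),
    Rule("hmi", "plc", 502),
    Rule("engineering", "plc", 502),
]


def _matches(selector: str, asset: Asset) -> bool:
    return selector in ("*", asset.zone, asset.role)


def _any_rule(rules, src: Asset, dst: Asset, port=None) -> bool:
    """True if some rule permits src -> dst (on `port`, if given)."""
    return any(
        _matches(r.src, src) and _matches(r.dst, dst)
        and (port is None or r.port in (0, port))
        for r in rules
    )


def is_allowed(rules, src: Asset, dst: Asset, port: int, intra_zone_open: bool) -> bool:
    """Default deny: a flow passes only if a rule explicitly permits it, or
    (coarse segmentation only) both assets sit in the same zone."""
    if src.name == dst.name:
        return True
    if intra_zone_open and src.zone == dst.zone:
        return True
    return _any_rule(rules, src, dst, port)


def blast_radius(rules, assets, start: str, intra_zone_open: bool):
    """Assets reachable from a compromised `start` over any permitted flow,
    found by breadth-first search over the policy (port ignored)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = assets[queue.popleft()]
        for name, nxt in assets.items():
            if name in seen:
                continue
            if (intra_zone_open and cur.zone == nxt.zone) or _any_rule(rules, cur, nxt):
                seen.add(name)
                queue.append(name)
    seen.discard(start)
    return sorted(seen)


if __name__ == "__main__":
    for label, rules, open_zone in (("flat", FLAT_RULES, True),
                                    ("zone", ZONE_RULES, True),
                                    ("micro", MICRO_RULES, False)):
        print(f"{label:5s} compromised hmi-1 can reach:",
              blast_radius(rules, ASSETS, "hmi-1", open_zone))
```

The interesting comparison is the blast radius from a compromised HMI: on the flat network it is every other asset, with zone segmentation it still includes the engineering workstation and the historian, and with microsegmentation it shrinks to the two PLCs the HMI legitimately polls on port 502. The same machinery makes a rule review tangible before a change window: run the policy against the inventory and confirm that every flow production depends on is still permitted.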


Adopting zero trust

Zero-trust approaches are similar between IT and OT, but the risk mitigation strategies are quite different. In IT, the major worry is someone hacking into systems and taking data. But in an OT environment if a key piece of equipment or system fails, millions of dollars could be at stake. An organization should have a risk mitigation plan that fits its requirements and allocate its resources accordingly.

Supporting a zero-trust approach requires building a strong asset management program. Industrial organizations are aware of the difficulty involved in creating an asset list and a configuration management database (CMDB). In some cases, multiple department-specific views of what an asset is may exist, and teams should have visibility into all of them. With the right tools and cabling capabilities, the IT team may then be able to view the environment differently and manage IT and OT assets more effectively.

The zero-trust security model involves more than just technology. Although the planned technologies should be evaluated, organizations also need to determine who is in charge of asset management and understand the data inventory. How is data stored and what databases are used? Where in the environment is that data going? To increase the effectiveness of technology, it’s important to consider all of the people and processes involved.

Because all teams have a part to play, roles and relationships within the organization also must be defined. Most teams are likely to have some level of operational responsibility. For example, cybersecurity teams need visibility. Data needs to be accurate, timely and of high quality. Yet the cybersecurity team does not own the data all the time. Asset management and even access management are foundational to the security team’s function and essential to solving some problems, but that team doesn’t ultimately own them. Larger organizations with many functions also generally have an internal audit function, and it’s important to ensure that the assets are tracked and that the policies and procedures are being followed.
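The asset-management and data-ownership points above are easier to act on when the department-specific views are actually reconciled rather than kept side by side. The following added example (not from the original article, and not Fortinet code) merges three constructed views, an IT CMDB export, an OT engineering asset list and a passive network-discovery result, into one inventory keyed by IP address, and reports the gaps a security team would want surfaced: devices seen on the wire that nobody documents, documented devices that are no longer observed, and assets with no owner or no segmentation zone. All rows are invented sample data.

```python
"""Reconciling department-specific asset views into one inventory.

Constructed example: the three views below (an IT CMDB export, an OT
engineering asset list and passive network discovery) are invented sample
data; field names are assumptions, not any vendor's schema.
"""

CMDB = [  # IT's view: what the CMDB says exists and who owns it
    {"ip": "10.1.0.10", "hostname": "erp-server", "owner": "it-apps"},
    {"ip": "10.2.0.5",  "hostname": "hmi-1",      "owner": "plant-ops"},
    {"ip": "10.2.0.9",  "hostname": "old-hmi",    "owner": "plant-ops"},  # decommissioned, never removed
]
OT_LIST = [  # engineering's view: process tags and segmentation zones
    {"ip": "10.2.0.5",  "tag": "HMI-LINE-A", "zone": "control"},
    {"ip": "10.3.0.20", "tag": "PLC-LINE-A", "zone": "field"},
]
DISCOVERED = [  # passive discovery: what actually talks on the network
    {"ip": "10.1.0.10", "mac": "02:00:00:00:00:01"},
    {"ip": "10.2.0.5",  "mac": "02:00:00:00:00:02"},
    {"ip": "10.3.0.20", "mac": "02:00:00:00:00:03"},
    {"ip": "10.3.0.77", "mac": "02:00:00:00:00:04"},  # on no one's list
]


def reconcile(cmdb, ot_list, discovered):
    """Merge the views into {ip: record} and return (inventory, findings).

    findings is a sorted list of (ip, issue) with issue one of:
      unmanaged - observed on the network but documented nowhere
      stale     - documented but not observed (candidate for removal)
      no-owner  - documented but no accountable owner recorded
      no-zone   - documented but no segmentation zone recorded
    """
    inventory = {}

    def rec(ip):
        return inventory.setdefault(ip, {
            "ip": ip, "hostname": None, "tag": None, "owner": None,
            "zone": None, "observed": False, "sources": set(),
        })

    for row in cmdb:
        r = rec(row["ip"])
        r["hostname"], r["owner"] = row["hostname"], row.get("owner")
        r["sources"].add("cmdb")
    for row in ot_list:
        r = rec(row["ip"])
        r["tag"], r["zone"] = row["tag"], row.get("zone")
        r["sources"].add("ot")
    for row in discovered:
        r = rec(row["ip"])
        r["observed"] = True
        r["sources"].add("discovery")

    findings = []
    for ip, r in inventory.items():
        r["sources"] = sorted(r["sources"])
        documented = "cmdb" in r["sources"] or "ot" in r["sources"]
        if r["observed"] and not documented:
            findings.append((ip, "unmanaged"))
        if documented and not r["observed"]:
            findings.append((ip, "stale"))
        if documented and not r["owner"]:
            findings.append((ip, "no-owner"))
        if documented and not r["zone"]:
            findings.append((ip, "no-zone"))
    return inventory, sorted(findings)


if __name__ == "__main__":
    inv, issues = reconcile(CMDB, OT_LIST, DISCOVERED)
    for ip, issue in issues:
        print(f"{ip:12s} {issue:10s} sources={inv[ip]['sources']}")
```

Each finding maps to an owner question rather than a tooling question: an "unmanaged" device needs someone to claim it or remove it, a "stale" record is an audit-trail problem, and "no-owner" or "no-zone" means the segmentation and access policies have nothing to anchor to. Running this on a schedule, and feeding the findings to internal audit, is one practical way to keep the asset data accurate and timely as the text asks.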


Fail fast and partner often

Technology advances like the Industrial Internet of Things (IIoT) and 5G are affecting OT architecture, but it’s important to be proactive and consider the security measures required for new technology.

To deal with advanced persistent threats, manufacturers also need to employ behavioral-based detection that incorporates the most recent, real-time threat intelligence. Threat actors are concentrating on reconnaissance, looking for ways to transform new technologies into weapons, and bypass security roadblocks, so it’s important to have machine learning and artificial intelligence (AI)-based behavioral defense.

Even though no one can accurately forecast the future of OT cybersecurity, it’s a good idea to embrace resilience and include partners in the equation. Adopt the “Fail fast, partner often” strategy. Without partners, scaling at the breadth and speed necessary today is impossible.


Navigating the complex, converged OT cyber landscapes

Escalating cyber threats to critical infrastructure and lessons from past breaches underscore the inevitability of attacks. Collaborative C-suite leadership, proactive planning and the right technology are pivotal. To secure OT networks, it’s important to take advantage of network segmentation strategies and zero-trust approaches along with resilience and adaptability. Securing today’s networks requires integrated solutions, robust partnerships and unwavering CISO-led commitment. To succeed against relentless cyber adversaries, organizations must be both prepared and agile, and must present a united front.

This feature originally appeared in the AUTOMATION 2023: Cybersecurity & Connectivity ebook published in September.

About The Author


Rich Springer is the marketing director of OT Solutions at Fortinet. In this role, he works alongside regional marketing teams, OT product management, and OT threat researchers to promote the Fortinet Fabric of OT Solutions, including network security, zero trust, security operations and AI-powered threat intelligence for IT/OT converged and OT market segments. Springer has a BS in mechanical engineering from Oregon State University.
