Tag Archive for: Operational Technology

Expert Insights: Building a World-Class OT Cybersecurity Program

In an age where manufacturing companies are increasingly reliant on digital technologies and interconnected systems, the importance of robust cybersecurity programs cannot be overstated. While attending Manusec in Chicago this week, RedSeal participated on a panel of cybersecurity experts to discuss the key features, measurement of success, and proactive steps that can lead to a more mature OT (Operational Technology) cybersecurity posture for manufacturing companies. This blog provides insights and recommendations from CISOs and practitioners from Revlon, AdvanSix, Primient, Fortinet, and our own Sean Finn, Senior Global Solution Architect for RedSeal.

Key features of a world-class OT cybersecurity program

The panelists brought decades of experience encompassing a wide range of manufacturing and related vendor experience and the discussion centered around three main themes, all complemented by a set of organizational considerations:

  • Visibility
  • Automation
  • Metrics

Visibility

The importance of having an accurate understanding of the current network environment.

The panel unanimously agreed – visibility, visibility, visibility – is the most critical first step to securing the network. The quality of an organization’s “situational awareness” is a critical element towards both maximizing the availability of OT systems and minimizing the operational frictions related to incident response and change management.

Legacy Element Management Systems may not be designed to provide visibility of all the different things that are on the network. The importance of having a holistic view of their extended OT environment was identified in both proactive and reactive contexts.

The increasingly common direct connectivity between Information Technology (IT) and Operational Technology (OT) environments increases the importance of understanding the full scope of available access – both inbound and outbound.

Automation

Automation and integrations are key components for improving both visibility and operational efficiency.  

  • Proactive assessment and automated detection: Implement proactive assessment measures to detect and prevent segmentation violations, enhancing the overall security posture.
  • Automated validation: Protecting legacy technologies and ensuring control over IT-OT access portals are essential. Automated validation of security segmentation helps in protecting critical systems and data.
  • Leveraging system integration and automation: Continue to invest in system integration and automation to streamline security processes and responses.

Metrics

Measuring and monitoring OT success and the importance of a cybersecurity framework for context. 

One result of the ongoing advancement of technology is that almost anything within an OT environment can be measured.

While there are multiple “cybersecurity frameworks,” the panel was in strong agreement that it is important to leverage a cybersecurity framework to ensure that you have a cohesive view of your environment.  By doing so, organizations will be better-informed regarding cybersecurity investments and resource allocation.

It also helps organizations prioritize and focus on the most critical cybersecurity threats and vulnerabilities.

The National Institute of Standards and Technology (NIST) cybersecurity framework was most commonly identified by practioners in the panel.

Cybersecurity metric audiences and modes 

Different metrics may be different for very different roles. Some metrics are valuable for internal awareness and operational considerations, which are separate from the metrics and “KPIs” that are consumed externally, as part of  “evidencing effectiveness northbound.”

There are also different contexts for measurements and monitoring:

  • Proactive metrics/monitoring: This includes maintaining operational hygiene and continuously assessing the state of proactive analytics systems. Why would a hack want to get in? What is at risk and why does it matter to the organization? 
  • Reactive metrics/monitoring: Incident detection, response, and resolution times are crucial reactive metrics. Organizations should also regularly assess the state of reactive analytics systems. 
  • Reflective analysis: After incidents occur, conducting incident post-mortems, including low-priority incidents, can help identify systemic gaps and process optimization opportunities. This reflective analysis is crucial for learning from past mistakes and improving security. 

 Organizational Considerations 

  1. Cybersecurity risk decisions should be owned by people responsible, and accountable for cybersecurity.
  2. Collaboration with IT: OT and IT can no longer operate in isolation. Building a strong working relationship between these two departments is crucial. Cybersecurity decisions should align with broader business goals, and IT and OT teams must collaborate effectively to ensure security.
  3. Employee training and awareness: Invest in ongoing employee training and awareness programs to ensure that every member of the organization understands their role in maintaining cybersecurity.

Establishing a world-class OT cybersecurity program for manufacturing companies is an evolving process that requires collaboration, automation, proactive measures, and continuous improvement. By focusing on visibility, collaboration, and a commitment to learning from incidents, organizations can build a strong foundation for cybersecurity in an increasingly interconnected world.

Contact RedSeal today to discuss your organizational needs and discover how RedSeal can provide unparalleled visibility into your OT / IT environments.

IT/OT Convergence

Operational Technology (OT) systems have decades of planning and experience to combat threats like natural disasters – forces of nature that can overwhelm the under-prepared, but which can be countered in advance using well thought out contingency plans. Converging IT with OT brings great efficiencies, but it also sets up a collision between the OT world and the ever-changing threats that are commonplace in the world of Information Technology. 

A Changing Threat Landscape 

The security, reliability, and integrity of the OT systems face a very different kind of threat now – not necessarily more devastating than, say, a flood along the Mississippi, or a hurricane along the coast – but more intelligent and malicious. Bad actors connected over IT infrastructure can start with moves like disabling your backup systems – something a natural disaster wouldn’t set out to do. Bad actors are not more powerful than Mother Nature, but they certainly are more cunning, and constantly create new attack techniques to get around all carefully planned defenses. This is why the traditional strategies have to change; the threat model is different, and the definition of what makes a system “reliable” has changed. 

In the OT world, you used to get the highest reliability using the oldest, most mature equipment that could stay the same, year after year, decade after decade. In the IT world, this is the worst possible situation – out of date electronics are the easiest targets to attack, with the most known vulnerabilities accumulated over time. In the IT world of the device where you are reading this, we have built up an impressive and agile security stack in response to these rapidly evolving threats, but it all depends on being able to install and patch whatever software changes we need as new Tactics, Techniques and Procedures (TTP’s) are invented. That is, in the IT world, rapid change and flexible software is essential to the security paradigm. 

Does this security paradigm translate well to the OT world?

Not really. It creates a perfect storm for those concerned with defending manufacturing, energy, chemical and related OT infrastructure. On the one hand, the OT machinery is built for stability and cannot deliver the “five nines” reliability it was designed for if components are constantly being changed. On the other hand, we have IT threats which can now reach into OT fabric as all the networks blend, but our defense mechanisms against such threats require exactly this rapid pace of updating to block the latest TTP’s! It’s a Catch-22 situation. 

The old answer to this was the air gap – keep OT networks away from IT, and you can evade much of the problem. (Stuxnet showed even this isn’t perfect protection – humans can still propagate a threat across an air gap if you trick them, and it turns out that this isn’t all that hard to do.) Today, the air gap is gone, due to the great economic efficiencies that come from adding modern digital communication pathways to everything we might need to manage remotely – the Internet of Things (IoT).

How do we solve this Catch-22 situation?

So, what can replace the old air gap? In a word, segmentation – it’s possible, even in complex, blended, IT/OT networks to keep data pathways separate, just as it’s essential for the same reason that we keep water pipes and sewer pipes separate when we build houses. The goal is to separate vulnerable and critical OT systems so that they can talk to each other and be managed remotely, but to open only these pathways, and not fall back to “open everything so that we can get the critical traffic through”. Thankfully, this goal is achievable, but the bad news is it’s error prone. Human operators are not good at maintaining complex firewall rules. When mistakes inevitably happen, they fall into two groups:

  1. errors that block something that is needed
  2. errors that leave something open

The first kind of error is immediately noticed, but sadly, the second kind is silent, and, unless you are doing something to automatically detect these errors and gaps, they will accumulate, making your critical OT fabric more and more fragile over time. 

One way to combat this problem is to have a second set of humans – the auditors – review the segmentation regularly. Experience shows, though, that this just propagates the problem – no human beings are good at understanding network interactions and reasoning about complex systems. This is, however, a great job for computers – given stated goals, computers can check all the interactions and complex rules in a converged, multi-vendor, multi-language infrastructure, and make sure only intended communication is allowed, no more and no less.

In summary, IT/OT convergence is inevitable, given the economic benefits, but it creates an ugly Catch-22 scenario for those responsible for security and reliability – it’s not possible to be both super-stable and agile at the same time. The answer is network segmentation, not the old air gapped approach. The trouble with segmentation is it’s hard for humans to manage, maintain and audit without gaps creeping in. Finally, the solution to resolve this Catch-22 is to apply automation – using software such as from RedSeal to automatically verify your segmentation and prevent the inevitable drift, so that OT networks are as prepared for a hacker assault as they are for a natural disaster.