Managed security services must be appropriately balanced in ICS, OT environments


The increase in the volume and sophistication of cybersecurity incidents, coupled with a severe shortage of trained cybersecurity professionals who can deal with the challenges of working in ICS and OT environments, has led industrial owners and operators to turn increasingly to managed security services. It is vital for industrial organizations to continuously monitor their networks in order to reduce the risk of downtime from cyber or operational threats.

Managed security services work towards gaining greater control of the operational technology (OT) elements of the organization and integrating them into the organization’s cybersecurity fabric, such that a cohesive approach is better able to withstand and safeguard organizational infrastructure from adversarial threats and attacks.

These services provide outsourced monitoring and management of security devices and systems, such as managed firewalls, intrusion detection, and vulnerability scanning. Providers run high-availability security operations centers, either from their own facilities or from other data center providers. The centers typically provide remote 24/7 monitoring of security technologies and security-related events across various platforms to identify threat exposure and security incidents, advise on remedial action, and (where appropriate) respond on behalf of clients.

The evolving threat landscape has given managed security service providers a macro view across potentially thousands of clients, enabling them to see the overall picture and the threats that are out there. This in-depth analysis can bring about agility, a deeper understanding of potential risks and threats, and the ability to access the right tools and adopt streamlined processes to deliver answers cost-effectively.

Donovan Tindill, Senior Cybersecurity Strategist, HCE Cybersecurity

A managed security services offering for the OT environment provides outsourced security monitoring and management of distributed control systems (DCS) and process control networks (PCNs), Donovan Tindill, senior cybersecurity strategist at Honeywell, told Industrial Cyber. “This offering can include managing intrusion detection, firewalls and virtual private networks (VPNs), anti-virus configuration, and vulnerability testing. The MSS solution can also provide enterprises with 24/7 monitoring services, thus significantly reducing the need to hire and train a large security staff,” he added.

Tindill identified that with the right MSS solution, plant operating companies can augment their IT SOC infrastructure. “The managed service provider simply takes over the OT-related aspects of the overall cybersecurity program. This approach complements a company’s current IT-OT security resources and helps the customer to extend the value of existing security assets,” he added.

Tindill also drew attention to the fact that a managed security service provider can apply everything it has learned from previous incidents or threat intelligence across other clients. “When security operations center (SOC) resources identify suspicious behaviors or an indicator of compromise, they can assist the customer in considering potential remediations and pass mitigations on to all participants. The MSS provider has the unique advantage of leveraging threat intelligence across multiple clients while all individual industrial operators remain anonymous,” he added.

Cybersecurity expert Larry Leibrock, however, said that the question of efficiency is quite problematic, given that the list of providers offering managed cybersecurity services to complex profit-making organizations with both information technology and operational technologies is very short.

Larry Leibrock, Visiting Professor Idaho State University and Research Affiliate CyberCore – Idaho National Lab

“Operational technologies and their interface with differing levels of information technology are closely aligned with each firm’s unique business strategy and value proposition. In effect, there is no one-size-fits-all for managed cybersecurity services, which include both operational technologies and information technologies,” he added. Leibrock is a visiting professor at the Idaho State University and holds a joint appointment with the Idaho National Laboratory (INL).

“The contracting process, in my experience, is very complex and provides considerable flexibility for outside service providers. This is coupled with an overarching scarcity of cybersecurity experts who have a comprehensive understanding of each firm’s unique business operations,” according to Leibrock.

He also said that outsourcing managed cybersecurity services seems to be an attractive value proposition; however, comparisons are again problematic in that many firms have a highly incomplete understanding of the total cost of ownership for both information systems and the complex operational technologies used to manage cyber-physical systems. “A second-order problem is that there’s frankly very poor quality of engagement between information technology specialists and those specialists who manage shopfloor operational technologies,” Leibrock added.

Drawing on Honeywell’s experience of providing managed security services to its global customers, Tindill said that a ‘build your own’ approach could take between one and three years to go from zero capability to highly effective. Using three large sites as an example, building your own early detection and incident response capability could cost over US$ 3 million over a five-year period. In comparison, by partnering with an MSSP, the cost estimate reaches one-fifth or less of the cost to build your own, and the capability could be up and running faster, within three to twelve months. The actual costs may however vary depending on the facts and circumstances of a specific engagement, he added.

Many of the CIOs in these firms typically prefer to firewall their responsibilities and simply focus on information technologies while ignoring the interface between cyber-physical systems and information technologies, Leibrock said. “This is a classic example of a denial which does not constitute a river in Egypt. I think that too often we seem to focus on cost as an overarching paradigm for managerial decision-making and ignore the construct of total value of ownership,” he added.

“It’s interesting that accountants seem to ignore the total value of ownership for all information technologies, which include enterprise-level interfaces to production systems. Cost comparisons in many cases are simply specious and do not stand up to rigorous, evidence-based analysis,” Leibrock said. “Many organizations simply focus on acquisition costs and do not consider the entire lifecycle costs of acquiring, deploying, operating, maintaining, and lastly retiring the systems. Too often, legacy systems are simply ignored and not replaced despite extraordinary operating costs,” he added.

“Establishing an effective OT early threat detection and response capability in-house is extremely challenging for most companies,” Tindill said. “Acquiring the security experience, technology, and intelligence required for an in-house cybersecurity function is not something every enterprise can facilitate or manage. Many facilities are in locations that struggle to acquire and retain cybersecurity professionals. Even after an internal cybersecurity mechanism has been put in place, it cannot run itself,” he added.

Companies are faced with constant maintenance and fine-tuning to make the system smarter, triage more accurately, and respond faster day after day, according to Tindill. Ongoing updates to cyber threat intelligence are mandatory if the company expects new vulnerabilities to be quickly identified and mitigated.

Tindill further identified that there is no question that finding and retaining the right cybersecurity team is difficult, with each individual having different skill sets. “As OT cybersecurity is very specialized, companies must train their own or compete to entice the few available professionals from other organizations,” he added.

When evaluating MSS providers, “It’s also important to ask about local and remote collaboration. If the MSS provider identifies a risk or action that is required, it may need to be communicated and coordinated with the local onsite team to collaborate and resolve the issue,” according to Tindill. “A company needs to inquire how the provider intends to handle this local and remote collaboration, and how they overcome situations when onsite personnel may not share the same cybersecurity skills and experience,” he added.

Leibrock said that he believes that to evaluate managed security services, it “is important to look beyond the internal organization and higher-skilled competent consultants to help evaluate and engage in vendor questioning about managed cybersecurity services.”

The review and evaluation of cyber-physical systems should include detailed, evidence-based responses to focused issues, he said. “Too often, the vendor salesforce is not prepared to effectively respond to technical interrogatories. I also note that frequently prospective buyers of managed cybersecurity services do not engage in questioning other users and clients of cybersecurity services. This question needs to be open and honest and based upon highly structured cybersecurity technical and business questions,” Leibrock added.

Given the role played by managed security service providers, it is important to ascertain how much responsibility the MSS provider bears when there is a breach, and how blame is apportioned.

“MSS providers can be an effective tool for enhancing security operations, but they’re not an insurance policy against cyberattacks,” Tindill said. “By outsourcing Managed Security Services to a third party, you are relying on that third party to help identify threats early. It is a joint effort that requires joint support. The reality is that for all industrial companies, it’s not if they will get attacked, but when, and an ability to detect and respond quickly and effectively will affect its severity,” he added.

“The challenge is whether or not the asset owner has invested in security controls to help safeguard against and reduce the likelihood of the breach and respond in a timely manner to help reduce the severity of impacts,” according to Tindill. “The MSS provider is important in assisting the asset owner in reducing the owner’s risk by helping them proactively identify suspicious or malicious behaviors before an incident occurs and assisting the owner in timely response to an incident and coordinating the incident response efforts in coordination with the customer’s onsite staff to reduce impacts.”

Having come up against such situations, Leibrock said that, “in two of my experiences dealing with catastrophic breaches the cybersecurity service firm seeks to not take responsibility and point to supplier problems or problems that are related to personnel in the host firm. In many cases this resulted in a legal dispute and the canceling of the cybersecurity contract.”

It’s important to understand that these cybersecurity services vendors are risk-averse, according to Leibrock. “The risk premium is typically not included in the contract and the cybersecurity firm will seek to avoid any direct or contingent liability. In my experience, the only winners in these situations are attorneys and outside counsel who are brought in to deal with legal disputes and the avoidance of any public trials. Unfortunately, this is a fact of our lives in our US legal system. In effect the only winners in these matters are expensive legal counsel,” he added.

One way for industrial and manufacturing organizations to gain greater control is to address their own inefficiencies, so that they are better protected when using managed security services in ICS (industrial control systems) and OT environments.

“More and more industrial companies are making the move to a managed security services (MSS) model for their security needs,” Tindill said. “This way, asset owners can have the security of their networks monitored by a managed security services provider, which allows them to spend more of their time focusing on their primary mission (e.g., making products, energy, etc.).”

“A high-quality MSS provider should be using best-in-breed practices, like ISO-27001 and ISO-20000-1 certifications, by highly qualified OT cybersecurity professionals across the globe to assist a customer in protecting its ICS/OT systems 24 hours a day, 7 days a week,” Tindill added.

A first step, Leibrock said, is to spend time gaining executive-level support for rigorously framing what problem the organization is trying to solve.

“Attacks against cyber-physical systems are simply a fact of our lives and we need to do rigorous problem framing and thoughtful risk analysis based upon qualitative and quantitative tools to really better frame our set of feasible options,” according to Leibrock. “Too often, many firms seek to avoid this problem and think they can outsource cybersecurity to limit the associated risk to their information systems be it operational or information technologies. I think risk analysis is necessary prior to engaging any managed cybersecurity services whatsoever,” he concluded.
