According to research by IBM, last year, operational technology security incidents rose by 2000 percent. Yet despite this increase and the continued frequency of reports regarding cyber attacks on industrial environments, many operations have failed to establish a comprehensive OT security program.
At the Cyber Security for Critical Assets virtual Industrial Cyber Security Summit USA earlier this month IBM’s Rob Dyson provided insight on building an OT security program, based on his experience working with various business leaders in industrial environments.
“Security awareness within OT environments is very low. This is an area where the employees, contractors, vendors did not have to think about cybersecurity years ago, but today they do,” said Dyson, Global OT/IoT Security Services Business Development Leader at IBM. “There’s often very good physical security, but very limited cybersecurity. All the experts are typically over in the corporate IT security team and very limited OT security professionals are available to work in the OT environment, and those security professionals in the corporate side don’t understand the OT environment. So you really have a disparate situation where you need to cross-train or find people who are skilled in the area of OT.”
Dyson said that oftentimes, organizations think they’re not vulnerable to attacks because they aren’t looking for them. Without an OT security plan, identifying attacks is difficult, which leaves organizations with minimal understanding of the risks they face.
“Most companies with industrial environments don’t have a risk mitigation and remediation plan,” Dyson said. “They really haven’t done the risk assessments to know what the risks are so they can’t align controls to those risks.”
As digital transformation continues to revolutionize industrial environments, organizations are tasked with securing more assets than ever before, including an increasing number of Internet of Things devices. As a result, 67 percent of those interviewed in an IBM survey said they experienced a security incident related to IoT devices.
“In OT environments what we’re finding is there’s limited asset visibility. You can’t secure what you don’t know you have. Asset management itself is a challenge no matter where you look but it needs to be focused on in the OT environment so you can start understanding what those devices are, whether they’re changing or being attacked and so on,” Dyson said. “Seeing all of those devices across the environment, you’ll notice they’re from different vendors, they have their own unique proprietary protocols, making all of this security management even that much more challenging.”
Adding to the challenge, Dyson said, is the fact that traditional security tactics aren’t always suited to industrial environments.
“Some of the techniques we use in our corporate IT environments, where we’ve been working on security programs for years, do not work in OT environments. It’s hard to test some of these OT devices. Some of these devices are very sensitive and we try to probe those with our traditional testing techniques, it can bring an environment down,” Dyson said. “In the OT environment many of the devices don’t even have patches. The vendors don’t even support many of the devices in there because they’re so old so there’s no patching to do. You have to come up with other mitigating controls. So some of these techniques that are very common in our corporate environment just cannot be applied to the OT environment, creating risk.”
In 2018, Bloor Research released the results of a survey of 370 industrial companies. According to the report, 74 percent of the companies surveyed didn’t have a current OT risk assessment, 78 percent didn’t have OT specific security policies, and 81 percent didn’t have an OT specific security incident response plan.
“Even if companies have been focused on OT security for years, we’re finding that their incident response capability is very limited,” Dyson said. “So all the work they’re doing to even identify if they had some cybersecurity attack, they have limited means to go and mitigate that attack in such a way that it doesn’t impact the business severely.”
According to Dyson, an OT security program must include an overall OT security strategy and plan, security risk management and assessment, a governance and compliance component, device discovery and management, network discovery and security architecture, role based access controls, security event and incident monitoring, and security incident response. Dyson says, in order to be effective, programs must also include data discovery, classification and protection. When formulating your OT security program, Dyson recommends following the National Institute of Standards and Technology cybersecurity framework.
“An OT security program is the practices your organization implements to protect critical industrial processes, data, and IT/OT assets,” Dyson said. “It identifies the people, processes, and technology required to mitigate the impact of a cyberattack to industrial process safety, availability, reliability, and predictability.”
Next week, CS4CA will host the European leg of its Industrial Cyber Security Summit. The virtual summit gives parties around the world the chance to tune in for insight on how they can better protect their organizations.
“The impact for these environments is very severe for a company. Industrial environments are where companies make their money,” Dyson said during the USA summit. “So this is super important that we focus on this and that companies start investing appropriately in these OT environments and getting those environments secure.”
For more information on CS4CA Europe visit europe.cs4ca.com/