As it is well known, Operational Technology (OT) environments and industrial cybersecurity are two fundamental concepts in the field of security. This applies not only to critical infrastructures but also to the protection of industrial systems in general.
When we refer to OT environments, we are talking about the systems and devices used to control and monitor operations in industrial environments, such as power plants, chemical plants, water supply networks, and manufacturing systems. These environments include technologies such as Industrial Control Systems (ICS), automation systems, sensors and actuators, and specialized equipment. The main objective of OT environments is to ensure the safe and efficient operation of industrial processes.
Any company operating in the aforementioned environments should have a competent person responsible for OT security. These companies are a common target for attacks from both internal and external sources. We can cite examples such as the successful cyberattack on liquefied natural gas producers just before Russia’s invasion of Ukraine, the temporary shutdown of 14 Toyota factories after a compromised supplier incident, or the breach of ICS and SCADA systems in a nuclear power plant. Therefore, it is crucial to understand that merely isolating the production areas of our business is not an efficient or effective solution in most cases.
Researching the complexities and scope of OT environments has led to the identification of many potential risks. Consequently, we now know that defense systems implemented in isolation are mostly inefficient. They overwhelm security teams with surplus information that they struggle to handle and fail to prioritize alerts based on risk, context, and potential impact. These standalone solutions do not mitigate the risk or prevent malicious attacks that can disrupt business continuity and industrial operations unless they are placed in the hands of qualified personnel who can interpret and configure them properly.
Consider all areas and elements affecting the OT network
Most existing solutions in the market lack a comprehensive understanding of the risks involved in the OT environment and all OT-IT-IIoT assets. It is necessary to have an integrated view.
For example, when considering the use of an Intrusion Detection System (IDS) exclusively, we must be aware that the visibility of our asset inventory is likely to be quite deficient. It is essential to complement this information with data from other security and industrial sources to obtain a complete view of all OT assets and ensure effective risk mitigation. We must understand that security teams cannot solve what they cannot see. Additionally, the following factors should be taken into account:
- The business impact of each asset, operational context, and organizational hierarchy
- Visibility of security controls
- Industrial sources such as OPC, DCS, and project files
- Web proxies
- Detailed views of each asset and its security configurations
- Management systems
- Network devices and IDS/IPS
- Coverage of the operational network
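The integrated view described above can be approximated in code: merge what each source (IDS, OPC, project files) knows about the network, report which assets the IDS alone would never have shown, and rank alerts by the business impact of the affected asset. This is an added example, not code from the original article; the addresses, source contents, impact scores and alerts are constructed sample data.

```python
"""Consolidate OT asset visibility from several sources and rank alerts by context."""
from collections import defaultdict

# Constructed sample data: what each source knows about the plant network.
IDS_SEEN = {"10.1.1.10": {"proto": "modbus"}, "10.1.1.11": {"proto": "s7comm"}}
OPC_TAGS = {"10.1.1.11": {"name": "PLC-Reactor-2"}, "10.1.1.20": {"name": "HMI-Line-3"}}
PROJECT_FILES = {"10.1.1.20": {"vendor": "VendorA", "firmware": "2.1"},
                 "10.1.1.30": {"vendor": "VendorB", "firmware": "5.0"}}
# Business impact from the organisational hierarchy (1 = low, 5 = safety critical).
IMPACT = {"10.1.1.10": 3, "10.1.1.11": 5, "10.1.1.20": 2, "10.1.1.30": 4}
# Constructed alerts; severity is the detector's own 1-5 score.
ALERTS = [{"id": "A1", "asset": "10.1.1.10", "severity": 4},
          {"id": "A2", "asset": "10.1.1.11", "severity": 2},
          {"id": "A3", "asset": "10.1.1.99", "severity": 1}]


def merge_inventory(*sources):
    """Union of all sources keyed by address; each record remembers which sources saw it."""
    assets = defaultdict(lambda: {"seen_by": set()})
    for name, records in sources:
        for addr, attrs in records.items():
            assets[addr].update(attrs)
            assets[addr]["seen_by"].add(name)
    return dict(assets)


def visibility_gaps(assets, source):
    """Addresses known to some source that `source` never observed."""
    return sorted(addr for addr, rec in assets.items() if source not in rec["seen_by"])


def alert_score(alert, assets, impact):
    """Business impact dominates detector severity; an un-inventoried asset is ranked first."""
    addr = alert["asset"]
    if addr not in assets:
        return 100  # never seen by any source: an unknown device on the OT network
    return impact.get(addr, 1) * 10 + alert["severity"]


def rank_alerts(alerts, assets, impact):
    """Alerts ordered from most to least urgent for the joint OT/IT team."""
    return sorted(alerts, key=lambda a: alert_score(a, assets, impact), reverse=True)


if __name__ == "__main__":
    inventory = merge_inventory(("ids", IDS_SEEN), ("opc", OPC_TAGS), ("project", PROJECT_FILES))
    print("not visible to the IDS:", visibility_gaps(inventory, "ids"))
    for alert in rank_alerts(ALERTS, inventory, IMPACT):
        print(alert["id"], alert["asset"], alert_score(alert, inventory, IMPACT))
```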
Be attentive, proactive, and assess contextual risk
A good OT security lead must ensure proper vulnerability management and be able to reduce risk before a breach occurs, since acting after an attack would be too late. This includes:
- Reducing the operational attack surface of an organization through appropriate segmentation.
- Mitigating OT-IT-IIoT vulnerabilities to prevent exploitation by cybercriminals.
- Strengthening critical assets and systems against ransomware.
- Providing practical recommendations for proactive actions.
- Ensuring continuous backup of critical systems for recovery, as there is no guarantee that unauthorized access can be completely blocked.
Develop a strategy to reduce potential risks
Given that most SOC analysts lack OT and operational skills, another essential characteristic of an effective industrial cybersecurity solution is that it gives these teams clear, precise, and user-friendly mitigation guides.
These guides should be suitable for operational environments where downtime is not an option. The idea is that analysts and operational staff do not need to be cybersecurity experts to use the guides, while these tools must also be adaptable to each organization’s specific industrial environment.
Mitigation guides should provide context to train operational and security teams to immediately reduce exposures and security vulnerabilities in the OT network. We must consider that simply applying patches may not be enough, or even possible, especially for inherited OT systems. Therefore, using mitigation guides strengthens the operational resilience of an industrial organization against cyber risks.
Increase ROI in OT security investment
Regardless of the OT security tools our organizations are already using, they should provide a comprehensive assessment of security controls. In other words, they should deliver valuable, detailed, and actionable information, rather than the less useful output of tools whose results arrive too late to act on.
Improving return on investment also means prioritizing initiatives within the OT field and categorizing them according to how necessary they are. Knowing that our focus is industrial cybersecurity, teams should take an operational, risk-prevention-oriented approach. This requires flexibility and adaptability to the current needs of the business. Being proactive about risk avoids the unforeseen expense of responding to breaches that could have been prevented.
Continued collaboration between IT and OT
One of the biggest problems we face today is the lack of alignment between OT and IT teams. Considering that these teams need each other to work efficiently, a good OT security lead should act as a bridge between them, managing risk reduction and implementing timely and effective responses to security incidents.
To develop effective collaboration, they need to work within a known context. Security teams need to understand the security risks that impact operations, the level of damage, and the pathways through which they occur. Furthermore, both the OT and IT teams must have the authority to make decisions and enjoy flexibility within the organization’s bureaucratic processes.
All teams should separate “high-priority” alerts from the rest within their established roles and understand the necessary actions to mitigate those risks.
A good OT security lead should encourage coordination between the two teams, enabling them to benefit from a platform that allows transparent and effective collaboration. They should develop the ability to delegate tasks and monitor each department's progress. Organizations should account for the differences in the teams' existing workflows so that OT security tools and processes can be integrated easily and effectively, which will enhance collaboration among stakeholders.