Information technology and operational technology differ in many ways, but the biggest difference stems from their purpose, not their design, Robert M. Lee, CEO and co-founder at Dragos, said Tuesday at Forrester’s Security & Risk 2022 conference.
“It’s not about the convergence of technologies, it’s the fact that an operations environment has to deal with physics at the end of the day,” he said.
Industrial control systems can treat wastewater, generate electrical power or run a manufacturing plant, and this creates distinct requirements for each from a security perspective.
While IT security is largely focused on data and systems, OT security involves systems of systems and physics, Lee said. “When you have different impact, different risks, different threats, and different manifestations of that risk, then your security answer is probably going to be a little bit different.”
He and his colleagues studied previous industrial control system attacks, and here is what they found.
While each industrial sector is unique and control systems for that infrastructure have specialized security requirements, there are five critical controls that, broadly applied, create the best value for organizations to confront threats that are common throughout OT, Lee said.
These are the five security musts for every OT operator, according to Dragos.
1. Establish an OT incident response plan
Start with the end in mind. Too many organizations don’t think about response until an incident has already occurred, leaving architecture, logs and detections misaligned, according to Lee.
Consider the details that need to be disclosed in Securities and Exchange Commission filings or shared with members of the operations team. This will inform how architecture should be built, the type of data that needs to be collected and what’s required of your organization’s security tools.
2. Maintain defensible architecture
Organizations must ensure critical control systems can be defended. “There is no such thing as a secure product, there’s no such thing as a secure architecture, but I like stuff that’s defensible,” Lee said.
“You’re not going to be defended until you add a human operator or human defender into that environment,” he said. “Tech isn’t going to be the answer … I need good humans to go against human adversaries.”
3. Use network security visibility monitoring
An architecture that was sound at one point can atrophy. Organizations can continuously validate their architecture by using security visibility monitoring and identifying the adversary tactics that need to be detected.
Defending a collection of dedicated systems requires cybersecurity professionals to understand what is occurring in industrial control system protocols. This insight, Lee said, can help an organization determine whether an insider or adversary used one system to manipulate another.
4. Secure remote access
Multifactor authentication is the most common way to secure remote access today, but not every system supports it and MFA might eventually be replaced with something better.
Secure remote access is critical, Lee said.
“Most of the compromises we see in operations come from that third-party access, whether it’s the third party themselves getting compromised or just the access that was set up is now facilitating access to that environment,” Lee said.
5. Implement a key vulnerability management program
“You as a CISO cannot get away with saying ‘I don’t care about vulnerabilities,’ even if it’s true,” Lee said.
“There are some vulnerabilities that matter, but less than you think. In the world of industrial, all we care about is those vulnerabilities that can actually add net new functionality into the environment or help us get access into the environment,” Lee said.
That amounts to 4% of all known vulnerabilities per year, according to Lee.
Through its work tracking vulnerabilities, Dragos found the percentage that could impact industrial control systems holds steady on an annual basis at 4%.
Put another way, operations staff can ignore 96% of all known vulnerabilities.