Owners and operators of operational technology (OT) are still working out cybersecurity best practices, and those practices may not be universal across companies, since security operations centers (SOCs) and resources vary from organization to organization.
OT security is becoming more closely intertwined with IT security, but experts warn that the two environments still need some level of dedicated expertise. As the air gaps between IT and OT disappear and a single cyberattack can threaten both at once, companies need a clearer understanding of what is acceptable in IT but not in OT.
For companies with IT SOCs covering OT security, it could be easier to train personnel with industrial process experience in security, according to Ed Parkin, senior security architect at Keysight Technologies, during a SANS Institute webcast Tuesday. "They don't have to become a security expert, they just need to know who to call, and what data is going to be asked, and then how to respond."
This is especially important because about one-fifth of respondents in a recent SANS Institute survey implicated engineering workstations as an initial access vector.
Engineers unintentionally bypass security controls when they plug into different equipment or perform program changes, said Michael Hoffman, principal industrial consultant at Dragos, during the webcast. Engineering laptops are notoriously difficult to secure because they move around with the engineer.
Improving security at the engineering level might reduce some of the risks OT is exposed to. External remote services were the initial access vector in 37% of security incidents in industrial control systems (ICS) environments, according to the survey. Exploitation of public-facing applications and internet-accessible devices rounded out the top three initial access vectors.
Engineers are well primed for cybersecurity training, but it begins with an overall culture shift: engineers should question whether it is even necessary to connect to a piece of equipment in the first place, and, if it is, know which policies they have to follow when they do.
Engineering workstations are "where the more advanced adversaries are going to have to go for that predictable, repeatable effect," said Mark Bristow, SANS instructor, during the webcast. "That's where you can really create process control impacts."
One-third of respondents said their CISOs set policies for ICS security, but at least 15% don't know who sets those policies, the survey found. The CISO's role in OT/ICS environments is growing, with policy-setting shifting away from IT or OT management.
As the security community reevaluates how it does cybersecurity, the way data is collected must also change.
"We're getting a lot of data in, but we're getting a lot of data in from most of the types of devices that are more IT in our control systems networks," said Bristow. "We're not getting in a lot of the OT data, we're not doing a lot of integration of the IT and OT data." The two environments need a degree of cross-analysis, for example to enable more robust threat hunting.
But security for OT/ICS environments has been evolving in recent years. Active monitoring traditionally had more of a role in IT, but has shifted into OT security, too. Two in five respondents reported using continuous active vulnerability scanners, which indicates OT operators are turning a corner, said Michael Rothschild, senior director of product and solutions marketing at Tenable, during the webcast.
"It is a dynamic environment where people are considering different ways of being able to detect threats and take action," he said.
The majority of respondents, 61%, said they monitor for software or hardware vulnerability notifications through vendors or CERTs, the report found. Half of respondents rely on passive monitoring using a network sniffer as part of their vulnerability management. Passive methods remain common in OT partly because some controllers and field devices handle unsolicited probes poorly, so active scanning on control networks has to be introduced with care.
The survey indicated that a lot of the security monitoring in OT/ICS environments is performed by IT. Whether it's an IT- or OT-specific SOC doesn't actually matter, according to Hoffman. What does matter is whether the SOC has the context of the environment, because what might appear normal in IT could be concerning in OT.
Oftentimes, SOCs will say they are monitoring the demilitarized zone (DMZ) of their OT, including the servers, firewalls and switches. "That's great," said Hoffman, but "if there's an alert that happens on that machine, does the SOC analyst have the context to understand what it was tied to?" The further removed a SOC is from its company's OT, the harder it becomes to understand the context of an abnormality.
"A lot of times [OT analysts] will get pulled over to IT-type incidents," said Hoffman. "So they spend most of their time tracking down on the enterprise side versus on the OT side." If companies can effectively combine their IT and OT SOCs, they will be better equipped to see the full kill chain.
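The two points above, that an alert in the OT DMZ is only meaningful with asset context and that IT and OT data have to be joined to see the whole kill chain, can be made concrete with a small correlation routine. The following is an added example written for this article, not code from the webcast or from any vendor product: the host names, zones, log format and rules are constructed for illustration. It scores each PLC logic write on its own using an asset inventory, then walks remote-session events backwards to find where the operator came from, so that a write which looks routine from an authorized engineering workstation is escalated when the session behind it originated outside OT.

```python
"""IT/OT event correlation with asset context (added example, not from the
webcast). Hosts, zones, the log format and the rules are constructed for
illustration; adapt them to a real inventory and SIEM schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory: the OT context an IT-only SOC usually lacks.
# "writers" lists the engineering workstations allowed to change PLC logic.
ASSETS = {
    "vpn-gw":   {"zone": "enterprise", "role": "remote-access-gateway"},
    "jump01":   {"zone": "ot-dmz",     "role": "jump-host"},
    "eng-ws07": {"zone": "ot-control", "role": "engineering-workstation"},
    "hmi02":    {"zone": "ot-control", "role": "hmi"},
    "plc-b3":   {"zone": "ot-process", "role": "plc", "writers": {"eng-ws07"}},
}
REMOTE_ACTIONS = {"vpn-login", "rdp", "ssh"}   # session-creating actions
IT_SIDE = {"enterprise", "external"}            # origins outside OT


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    action: str


def zone(host):
    """Zone from the inventory; anything unknown is treated as external."""
    return ASSETS.get(host, {}).get("zone", "external")


def parse(line):
    """Parse the constructed log format '<iso-ts> <src> -> <dst> <action>'."""
    ts, src, _, dst, action = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, action)


def triage(ev):
    """Per-event severity using only asset context (no correlation)."""
    if ev.action == "plc-write":
        allowed = ASSETS.get(ev.dst, {}).get("writers", set())
        return "expected" if ev.src in allowed else "critical"
    if (ev.action in REMOTE_ACTIONS and zone(ev.src) in IT_SIDE
            and zone(ev.dst).startswith("ot")):
        return "review"      # a session crossing from IT into OT
    return "info"


def remote_path(events, ev, window):
    """Follow session events backwards from ev.src to find where the
    operator of that host came from, within `window` of the event."""
    path, host, seen = [ev], ev.src, {ev.src}
    while True:
        prior = [e for e in events
                 if e.dst == host and e.action in REMOTE_ACTIONS
                 and ev.ts - window <= e.ts <= path[-1].ts
                 and e.src not in seen]
        if not prior:
            return path
        hop = max(prior, key=lambda e: e.ts)   # most recent session into host
        path.append(hop)
        host = hop.src
        seen.add(host)


def correlate(lines, window=timedelta(hours=2)):
    """Return one finding per PLC write: its standalone triage, the chain of
    remote sessions behind it, and the origin zone. A write that is 'expected'
    on its own becomes 'critical' when the chain starts outside OT."""
    events = sorted((parse(line) for line in lines), key=lambda e: e.ts)
    findings = []
    for ev in events:
        if ev.action != "plc-write":
            continue
        path = remote_path(events, ev, window)
        origin = zone(path[-1].src)
        severity = triage(ev)
        if len(path) > 1 and origin in IT_SIDE:
            severity = "critical"
        findings.append({
            "plc": ev.dst, "writer": ev.src, "origin_zone": origin,
            "hops": [f"{e.src}->{e.dst}:{e.action}" for e in reversed(path)],
            "severity": severity,
        })
    return findings


# Constructed sample log: a VPN session hops through the DMZ jump host to the
# engineering workstation and then pushes logic to a PLC.
SAMPLE_LOG = [
    "2024-03-05T09:02:00 203.0.113.7 -> vpn-gw vpn-login",
    "2024-03-05T09:05:00 vpn-gw -> jump01 rdp",
    "2024-03-05T09:09:00 jump01 -> eng-ws07 rdp",
    "2024-03-05T09:31:00 eng-ws07 -> plc-b3 plc-write",
    "2024-03-05T14:10:00 eng-ws07 -> plc-b3 plc-write",  # local work, no session behind it
    "2024-03-05T15:00:00 hmi02 -> plc-b3 plc-write",     # an HMI should never write logic
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Run on the sample log, the first write is escalated to critical because the four-hop chain starts at an external address, the second stays expected because no remote session into the workstation precedes it, and the third is critical because the HMI is not an authorized writer. The jump-host RDP on its own only rates "review", which is the DMZ alert Hoffman describes: without the inventory and the hops around it, an analyst has little to go on.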