Operational technology (OT) security is becoming increasingly important – but how do security practitioners bridge the cultural chasm with OT engineers where cyber-security is often seen as just one risk among several?
You’ve heard about the importance of protecting your information technology (IT) systems from attack, but what about your operational technology (OT)? Operational technology is the infrastructure that directly controls our factories, water treatment plants and electrical grids. Securing it is critical to protecting the services that underpin society, but those responsible for it are not the same people who secure enterprise IT. Their focus is different, and so are their priorities.
Acknowledging and navigating these differences is a vital part of protecting your OT alongside your IT. That means rethinking fundamental concepts including risk and technology deployment.
Operational technology security is becoming increasingly important. The SANS ICS/OT Cybersecurity Survey found almost seven in ten respondents consider cyber-security threats against OT as high or critical. This number has been increasing year-on-year.
Two cultural chasms
Cyber-security teams must court specific stakeholders to get support in their quest for OT cyber-security. The first group is OT engineers. These are the people tasked with ensuring that the sensors and physical controllers responsible for operating our oil well drills, manufacturing equipment and water pumps continue to work properly.
IT cyber-security professionals focus on IT security first. They want to protect information from theft, prevent unauthorised access to IT systems and stop phishing attacks on their users. OT engineers are less concerned with these things. Instead, their focus is on controllers and sensors that affect physical processes and systems. As such, they’re preoccupied with operational uptime, physical security and safety.
Cyber-security staff must also build bridges with senior business executives. In many cases, this group is just now getting to grips with cyber-security, driven by imperatives such as regulation, the spectre of personal liability and the realisation that a major cyber-attack is an existential threat for many organisations. Now, they need help understanding the implications of OT security risk too.
Practicality is key
Setting up relationships that allow you to report on OT security risks at board level is paramount. However, opening a channel of communication alone is not enough. Whether you’re helping the board understand the need for OT cyber-security investment or persuading engineers to let you near their programmable logic controllers, you must position cyber-security risk in a broader context.
Cyber-security is important, but as far as OT engineers are concerned it is just one of many risks, several of them sector-specific, such as safety, environmental and performance risk.
Similarly, for senior executives, cyber-threats are part of a far broader set of business risks. These range from financial cost and legal exposure to the revenue impact of an outage of critical business operations.
All conversations with these stakeholder groups should be in their language. Talk to OT engineers about how a digital disturbance could take a PLC offline and what that might mean to the overall control infrastructure. Explain OT risk to senior executives in the context of business/operational resilience, not threats to your firewall, malware strains or threat actor names designed to create fear, uncertainty and doubt. Cyber is just another business risk that should be considered as part of overall risk management discussions.
Show, don’t tell
In my experience as CISO at BP, I found that the best tools for communicating cyber-security risks to stakeholders in engineering and the C-suite were demonstrative. Red teaming, for example – using offensive security exercises to identify paths to disrupt OT systems – can bring home the importance of securing industrial infrastructure.
The C-suite doesn’t need to see things at that technical level, but business-focused demonstrations can win you valuable traction. Conduct a simulation that demonstrates how a compromise of key OT infrastructure could affect the organisation’s most important business outcomes. Then explain how likely such a compromise currently is, using the quantitative risk data at your disposal, and how you could drive it down with the right controls.
When you can’t patch or replace, mitigate
Simulations like these can help make the case for the mitigating controls that organisations need to protect their OT systems. These controls are important for layering in security protections for infrastructure that might be decades old. Cyber-security controls in OT differ from those used in the enterprise IT infrastructure.
For instance, deploying security patches is challenging in OT environments. Many OT vendors do not support deploying the latest security patches until they have been approved, which can take many weeks. Equally, the continuous running of the environment means the only downtime to perform patches is during maintenance windows, which could be months or even years away.
Therefore, one must consider mitigating controls – controls that reduce the likelihood of a vulnerability being exploited. This includes segmenting networks to reduce an adversary’s ability to move laterally from IT networks into OT. This boundary has traditionally been thought of as an “air gap”, but in reality network connectivity exists, and with the increasing digitalisation of operational processes, more and more data passes between OT and IT for purposes such as optimisation to improve performance or reduce cost. It is therefore critical to have defence in depth, including continuous monitoring for anomalous behaviour.
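As an added illustration of the monitoring point above (example code, not from the article or from Semperis), the following script checks flow records at the IT/OT boundary against an allowlist of agreed conduits and flags anything else, ranking direct IT-to-OT traffic highest. The zone ranges, conduit ports and sample flow lines are all constructed assumptions.

```python
# Added example (not from the article): flag traffic crossing the IT/OT boundary that
# is not on a pre-agreed conduit allowlist. Zones, conduits and flows are constructed.
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical zones: enterprise IT, an industrial DMZ and the OT control network.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "it": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.50.0.0/24"),
    "ot": ipaddress.ip_network("192.168.100.0/24"),
}
# Allowed conduits as (source zone, destination zone, destination port). Policy here:
# IT reaches only the DMZ historian replica over HTTPS; only the DMZ historian may
# poll the OT historian over OPC UA (4840).
CONDUITS = {("it", "dmz", 443), ("dmz", "ot", 4840)}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flow(line: str) -> Tuple[str, str]:
    """Parse 'src dst dport proto' and classify. Returns (verdict, detail)."""
    src, dst, port, proto = line.split()
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return ("intra-zone", f"{src}->{dst}:{port}/{proto}")
    if (s, d, int(port)) in CONDUITS:
        return ("allowed", f"{s}->{d}:{port}")
    # Any other boundary crossing needs a look; direct IT->OT is the lateral-movement
    # path the article warns about, so rank it highest.
    sev = "high" if (s == "it" and d == "ot") else "medium"
    return ("anomalous", f"{sev}: {src}({s})->{dst}({d}):{port}/{proto}")

def anomalies(lines: List[str]) -> List[str]:
    return [detail for verdict, detail in map(check_flow, lines) if verdict == "anomalous"]

# Constructed sample flow records: "src dst dport proto".
SAMPLE_FLOWS = [
    "10.1.4.20 10.50.0.10 443 tcp",         # IT -> DMZ historian replica: allowed
    "10.50.0.10 192.168.100.5 4840 tcp",    # DMZ -> OT historian: allowed
    "10.1.4.20 192.168.100.7 502 tcp",      # IT workstation -> PLC (Modbus): high
    "192.168.100.5 192.168.100.7 502 tcp",  # intra-OT polling: no boundary crossed
    "10.50.0.10 192.168.100.5 3389 tcp",    # DMZ -> OT RDP: not an agreed conduit
]

if __name__ == "__main__":
    print("\n".join(anomalies(SAMPLE_FLOWS)))
```

In practice the allowlist would be derived from the conduits agreed with the OT engineers, which is itself a useful exercise for the two teams.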
Managing identity and access is a critical control. The SANS survey showed that compromised IT systems are the biggest attack vector in OT incidents, along with compromised engineering workstations. Secure user and equipment identities are essential for enforcing strict access policies for people and equipment alike across IT and OT environments.
Identity information is valuable to attackers, who use it to access OT systems either directly or through connected IT infrastructure. Security teams must protect the underlying identity storage and management systems from compromise. For most companies, the identity system of choice is Active Directory. Organisations must protect their AD implementation from attack, both on-premises and in the cloud, especially given the increasing connection of OT systems to cloud infrastructure.
Time for a centre of excellence
One measure that will help to bridge the divide is a cross-disciplinary centre of excellence for OT security. This brings OT engineering and cyber teams together to deliver an achievable, pragmatic programme of security improvements that reduce cyber-risk while keeping operations running.
This centre can be internally focused at the beginning, but there is plenty of opportunity for extending it to external stakeholders, including regulators and peers in your sector. Sharing information and best practices in OT security is a powerful step in getting ahead of attackers, and industry-specific ventures such as information sharing and analysis centres (ISACs) are an excellent place to begin.
Put identity at the centre of your security strategy
Companies using OT to run their businesses must pay attention to security now, because the stakes are rising. While attacks on OT systems are still relatively rare, they do happen. For example, Triton, first identified in 2017 as malware that disrupts safety shutdown procedures in energy plants, is still a threat, according to the FBI. The UK also worries about attacks on OT and has alerted organisations of threats to infrastructure from state actors.
The identity management system is at the very heart of operational resilience. Put simply, for most organisations, if your identity system is unavailable, you will not be able to continue to operate and deliver business outcomes to your customers. To be operationally resilient, one must be able to withstand, or recover quickly from, an adverse event such as a ransomware attack.
Act now to fend off attacks that promise to grow in importance and reach over time. Getting it right could be the difference between keeping the lights on and stumbling in the dark.
To find out more about protecting your OT systems from an identity-based cyber-attack, visit www.semperis.com/blog/active-directory-security/what-is-active-directory-security/
By Simon Hodgkinson, Strategic Advisor, Semperis
Simon Hodgkinson, former Chief Information Security Officer (CISO) at BP, is a strategic advisor at Semperis, where he works closely with the executive team and CISO community throughout North America and Europe to support the company’s breach preparedness and response services. At BP he was responsible for cyber-security including strategy, governance, architecture, education, counter-threat operations and incident response. Prior to becoming CISO, he was VP, Infrastructure and Integration Services. During this time he drove a significant improvement in IT operational integrity, led a transformation programme to move BP to the cloud, and spearheaded the commitment to improve employees’ IT experience.
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543