As the disciplines of IT and Operational Technology (OT) continue to converge, organizations find themselves challenged to provide threat protection, risk management and asset monitoring. It all starts with a strong asset discovery and detection plan.
For years now, CISOs have tried to come to grips with the convergence of two equal but distinct parts of the business — IT and Operational Technology (OT) — and what it means for the overall cybersecurity posture of industrial enterprises.
The first question is: Where to start?
How best to address this question was the central premise of the Tenable webinar, Practical Industrial Control System Cybersecurity: IT and OT Have Converged, Discover and Defend Your Assets. Hosted by SANS, the webinar featured: Doug Wylie, Director, Industrials & Infrastructure Business Portfolio, SANS Institute; Dean Parsons, Information Security Officer, Nalcor Energy; and Ted Gary, Senior Product Marketing Manager with Tenable. The three discussed how the disciplines of IT and OT have changed over the years and explored what is needed to reconcile the two in order to improve threat protection, risk management and asset monitoring.
For decades, OT systems remained outside the control of IT, effectively "air-gapped" from interacting with systems connected to public internet services. By mid-2005, much of that changed as Ethernet became the standard network gear connecting all manner of endpoints, including those within industrial systems.
By late 2010, IT and OT systems had started to converge as businesses began to see the early benefits of digital transformation. Converged IT and OT systems can ease the sharing of information and provide granular data from industrial machinery to help organizations uncover new operational efficiencies.
So, what’s the downside? Connected IT and OT systems expand the attack surface, and businesses need to rethink their risk assessment practices within this converged world.
Securing converged IT and OT systems is easier said than done. In an ideal world, an organization would build its converged IT and OT network architecture from the ground up, using a reference architecture suggested by the US Department of Homeland Security or another entity. This would take into account the need for features such as a "DMZ" between the IT and OT systems to ensure greater cybersecurity.
"This is certainly the ideal situation, and if we were going to build an Industrial Control System cookie factory today, this is where we would start,” Parsons said.
In reality, most businesses are faced with trying to secure OT systems which were designed as closed networks years ago and retrofitted repeatedly over the years to meet business needs.
So, how can a security team even find all the OT assets running on the network?
Wylie and Parsons draw their inspiration from the Center for Internet Security (CIS) and its security control list for Industrial Control Systems (ICS). Specifically, the first three controls, which include inventory and control of hardware assets, inventory and control of software assets and continuous vulnerability management.
From there, security teams can use four different methods to discover assets:
- Physical inventory
- Passive monitoring and discovery
- Active scanning
- Additive sources
While each of these methods alone can't discover all the assets on the network, when taken together, these four tactics can produce a holistic picture of the converged system, while creating a comprehensive inventory. The key is knowing which method to use for which assets to avoid any unintended downtime. For example, physical inventory and passive monitoring and discovery pose less risk of downtime for OT systems than active scanning, which is best reserved for non-operational systems.
Once all the assets are discovered, the question becomes how to assess the risk and determine which vulnerabilities are worth patching first.
In most cases, risk assessment is based on the CVSS score assigned to a given vulnerability. However, Wylie suggested security professionals would do well to consider all the various elements used to arrive at a final CVSS number; you might find some of the elements used to calculate the score are less relevant to your particular business, which can help as you look to prioritize your remediation plans.
Additional monitoring and controls can also allow for smarter patching. Parsons cited as an example a situation that might happen at a large industrial energy facility: "An energy organization in the middle of winter finds a vulnerability in software that they are using, and this vulnerability could be exploited by attackers that [are] publicly known at this point. Do they patch? In the middle of winter in an area that is north like Canada, we have a lot of storms and cold weather. It's not an ideal time to change the process, to increase the risk of the system going down because of the patch. Yet, the vulnerability remains, so how do you work around that? [P]atching smartly in this context is really about understanding what is there and how you do controls between now and the middle of winter and perhaps in spring … to keep the actual ICS process up, and patch smartly when you can so you won't disrupt the system. The idea here is to maintain the safety and the ability of operations and that's the utmost."
Risk Management as Part of The Maintenance Lifecycle
How can organizations assess risk when trying to maintain converged IT and OT systems? As Tenable's Gary noted, the risks companies face change over time as new vulnerabilities are discovered and the threat landscape evolves.
Gary said, "When you make changes to devices on your network, you can introduce new risks that need to be mitigated. But I think a key point is, even if you don't change anything, the environment from a risk point-of-view can change. There can be new vulnerabilities that are discovered that weren't there a month ago or a week ago. There could be ones very important to you … there can be new exploits to them, so the threat landscape can change as well."
For these reasons, Gary recommended making risk management part of the maintenance lifecycle of your OT equipment.
- Watch the on-demand webinar: Practical Industrial Control System Cybersecurity: IT and OT Have Converged, Discover and Defend Your Assets
- Read the blog: IT/OT Cybersecurity Convergence: Start Strong with These Six Controls
- Download the whitepaper: Practical Industrial Control System Cybersecurity: IT and OT Have Converged – Discover and Defend Your Assets