The 2018 Verizon Data Breach Investigations Report (DBIR) reported and analyzed 649 breaches in utilities, transportation, healthcare, and other verticals that employ operational technology (OT) systems in addition to traditional IT for their main operations. In total, that represents 29.2% of reported breaches (not incidents) in industries considered part of infrastructure verticals—and that doesn’t even include financial services. So what exactly does that mean?
Even if an incident hasn’t happened in your infrastructure environment, that doesn’t mean it won’t, or that you can postpone or underfund cyber security efforts in your organization. Many commentators believe we are facing a Cyber Pearl Harbor. I don’t agree, but I do believe we should put more conscious effort into securing these OT systems, not only from a security perspective but also from a quality, safety, and reliability perspective.
The OT industries listed above face a set of problems similar to those of traditional IT systems, though the overall application of security programs and technologies is quite different because of the characteristics of each vertical. Regardless of your vertical, here are some questions you should ask, and a few activities you can perform, to make sure you’re managing your OT security risk appropriately.
Have you inventoried your systems and assessed your security posture for each of your environments? You’re at a serious disadvantage if you haven’t. It’s nearly impossible to secure an environment if you don’t know what’s in it, how everything is connected, what data it uses or generates, and how it affects your bottom line.
What to do: If you have a large installed base or many infrastructure environments, pick a representative sample (a single environment), conduct your security activities there, and apply the lessons learned to other facilities. This effort will generate follow-on activities that you can customize to your organization. Once the representative environment is done, cascade what you’ve learned to the rest of your environments.
Have you implemented technical solutions and organizational practices for patching the bulk of your OT infrastructure? Having these practices and solutions in place is especially important if your applications sit on a commercial OS (as most do). The average number of remote code execution vulnerabilities I see on host operating systems alone in OT environments is around 55! Though maintaining a strong patch management strategy is quite a daunting undertaking, it is by and large one of the most impactful activities you can perform.
What to do: Start by interacting with your system vendors. If your vendor representative isn’t familiar with that vendor’s patching solutions, press deeper into the organization. Most major automation manufacturers are working toward solution sets compliant with standards such as IEC 62443, and customer pressure can convince niche vendors to address this problem as well.
How much control do your vendors have in your OT environments? In many OT environments, vendors retain some control over the technical implementation of the solutions they provide. They do this through support contracts and changes that must be validated and certified to ensure the safe operation of a given system.
What to do: Include security requirements for both the procurement of new systems and ongoing maintenance efforts in your vendor management program. Industry standards such as IEC 62443 offer guidance in this effort.
IT security personnel are increasingly becoming involved in OT security efforts at both the leadership and execution levels. But the differences in priorities and technology understanding can lead to organizational stalemates and differing opinions on how to address security in operational environments.
What to do: Work to bring your IT and OT security personnel together with a common goal. Foster a culture of cooperation between the two groups to address cyber threats. To develop a common understanding of objectives and of solutions that work for your organization, provide security training for both IT and OT security personnel.
In your OT system, do you have segmentation between systems that should not be able to interact? Or is your OT system deployed in a flat network topology? If the latter is true, it’s probably a result of both a misunderstanding of which systems need to communicate with one another and the simplicity of deploying systems from multiple vendors or integrators over time.
What to do: The first step is to assess your network topology and dataflows. Then develop network segmentation, following the zones and conduits concept described in standards such as IEC 62443, to limit the damage potential of breaches or of issues such as anomalous network traffic. Only required traffic should pass between systems, and your system should enforce restrictions on the communication paths between zones.
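As an added illustration (not code from the article), the following Python script encodes an assumed zones-and-conduits policy and audits constructed flow records against it, flagging cross-zone traffic that no conduit permits and traffic from assets outside the inventory. The zone CIDRs, conduit entries and sample flow lines are all constructed for this example.

```python
import ipaddress
from collections import namedtuple

# Zones of a constructed sample plant network (assumed for this example).
ZONES = {
    "enterprise":  ipaddress.ip_network("10.0.0.0/16"),
    "dmz":         ipaddress.ip_network("10.1.0.0/24"),
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),  # HMIs, historian
    "control":     ipaddress.ip_network("192.168.20.0/24"),  # PLCs
}

# Conduits: the only flows permitted to cross a zone boundary,
# as (src_zone, dst_zone, proto, dst_port). Everything else is denied.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),       # reporting web server in the DMZ
    ("dmz", "supervisory", "tcp", 1433),     # historian replication
    ("supervisory", "control", "tcp", 502),  # HMI polls PLCs over Modbus/TCP
}

Flow = namedtuple("Flow", "src dst proto dport")

def zone_of(ip):
    """Map an address to its zone name, or None if it is not in the inventory."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def classify(flow):
    """Return 'intra', 'allowed', 'unknown_asset' or 'violation' for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown_asset"   # an inventory gap, not just a firewall gap
    if src_zone == dst_zone:
        return "intra"           # traffic inside one zone is out of scope here
    if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS:
        return "allowed"
    return "violation"           # crosses a boundary without a conduit

def parse_flow(line):
    """Constructed flow-log format: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def audit(lines):
    """Return the subset of flow lines that need attention, with their verdict."""
    results = [(line, classify(parse_flow(line))) for line in lines]
    return [(l, v) for l, v in results if v in ("violation", "unknown_asset")]

# Constructed sample flows: one allowed conduit, one intra-zone, and three findings.
SAMPLE_FLOWS = [
    "192.168.10.5 192.168.20.7 tcp 502",   # HMI -> PLC Modbus: allowed
    "192.168.20.7 192.168.20.8 tcp 502",   # PLC -> PLC: intra-zone
    "10.0.3.9 192.168.20.7 tcp 502",       # enterprise host -> PLC: violation
    "10.0.3.9 192.168.10.5 tcp 3389",      # enterprise -> HMI RDP: violation
    "172.16.0.2 192.168.20.7 tcp 502",     # unknown source -> PLC: unknown asset
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:14s} {line}")
```

Running the script against real flow exports (NetFlow, span-port captures, firewall logs) turns the "assess your dataflows" step into a repeatable check rather than a one-time exercise.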
These points outline the key efforts that you should undertake to mitigate cyber risks in infrastructure environments. In short, you need to
It’s critical that you stay the course on the overall objective, because many factors can influence these programs. Always remember that your purpose is to improve the overall resiliency and safety of your infrastructure systems.