An online poll conducted by NTT Security claims that risks to Operational Technology (OT) are increased due to a lack of skills and visibility. Exacerbating the problem is confusion inside the enterprise as to who is responsible for security of OT. The result is that many organisations are failing to secure critical OT systems, increasing the risk of a serious cyber attack.
According to Tim Ennis, Senior Operational Technology Consultant, Cyber Security Consulting at NTT Security: “It’s clear that arrangements for securing OT are a huge challenge for organisations, especially when it comes to identifying exactly what those risks are and the potential impact they may have on the business. With greater connectivity and convergence with IT comes greater risks and these have to be managed accordingly.
“Having the right skills in place is fundamental, as are clear lines of responsibility within the business. There is no one-size-fits-all solution for OT security. It might be right that the CISO has responsibility, but equally it could be that the engineering director is best placed to do this. What is important is getting the right organisational structure in place that can empower and support the OT team to improve security, and to enable the business to achieve its objectives.”
Why are IT and IT Security ignoring OT?
OT system design and deployment has historically been led by engineering teams. The focus of these teams has been on management of systems and equipment, not IT. When deciding on OT, the questions were operational: can I control the pumps, waste water, generators, manufacturing equipment, etc.?
In addition, access has been freely given to engineers of the organisations installing or maintaining the systems. Today, the embedding of sensors means that external suppliers have greater insight into complex manufacturing and engineering systems than IT.
Many of these systems live in their own networks and were not connected to the main IT systems. As such, network access control, updates and IT security have not been part of the planning.
Before IT and IT Security teams can begin to engage with OT systems they need to find them. The reality is that few organisations have any realistic, let alone complete, map of all the OT technology in the business. Without that visibility it is hard to secure these systems and defend them against attacks, especially in critical national infrastructure (CNI). In the NTT Security survey, 29% of respondents admit to the lack of visibility. Based on other studies, this is an understatement.
Who owns OT?
The disconnect between IT and OT teams directly affects who is responsible for any OT-related issues. From a day-to-day management perspective, IT is happy to leave it to the engineers. But should they?
The NTT Security survey showed that 25% of respondents are worried about the disconnect between IT and OT teams. When it comes to direct responsibility, 42% say it is down to the Engineering Director while 38% believe it is the CTO who should take ownership. Interestingly, despite the potential serious nature of the problem, only 20% believe the CISO should have any responsibility.
The latter shows the problem of securing OT across complex enterprises. The CISO is responsible for setting security standards and policy. If the CISO office has little to no responsibility for OT then who does set security controls for manufacturing or industrial equipment?
Four ways to manage OT risk
Both manufacturing and CNI are under constant threat of cyber attack. This means there is a need for better controls over OT and that, for many organisations, means an overhaul of controls and processes.
In the press release, NTT Security listed four approaches to managing OT risks. They are:
- Establish a programme of work for securing operational technology (OT), including:
  - Forming a multi-discipline team
  - Reviewing roles and responsibilities, ensuring people are suitably trained and briefed
  - Establishing security context, ensuring that security enables the business to achieve its objectives
- Assess the risks associated with OT:
  - Identify OT assets, increasing visibility into OT networks
  - Identify a baseline and target risk profile
  - Assess risks
  - Identify prioritised tasks required to reach target profile
- Implementation of risk reduction measures:
  - Review architecture
  - Identify security concept for OT environment
  - Establish network baseline, i.e. “normal behavior”
  - Implement security controls and review effectiveness against risks
- Improve security operations:
  - Regular review of risks and opportunities
  - Review and respond to detected anomalies
  - Practice incident response plans
Enterprise Times: What does this mean
Last year, Enterprise Times spoke to Christian Koch, Senior Manager GRC & IoT/OT at NTT Security GmbH, about the issue of IoT and OT security. Koch told us that: “OT is more focused on availability than security.” He went on to say that: “In a SCADA environment you need to know what is in the environment and what is normal behaviour.” When it came to CNI, Koch said: “Critical Network Infrastructure is typically a decentralised network which is hard to protect.”
A year on and this latest NTT Security survey shows that little has changed except the threat level. That keeps on rising, while understanding of OT, its risks and making it safer seems to be going nowhere.
Organisations need to significantly overhaul their OT environments to make them more secure. If they don’t then they risk a significant cyber breach. For manufacturers that breach could be business threatening. For those operating CNI this could have far more serious consequences.