Operational Technology (OT) includes all the systems and equipment involved in running manufacturing and critical infrastructure processes. Common OT applications include Industrial Control Systems (ICS) in utility providers and critical national infrastructure operators. It also includes Supervisory Control and Data Acquisition (SCADA) for manufacturers and Distributed Control Systems (DCS) for industrial processes. Our daily lives rely on these systems being operational and secure.
These applications provide essential data for decision making, whether for manufacturing products or for power generation. However, the rush to connect up more of these systems runs into a significant problem: security.
Traditionally, OT networks were secured using internal firewalls and demilitarised zones between OT and the rest of the enterprise. In the Purdue Enterprise Reference Model, ICS systems run at levels 1 and 2, while enterprise applications run separately at level 5. Each of these levels would have firewalls and systems between them to prevent unauthorised access. Particularly sensitive systems would be air-gapped and run on completely separate networks.
Understand your gaps
Getting data from OT systems might be essential to the business, but it can open up security risks if it is rushed. At the same time, many teams have not looked at their OT networks with the same rigour as they had to for other areas, like enterprise IT.
For example, Dragos estimates that 80 percent of companies have little to no insight into their OT networks. For IT security professionals, this represents another area where attacks can come in, alongside the cloud services and containerised applications, endpoints and mobile devices they are already responsible for.
OT and IT teams will have to collaborate around their goals and bring security processes up to speed. The starting point is knowing what you have and what gaps in security might exist. With OT networks getting connected, IT security teams will have to learn more about what is implemented and how it operates.
At the same time, OT teams will have to get up to speed on modern best practices for IT security. For both sides, knowing what is in place and what assets are installed will be essential. This is a basic requirement for all effective security planning. You can’t secure what you don’t know about.
From this, you can establish where you have potential security risks and what your main priorities are for the short and medium term. For example, are all your OT assets patched and updated? Or was this ignored because the systems were not connected to the Internet or other networks?
This can flag other areas where you may have problems too. For instance, your OT systems may include software or hardware that is at end-of-life status but can't be replaced. One example would be an application that relies on an out-of-date operating system, where replacing it would be prohibitively expensive.
For OT and IT teams, your security audit should flag these systems and help you to update your risk strategy. It may find significant gaps in your security, so you will need to create mitigation plans for them.
Building support around managing risk
You then have to keep all these systems up to date. Patching is a necessary step for all technology systems. This is particularly relevant as the number of software issues on OT and ICS components continues to grow. CISA has reported 97 security advisories for ICS systems in the first quarter of 2023. Some rank as extremely critical because they are simple to exploit and can be accessed remotely. These kinds of problems have to be fixed immediately.
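The triage the article describes (know your assets, flag end-of-life systems that cannot be patched, and fix remotely exploitable, simple-to-exploit advisories first) can be expressed as a small scoring routine. This is an added illustration, not Qualys's code or a CISA scoring scheme; the assets, products and advisory IDs are constructed placeholders, and the weights are assumptions you would tune to your own risk appetite.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    purdue_level: int       # 1-2 = control layer, 3+ = closer to enterprise IT
    product: str            # software/firmware identifier from the inventory
    end_of_life: bool       # no vendor patch available and cannot be replaced
    reachable_from_it: bool # connected beyond the OT zone (no air gap)

@dataclass
class Advisory:
    advisory_id: str        # placeholder ID, not a real CISA advisory
    product: str
    remote: bool            # exploitable over the network (CVSS AV:N)
    low_complexity: bool    # simple to exploit (CVSS AC:L)

def triage(assets, advisories):
    """Match advisories to inventoried assets and return
    (asset, advisory, action, score) sorted by descending score."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue  # advisory does not apply to this asset
            score = 1                             # assumed weights below
            if adv.remote:              score += 3
            if adv.low_complexity:      score += 2
            if asset.reachable_from_it: score += 2
            if asset.purdue_level <= 2: score += 1  # process impact is direct
            if asset.end_of_life:
                # Patching is impossible: the gap needs a mitigation plan instead.
                action = "compensating control: isolate or segment, no patch available"
            elif score >= 6:
                action = "patch immediately (schedule outage with the business)"
            else:
                action = "patch in next maintenance window"
            findings.append((asset.name, adv.advisory_id, action, score))
    return sorted(findings, key=lambda f: f[3], reverse=True)

# Constructed sample inventory and advisories (not real products or IDs).
ASSETS = [
    Asset("plc-line-1", 1, "plc-fw", end_of_life=False, reachable_from_it=True),
    Asset("hmi-legacy", 2, "legacy-hmi-os", end_of_life=True, reachable_from_it=True),
    Asset("historian", 3, "historian-db", end_of_life=False, reachable_from_it=False),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "plc-fw", remote=True, low_complexity=True),
    Advisory("ADV-EXAMPLE-2", "legacy-hmi-os", remote=True, low_complexity=True),
    Advisory("ADV-EXAMPLE-3", "historian-db", remote=False, low_complexity=True),
]
```

Running `triage(ASSETS, ADVISORIES)` puts the two remotely exploitable, IT-reachable control-layer findings first, with the end-of-life HMI routed to a mitigation plan rather than a patch.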
However, you may get some pushback from the business. Taking systems down for updates will affect productivity and – potentially – profitability. It is a necessary process nonetheless. To get past this, you will have to build support across the business around understanding and managing risk.
Many boards now recognise the importance of security. They have seen enough reporting on data breaches, ransomware and company fines that they take security extremely seriously. However, most boards don't want to look at IT and OT security in granular detail, but in context. The question these teams will ask is, "Should I stop my production lines, which will definitely affect service and lead to lost production, or fix the problem?"
The challenge here is to avoid this becoming a 'zero-sum' game between security and productivity. Instead, look at how you can express the degree of risk for the business as a whole. Would they rather be in charge of a process they control, or face uncontrolled risk from an attacker accessing their systems?
Plan ahead with the business
By thinking in terms of risk, you can help your management team to understand the potential threat and the consequences of taking the wrong approach. It can also make the business aware of exactly what its responsibilities are under any regulations that apply.
As businesses connect up more of their OT assets and processes, IT security teams will have to catch up with an area of technology that may be very different from what they are used to. Conversely, OT teams will have to get used to the pace of change driven by new advances in cloud and data technologies. Both sides will have to work together to get their best practices in place, so that the business as a whole can benefit. By building more understanding of risk across the business, you can also get the support you need to ensure that security is managed effectively.
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions with over 19,000 active customers in more than 130 countries, including a majority of each of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and consolidate their security and compliance solutions in a single platform and build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings.
The Qualys Cloud Platform and its integrated Cloud Apps deliver businesses critical security intelligence continuously, enabling them to automate the full spectrum of auditing, compliance, and protection for IT systems and web applications across on premises, endpoints, cloud, containers, and mobile environments. Founded in 1999 as one of the first SaaS security companies, Qualys has established strategic partnerships with leading cloud providers like Amazon Web Services, Microsoft Azure and the Google Cloud Platform, and managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, DXC Technology, Fujitsu, HCL Technologies, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance. For more information, please visit www.qualys.com.