Operational Technology (OT) systems encompass Industrial Control Systems (ICS), Critical Infrastructure Systems (CIS), and the Industrial Internet of Things (IIoT). OT environments face threats similar to those faced by traditional enterprise IT systems, as well as threats unique to each type of system and its implementation.
ICS environments are those found in manufacturing facilities and warehouses, and may involve dedicated Human-Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), sensors, valves, actuators, etc. Critical Infrastructure includes regional and municipal power plants and distribution grids, water treatment plants, traffic and navigation systems, etc. IIoT devices include various sensor types, cameras, and other IP-enabled devices. Though the settings in which these systems operate and the equipment types comprising OT environments are diverse, the consequences of cyber-attacks against them can often be more severe than those of attacks against isolated corporate targets.
Ransomware attacks against manufacturing plants have set back production not only in their facilities but throughout other members of their supply chains. Ransomware incidents have halted overland and overseas shipments for weeks while IT teams scramble to eliminate the malware and restore from backups so that businesses can get back up and running. Cyber-attacks against power generation facilities have turned out the lights temporarily in some cases. Ransomware attacks on hospitals and other medical facilities threaten not only patient data but lives. Even compromises of enterprise IT systems at companies running OT can have severe impacts for those companies and national economies.
It is clear that the risks of OT compromise extend far beyond the organizations that are initially impacted. KuppingerCole recently published a Market Compass on Industrial Controls Security. We identify several key components for securing these environments:
Asset discovery – you can’t protect it if you don’t know it’s there. Asset discovery can involve active and passive methods. ICS security solutions need knowledge of a wide range of device types, identifiers, addressing schemes, and communications protocols.
IAM – Some ICS systems leverage LDAP or Microsoft Active Directory for user, group, permissions, and administrative management. Others have rudimentary or proprietary IAM and need integration work to properly lock down access.
Event monitoring – SIEM systems have been the foundation for enterprise IT event logging and correlation. The same principle, and often the same solutions, work in the OT world as well. Ensuring that security analysts have maximum visibility of security information in OT and ICS is crucial.
Facilities management – Physical Access Control Systems (PACS) aligned with enterprise IAM can make it easier to control access by employees and contractors to sensitive equipment and remote facilities.
Threat detection – Network Detection & Response (NDR) tools can identify malicious activities at the network layer that may otherwise go undetected in ICS and OT environments. Not all assets in OT can run endpoint security agents, so NDR may be the only solution set for uncovering malicious activities. Distributed Deception Platform (DDP) tools can emulate specific types of ICS gear with the intent of luring would-be attackers away from real assets and studying their TTPs. Both NDR and DDP tools require device- and protocol-level understanding of ICS equipment to be effective. NDR and DDP are increasingly being packaged in eXtended Detection & Response (XDR) solutions.
Disaster recovery – comprehensive backup and restore functions and processes must be in place to get back up and running more quickly after cyberattacks. Backups need to be performed regularly, and though testing restores from backup isn’t fun, it’s something that needs to be done as well.
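As an added example (not code from the KuppingerCole Market Compass or from any vendor product), the following Python illustrates two of the items above together: passive asset discovery, which builds an inventory purely from observed traffic, and NDR-style threat detection, which flags state-changing Modbus writes from hosts that are not approved HMIs or engineering workstations and sources that were absent from a learned baseline. The record format, the port-to-protocol mapping, the IP addresses and the allow-list are all assumptions constructed for the example.

```python
"""Passive OT asset discovery and NDR-style detection over constructed flow records.

The records are constructed, Zeek-like connection summaries ("src dst dport [modbus_func]");
they are not real captures. Port-to-protocol mapping assumes standard ICS ports.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumption: ICS protocols run on their well-known TCP ports in this plant network.
ICS_PORTS = {502: "modbus-tcp", 102: "s7comm", 44818: "ethernet-ip", 20000: "dnp3"}

# Modbus function codes that change controller state (coil/register writes).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 23}

# Constructed sample records: HMI 10.0.1.10 and engineering workstation 10.0.1.11 are
# legitimate; 10.0.1.50 is an unknown host that issues a coil write.
SAMPLE_RECORDS = [
    "10.0.1.10 10.0.2.21 502 3",    # HMI reads holding registers from a PLC
    "10.0.1.10 10.0.2.21 502 16",   # HMI writes multiple registers (expected)
    "10.0.1.11 10.0.2.22 102",      # engineering workstation talks S7comm to a PLC
    "10.0.1.50 10.0.2.21 502 5",    # unknown host writes a single coil (should alert)
    "10.0.1.12 10.0.2.23 44818",    # SCADA poller to an EtherNet/IP drive
    "10.0.1.50 10.0.9.9 443",       # HTTPS, not an ICS protocol: ignored by fingerprinting
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    func: Optional[int] = None  # Modbus function code when the payload was parsed


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport [func]' record; reject anything else rather than guess."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"malformed record: {line!r}")
    func = int(parts[3]) if len(parts) == 4 else None
    return Flow(parts[0], parts[1], int(parts[2]), func)


def discover_assets(flows: Iterable[Flow]) -> Dict[str, Dict[str, List[str]]]:
    """Passive inventory: every host seen in ICS traffic, with protocols it serves or speaks."""
    inventory: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: {"serves": set(), "speaks": set()})
    for f in flows:
        proto = ICS_PORTS.get(f.dport)
        if proto is None:
            continue  # no ICS fingerprint for this port; the host is not inventoried here
        inventory[f.dst]["serves"].add(proto)   # destination of an ICS port is a controller/server
        inventory[f.src]["speaks"].add(proto)   # source is a client such as an HMI or poller
    return {ip: {k: sorted(v) for k, v in roles.items()} for ip, roles in inventory.items()}


def detect_unauthorized_writes(flows: Iterable[Flow], authorized_writers: Set[str]) -> List[str]:
    """Flag Modbus state-changing writes from hosts outside the approved writer allow-list."""
    alerts = []
    for f in flows:
        if ICS_PORTS.get(f.dport) != "modbus-tcp" or f.func not in MODBUS_WRITE_FUNCS:
            continue
        if f.src not in authorized_writers:
            alerts.append(f"unauthorized modbus write fc={f.func} {f.src} -> {f.dst}")
    return alerts


def detect_new_talkers(flows: Iterable[Flow], baseline: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Flag sources speaking an ICS protocol that were not present in the learned baseline."""
    new = {f.src for f in flows if f.dport in ICS_PORTS and f.src not in baseline}
    return sorted(new)


def analyze(records: Iterable[str], authorized_writers: Set[str]) -> Tuple[Dict[str, Dict[str, List[str]]], List[str]]:
    """Convenience wrapper: inventory plus write alerts for a batch of records."""
    flows = [parse_flow(r) for r in records]
    return discover_assets(flows), detect_unauthorized_writes(flows, authorized_writers)


if __name__ == "__main__":
    inventory, alerts = analyze(SAMPLE_RECORDS, {"10.0.1.10"})
    for ip, roles in sorted(inventory.items()):
        print(ip, roles)
    for a in alerts:
        print("ALERT:", a)
```

The inventory is built only from what the network shows, which is why the HTTPS flow contributes nothing: a host is inventoried when it serves or speaks a fingerprinted ICS protocol, matching the point that discovery tools need protocol knowledge to be useful. The write detector keys on Modbus function codes rather than on byte volume, since a single coil write is a small packet that a volume-based rule would never see; the allow-list of approved writers is what turns protocol visibility into a detection.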
At the KuppingerCole Cybersecurity Leadership Summit, we’ll address topics pertinent to OT security. We’ll have a track on Building Resilience, a session on Zero Trust for OT, security in the energy sector, endpoint security for ransomware prevention and mitigation, securing data in IoT realms, and strategic approaches to securing ICS environments.