Best Cybersecurity Practices for the IT/OT Environment
In the world of IT/OT cybersecurity, there is no silver bullet. What you can do in your organization is to minimize the attack surfaces and threat vectors, and be vigilant and proactive in your defense against adversaries. To that end, we suggest that you implement a multilayered defense-in-depth cybersecurity strategy and stop the cyber threat early in the kill chain across both the IT and OT environments.
What is OT Cybersecurity?
Operational Technology (OT) is the hardware and software used to monitor, detect and control changes to physical devices, processes and events. OT security (OT cybersecurity) is the practice of protecting those industrial systems from cyber attacks while keeping the physical process safe and available.
IT/OT Cybersecurity Guidelines
Below are some basic guidelines to help in your planning. As this digital transformation continues to take shape with the convergence of IT and OT, there are some fundamental security best practices that we recommend for organizations across all industries. The specific network architecture might vary across the different verticals, but the general approach is the same.
- The vision, strategy and execution of the business plan need to include security for IoT devices, reliability and safety. These should be part of the business planning process at all levels of the organization (regardless if you are an IoT solution provider or a customer).
- Security should be “owned” by one person at the executive level who is responsible for both IT and operations. Security policy, governance and end-user education need to extend across the IT and OT environments as systems are interconnected.
- Technologies and threats across the IT and OT environments should be clearly understood. Technologies that work in the IT environment may not necessarily work in the OT environment. Additionally, threats may be different in the IT and OT environments.
- A threat intelligence framework needs to be set up so that the organization can be up to date on the latest information on threats and be prepared to deal with them.
- Baseline security controls should be deployed across all layers of the organization’s environments. (See Figure 2 below for the security reference diagram that provides guidance on where and how to best deploy security controls across both IT and OT.)
- Regular risk assessments across all environments must be performed to identify vulnerabilities and ensure that the appropriate security controls are in place.
- The organization and its customers should consider NIST SP 800-53 for IT, and NIST SP 800-82 and ISA/IEC 62443 for ICS and OT.
- Establish or update the security patch process to better address vulnerabilities. Follow the recommendations laid out in IEC 62443-2-3, which describes requirements for patch management for control systems.
- Develop ICS-specific policies and procedures that are consistent with IT security, physical safety and business continuity.
OT Cybersecurity Best Practices
Some of the OT security best practices for implementing a reliable protection system include:
- Network mapping and connectivity analysis
- Detection of suspicious activities, exposures, and malware attacks
- Implementing a zero-trust framework
- Aligning the right remote access tools
- Controlling identity and access management (IAM)
Network Mapping and Connectivity Analysis
Understanding the physical and digital locations of all devices mapped within a network should be a primary concern of operational technology managers.
For example, if a programmable logic controller (PLC) starts communicating with a different PLC because of a misconfiguration or a compromise, it is crucial for the manager to be able to discover this, and to implement a mitigation as soon as possible. That is only possible if the connections of all assets are accurately mapped, so that there is a known-good picture of who talks to whom to compare against.
Detection of Suspicious Activities, Exposures, and Malware Attacks
Deciding in advance which kinds of activity you will label as "suspicious," including problematic exposures and malware attacks, is important because you do not want your team to be distracted by false positives. At the same time, under-reporting can allow real threats to slip through.
Detecting these kinds of activities and threats is often handled by a security information and event management (SIEM) system, which collects logs and alerts from IT and OT sources and correlates them against detection rules and threat intelligence. Because the analysts and tooling behind a SIEM work with the current threat landscape every day, they are well placed to assess which attacks and activity may impact your operational technology.
You can also identify threats using next-generation firewalls (NGFWs), which inspect the packets entering your network and can drop those associated with a detected threat before they reach your assets. In an OT environment the NGFW belongs at the IT/OT boundary and between OT zones, because OT assets should never be reachable from the internet directly.
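As an added example (not code from the article or from any vendor), the following Python script shows one way to do both the connectivity analysis described under Network Mapping and the "suspicious activity" detection described in this section: it parses a few constructed flow records (timestamp, source, destination, destination port, protocol), builds the map of which asset talks to which, and compares every conversation against an asset inventory and a baseline of expected conversations. The inventory, addresses, roles and baseline are assumptions for illustration; in practice they would come from the asset inventory and from a learning period on a passive network tap. The run flags a PLC talking to another PLC (the case in the Network Mapping section), an IT workstation reaching into the OT zone, an address the inventory does not know, and a known pair talking on an unexpected port.

```python
from collections import defaultdict

# Constructed asset inventory for this example: ip -> (name, role, zone).
# Addresses, names and roles are assumptions, not taken from the article.
INVENTORY = {
    "10.10.1.10": ("hmi-01", "hmi", "ot"),
    "10.10.1.20": ("plc-line1", "plc", "ot"),
    "10.10.1.21": ("plc-line2", "plc", "ot"),
    "10.10.1.30": ("hist-01", "historian", "ot"),
    "10.20.5.5": ("ws-eng-07", "workstation", "it"),
}

# Baseline of expected conversations: (source role, destination role, destination port).
# Normally learned from a passive tap during a quiet period and then reviewed by the OT team.
BASELINE = {
    ("hmi", "plc", 502),        # HMI polling PLCs over Modbus/TCP
    ("historian", "plc", 502),  # historian collecting tag values
}

# Constructed flow records: "<timestamp> <src ip> <dst ip> <dst port> <proto>", one per line.
SAMPLE_FLOWS = """\
2024-03-01T08:00:01 10.10.1.10 10.10.1.20 502 tcp
2024-03-01T08:00:02 10.10.1.30 10.10.1.21 502 tcp
2024-03-01T08:00:05 10.10.1.20 10.10.1.21 502 tcp
2024-03-01T08:00:09 10.20.5.5 10.10.1.20 44818 tcp
2024-03-01T08:00:12 10.10.1.99 10.10.1.20 502 tcp
2024-03-01T08:00:15 10.10.1.10 10.10.1.20 22 tcp
"""


def parse_flows(text):
    """Parse flow records into dicts; malformed lines are skipped rather than crashing the run."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows


def build_map(flows):
    """Connectivity map: source ip -> set of (destination ip, destination port) it has talked to."""
    conv = defaultdict(set)
    for f in flows:
        conv[f["src"]].add((f["dst"], f["port"]))
    return conv


def analyze(flows):
    """Check each flow against the inventory and baseline; return a list of findings."""
    findings = []
    for f in flows:
        src, dst = INVENTORY.get(f["src"]), INVENTORY.get(f["dst"])
        sname = src[0] if src else f["src"]
        dname = dst[0] if dst else f["dst"]
        if src is None or dst is None:
            kind = "unknown-asset"          # an address the inventory does not know about
        elif src[2] == "it" and dst[2] == "ot":
            kind = "it-to-ot"               # crossing the IT/OT boundary from the IT side
        elif src[1] == "plc" and dst[1] == "plc":
            kind = "plc-to-plc"             # controllers talking to each other unexpectedly
        elif (src[1], dst[1], f["port"]) not in BASELINE:
            kind = "off-baseline"           # known pair, but not a conversation we expect
        else:
            continue                        # matches the baseline: normal traffic
        findings.append({"kind": kind, "ts": f["ts"], "src": sname, "dst": dname, "port": f["port"]})
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, peers in sorted(build_map(flows).items()):
        print(f"{src} -> {sorted(peers)}")
    for fnd in analyze(flows):
        print(f"[{fnd['kind']}] {fnd['ts']} {fnd['src']} -> {fnd['dst']}:{fnd['port']}")
```

The order of the checks matters: an unknown address is reported before anything else because no role-based rule can be applied to it, and an IT-to-OT crossing is reported even if the port would otherwise be on the baseline. Findings of this shape are what you would forward to the SIEM, with the baseline itself kept under change control so that a planned new connection is added to it rather than silenced as an alert.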
Implement a Zero-trust Framework
A zero-trust framework is built on the principle of “never trust, always verify.” Within this kind of system, every person, device, application, and network is presumed to be a threat. Therefore, each of these entities has the responsibility of proving its legitimacy before it is allowed to connect.
This often involves multi-factor authentication (MFA) tools, which require more than one kind of identity verification. For example, a team member may be required to present a password (something they know) together with a hardware token or authenticator app (something they have) or a fingerprint scan (something they are). A security question is just another thing the user knows, so it does not add a factor. MFA significantly decreases the likelihood of an attacker penetrating your system with a stolen password alone. In this and other operational technology examples, the focus should be on securing the system while minimizing the amount of extra work required of employees and others. Providing brief training sessions when necessary can streamline the implementation of a zero-trust framework.
Align the Right Remote Access Tools
Ensuring the right people and systems have access to your operational technology is essential, especially because they may be pivotal to the flow of business. An OT system is often different from an IT system because it usually does not have a full selection of tools that can be granularly configured to enable remote access. To account for this difference, administrators should ensure the following receive attention:
- Managing identities and credentials
- Enforcing password policy and credential hygiene
- Multi-factor authentication
- Making sure the right people have the access they need
- Monitoring and managing the access privileges of current and former employees
Control Identity and Access Management
Controlling who is able to access your system plays a big role in your cybersecurity posture, particularly because allowing the wrong person inside may make it easy for an attacker to penetrate. At times, a well-meaning employee may leave their login credentials exposed or otherwise insecure, enabling a hacker to get inside a critical system. Therefore, you should take into consideration the following:
- Educating employees about how to safeguard their access credentials
- Ensuring that a least-privilege policy is maintained across the organization, which limits access rights only to those who absolutely need them
- Canceling the access privileges of former employees as soon as possible
- Revoking access that was temporarily granted to visitors and other guests
Even though it is possible to revoke access privileges too early, it is typically easier to remedy this than it is to recover from a cyberattack.
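As an added example that is not part of the article, this Python access-review script turns the four points above into checks that can run on a schedule: every enabled account is compared with an HR roster (former employees still enabled, temporary guest grants past their expiry, accounts with no roster entry at all), its privileges are compared with what its role allows (least privilege), and accounts that have not logged in for a set number of days are flagged. The role model, roster and account records are constructed for illustration; a real run would pull them from the identity provider, the HR system and the OT application's user export.

```python
from datetime import date

# Least-privilege model: what each role is allowed to hold (constructed for this example).
ROLE_PRIVILEGES = {
    "operator": {"hmi_view", "hmi_control"},
    "engineer": {"hmi_view", "hmi_control", "plc_program"},
    "contractor": {"hmi_view"},
}

# Constructed HR roster: username -> (status, end date). Guest entries carry the expiry of the
# temporary grant; terminated entries carry the last day of employment.
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", date(2024, 2, 15)),
    "carol": ("active", None),
    "vendor-tmp": ("guest", date(2024, 3, 1)),
}

# Constructed export of the OT application's accounts.
ACCOUNTS = [
    {"user": "alice", "role": "operator", "enabled": True,
     "privileges": {"hmi_view", "hmi_control"}, "last_login": date(2024, 3, 9)},
    {"user": "bob", "role": "engineer", "enabled": True,
     "privileges": {"hmi_view", "hmi_control", "plc_program"}, "last_login": date(2024, 2, 14)},
    {"user": "carol", "role": "operator", "enabled": True,
     "privileges": {"hmi_view", "hmi_control", "plc_program"}, "last_login": date(2023, 11, 1)},
    {"user": "vendor-tmp", "role": "contractor", "enabled": True,
     "privileges": {"hmi_view"}, "last_login": date(2024, 2, 28)},
    {"user": "svc-old", "role": "operator", "enabled": False,
     "privileges": {"hmi_view"}, "last_login": date(2022, 1, 1)},
    {"user": "mike", "role": "operator", "enabled": True,
     "privileges": {"hmi_view"}, "last_login": date(2024, 3, 8)},
]

TODAY = date(2024, 3, 10)   # fixed "today" so the example is reproducible


def review(accounts, roster, today, dormant_days=90):
    """Return a list of findings; each is {"user", "issue", "detail"}."""
    findings = []

    def flag(user, issue, detail=None):
        findings.append({"user": user, "issue": issue, "detail": detail})

    for acct in accounts:
        if not acct["enabled"]:
            continue   # a disabled account cannot be used; nothing left to revoke
        user = acct["user"]
        status, end = roster.get(user, ("unknown", None))
        if status == "unknown":
            flag(user, "not-in-roster")                                # nobody owns this account
        elif status == "terminated":
            flag(user, "former-employee-enabled", end.isoformat())     # revoke immediately
        elif status == "guest" and end is not None and today > end:
            flag(user, "guest-grant-expired", end.isoformat())         # temporary access outlived its purpose
        excess = acct["privileges"] - ROLE_PRIVILEGES.get(acct["role"], set())
        if excess:
            flag(user, "excess-privilege", sorted(excess))             # more than the role needs
        if (today - acct["last_login"]).days > dormant_days:
            flag(user, "dormant", acct["last_login"].isoformat())      # unused access is attack surface
    return findings


def run_review():
    """Run the review over the constructed data with the fixed date."""
    return review(ACCOUNTS, HR_ROSTER, TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user']:<12} {f['issue']:<24} {f['detail'] or ''}")
```

The output is a work list, not an automatic revocation: in OT, disabling an operator account during a shift can itself be a safety problem, so the findings go to the plant and security owners for action, with "former-employee-enabled" and "guest-grant-expired" treated as the urgent ones.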
FAQs about OT Cybersecurity
What is OT in cyber security?
Operational Technology (OT) in cybersecurity refers to the hardware and software systems used to monitor and control physical processes, such as industrial machinery and infrastructure. It focuses on protecting critical assets and ensuring the reliability of industrial operations.
What is the difference between IT and OT cybersecurity?
IT (Information Technology) cybersecurity primarily deals with protecting data and digital information in traditional computing environments. OT (Operational Technology) cybersecurity, on the other hand, focuses on securing physical control systems and processes used in industries like manufacturing, energy, and utilities.
What is an example of OT in cyber security?
An example of OT in cybersecurity is safeguarding a power plant’s control systems. This involves securing the equipment and software responsible for generating, transmitting, and distributing electricity to ensure uninterrupted operations and prevent unauthorized access.
What is cybersecurity in OT networks?
Cybersecurity in OT networks involves implementing measures to protect the systems that control industrial processes. This includes strategies like network segmentation, access controls, regular patching, and intrusion detection to safeguard critical infrastructure from cyber threats.
Richard Ku has more than 23 years of hands-on experience in the hi-tech and security industry in a number of leading roles, both as an individual contributor and in management. He currently serves as Sr. Vice President of Product and Services Management for Trend Micro Enterprise and Small Business Foundation Security Product and Services.
Joe Weiss, PE, CISM, CRISC, ISA Fellow, IEEE Senior Member, MD ISA99, is an industry expert on control systems and electronic security of control systems, with more than 40 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI), where he led a variety of programs including the Nuclear Plant Instrumentation and Diagnostics Program, the Fossil Plant Instrumentation & Controls Program, the Y2K Embedded Systems Program, and cyber security for digital control systems.