OT Cybersecurity Best Practices
Some of the OT security best practices for implementing a reliable protection system include:
- Network mapping and connectivity analysis
- Detection of suspicious activities, exposures, and malware attacks
- Implementing a zero-trust framework
- Aligning the right remote access tools
- Controlling identity and access management (IAM)
Network Mapping and Connectivity Analysis
Understanding the physical and digital locations of all devices mapped within a network should be a primary concern of operational technology managers.
For example, if a programmable logic controller (PLC) is communicating with a different PLC due to an error or a hack, it is crucial for the manager to be able to discover this issue, as well as implement a mitigation strategy as soon as possible. This can only be accomplished if the connections of all assets are accurately mapped.
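The check described above can be sketched in code. This is an added example, not part of the Fortinet article: it compares observed network flows against a connection map and flags anything unmapped, including the PLC-to-PLC case. The asset inventory, addresses, flow records, and function names are all constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")
# Constructed asset inventory (IP -> name, role); all values are illustrative.
ASSETS = {
    "10.10.1.10": ("PLC-1", "plc"),
    "10.10.1.11": ("PLC-2", "plc"),
    "10.10.1.20": ("HMI-1", "hmi"),
    "10.10.1.30": ("HIST-1", "historian"),
}
# Constructed connection map: the only flows the site expects (502 = Modbus/TCP).
BASELINE = {
    Flow("10.10.1.20", "10.10.1.10", 502),
    Flow("10.10.1.20", "10.10.1.11", 502),
    Flow("10.10.1.30", "10.10.1.10", 502),
}
# Constructed flow records, as a passive network monitor might export them.
OBSERVED = [
    Flow("10.10.1.20", "10.10.1.10", 502),
    Flow("10.10.1.10", "10.10.1.11", 502),
    Flow("10.10.1.10", "10.10.1.11", 502),
    Flow("10.10.1.99", "10.10.1.11", 502),
    Flow("10.10.1.30", "10.10.1.11", 502),
]

def unmapped_flows(observed, baseline, assets):
    """Return (kind, flow) for each distinct observed flow missing from the map."""
    findings, seen = [], set()
    for flow in observed:
        if flow in baseline or flow in seen:
            continue
        seen.add(flow)
        src, dst = assets.get(flow.src), assets.get(flow.dst)
        if src is None or dst is None:
            kind = "unknown-asset"        # endpoint absent from the inventory
        elif src[1] == dst[1] == "plc":
            kind = "plc-to-plc"           # the case described in the text
        else:
            kind = "unmapped-connection"  # known assets, unexpected pairing
        findings.append((kind, flow))
    return findings

def silent_links(observed, baseline):
    """Mapped connections that never appeared: the map or the plant has drifted."""
    return sorted(baseline - set(observed))

if __name__ == "__main__":
    for kind, flow in unmapped_flows(OBSERVED, BASELINE, ASSETS):
        print(f"{kind}: {flow.src} -> {flow.dst}:{flow.port}")
    print("silent:", silent_links(OBSERVED, BASELINE))
```

The second function covers the reverse problem: a mapped connection that has gone quiet is also a sign that the map no longer matches the plant.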
Detection of Suspicious Activities, Exposures, and Malware Attacks
Deciding which kinds of activity you will label as “suspicious,” including problematic exposures and malware attacks, is important because you do not want your team to be distracted by false positives. At the same time, underreporting can allow threats to sneak through.
Detecting these kinds of activities and threats is often handled by a security information and event management (SIEM) system. Because the people and technology involved in SIEM systems have a deep familiarity with the threats on the landscape, it is easier for them to assess the kinds of attacks and activity that may impact your operational technology.
You can also identify threats using next-generation firewalls (NGFWs), which can scan data packets streaming into your network from the internet. If a threat is detected, the packet of data associated with it can be discarded, protecting your system and its assets.
Implement a Zero-trust Framework
A zero-trust framework is built on the principle of “never trust, always verify.” Within this kind of system, every person, device, application, and network is presumed to be a threat. Therefore, each of these entities has the responsibility of proving its legitimacy before it is allowed to connect.
This often involves multi-factor authentication (MFA) tools, which require more than one form of identity verification. For example, a team member may be required to present a password, answer a security question, and submit a fingerprint scan. This significantly decreases the likelihood of an attacker finding a way to penetrate your system. In this and other operational technology examples, the focus should be on securing the system while minimizing the amount of extra work required of employees and others. Providing brief training sessions when necessary can streamline the implementation of a zero-trust framework.
Align the Right Remote Access Tools
Ensuring the right people and systems have access to your operational technology is essential, especially because they may be pivotal to the flow of business. An OT system is often different from an IT system because it usually does not have a full selection of tools that can be granularly configured to enable remote access. To account for this difference, administrators should ensure the following receive attention:
- Managing identities and credentials
- Controlling passwords and security
- Multi-factor authentication
- Making sure the right people have the access they need
- Monitoring and managing the access privileges of current and former employees
Control Identity and Access Management
Controlling who is able to access your system plays a big role in your cybersecurity posture, particularly because allowing the wrong person inside may make it easy for an attacker to penetrate it. At times, a well-meaning employee may leave their login credentials exposed or otherwise insecure, enabling a hacker to get inside a critical system. Therefore, you should take into consideration the following:
- Educating employees about how to safeguard their access credentials
- Ensuring that a least-privilege policy is maintained across the organization, which limits access rights only to those who absolutely need them
- Canceling the access privileges of former employees as soon as possible
- Revoking access that was temporarily granted to visitors and other guests
Even though it is possible to revoke access privileges too early, it is typically easier to remedy this than it is to recover from a cyberattack.
This is an excerpt from an article published by Fortinet.