Building Comprehensive OperationalPart II: Building a new schemaTechnology Cybersecurity Programs for Critical Infrastructure Industries: Learnings From an IBM Security Architect

Operational technology (OT) refers to industrial systems and controls that perform physical work. Companies need to be sure that OT cybersecurity measures are structured in such a way as to prevent network breaches and give a planned response in the event of a cyber attack.

In this article, an IBM Security architect Krishna Tata shares his learnings on building comprehensive OT cybersecurity programs for critical infrastructure industries. We discuss the importance of identifying and assessing risks, implementing security controls, and continually monitoring. He also provides examples of how these strategies can be applied in real-world scenarios based on his experience working with clients in the energy, transportation, and manufacturing sectors.

By following the advice in this article, organizations can help ensure that their OT systems are better protected against cyber threats.

What Does It Mean to Be "Comprehensive"?

As industries become increasingly reliant on operational technology (OT) to maintain critical operations, it is essential that comprehensive cybersecurity programs are in place to protect these systems. Unfortunately, many organizations have not yet adopted proper OT security measures, leaving them vulnerable to attack. Therefore, end-to-end OT cybersecurity programs are critical in the same way they are for cloud environments or traditional data centers.

Why Is Operational Technology Cybersecurity Important?

As the world becomes more interconnected, the need for operational technology (OT) cybersecurity increases. OT systems are often responsible for controlling physical processes and assets, making them a prime target for cyberattacks. A successful attack on an OT system could result in serious physical damage or even loss of life. "Imagine a scenario where a group of hackers can get into the network of a remote power plant and exploit vulnerabilities to cause serious outages!" cautions Krishna

That's why it's so important to have a comprehensive cybersecurity program in place for critical infrastructure industries. 

Building a Comprehensive Operational Technology Cybersecurity Program

Operational technology (OT) cybersecurity is a top priority for critical infrastructure industries because of the increased risk of cyberattacks. Here are some learnings from an IBM Security architect on how to build a comprehensive OT cybersecurity program: 

The first step is understanding the operational technology landscape and identifying the key assets and risks. The next step is to develop a security strategy that takes into account the unique aspects of OT systems. Once the strategy is in place, the next step is implementing security controls to protect against known risks.

One of the challenges in implementing OT security controls is that they often conflict with other safety and reliability requirements. For example, some security controls may impact production or affect equipment availability. As a result, it is important to work closely with OT personnel to ensure that security controls are implemented in a way that does not adversely impact operations.

Another challenge is that many OT systems are legacy systems that were not designed with security in mind. As a result, it may be necessary to implement workarounds or compensating controls to mitigate risks.

In summary, building a comprehensive OT cybersecurity program requires careful planning and coordination with OT personnel. It is also important to consider the potential impacts of security controls on operations when making decisions about which controls to implement.

IBM's OTCY Approach

IBM's Operational Technology Cybersecurity (OTCY) Approach is a holistic, cyber-physical security program that helps customers build comprehensive operational technology (OT) cybersecurity programs. The OTCY approach addresses the full spectrum of OT cybersecurity risks and vulnerabilities, from device to data center. It helps customers manage and monitor devices, networks, and data; identify and protect critical assets; and respond to incidents quickly and effectively. The OTCY approach is built on IBM's proven Security Transformation Framework, which has been used by hundreds of organizations worldwide to improve their security posture.

"IBM's approach is very closely aligned to the Purdue model, which is a standard used in industrial automation and building cybersecurity solutions to the OT networks across the world. Alignment to the Purdue model is critical in understanding networks and designing suitable cybersecurity programs," says Krishna

Two Principles for Successful OTCY Programs

Assuming that the reader has some level of familiarity with operational technology (OT) and cybersecurity, these are three high-level principles that are critical for success when implementing an OT cybersecurity program:

1. Understand the OT Environment and Architecture

This is absolutely essential in order to properly assess risks and design controls. One must have a good understanding of the overall architecture, system components, how they interact with each other, what protocols they use and what vulnerabilities exist in them. Additionally, it's important to understand any legacy systems and how they might interface with new OT technologies.

2. Define Clear Roles and Responsibilities for OT Cybersecurity

Just like any other organization, it's imperative that there is a clear understanding of who owns what and who's responsible for particular tasks. Therefore, someone should be assigned as the OT cybersecurity program owner (or champion), given responsibility for defining roles/responsibilities and overseeing the program. Other critical roles include:

• OT cybersecurity teams: These teams should have an intimate knowledge of the OT environment and architecture in order to properly assess risks, develop controls, and support incident response. This can either be a dedicated OT security team or security staff that works within an industrial automation group or control systems group.
• IT security teams: While IT may not have as much overall visibility into OT assets as OT/controls staff or cybersecurity teams (due to segmentation between IT and OT networks), they still need to be involved in policies/procedures, system updates/patches, access controls, etc. It's essential that both IT and OT departments work together so that security improvements wrap around both environments adequately.

Highlighting Best Practices in OT Security 

Operational technology (OT) security is critical for protecting industrial control systems (ICS) and the critical infrastructure industries that rely on them. However, OT security is often overlooked or not given the attention it deserves.

There are a number of best practices that should be followed to ensure OT security. First, ICS should be segregated and segmented from corporate IT networks. This segregation will help to prevent inadvertent or malicious changes to ICS devices and systems.

Second, ICS devices should be inventoried and their configuration management controlled. This will help to ensure that only authorized changes are made to these devices.

Third, ICS networks should be monitored for unusual activity. This monitoring can be accomplished through the use of network intrusion detection and prevention systems (IDS/IPS).

Fourth, physical security controls should be in place to protect access to ICS facilities and equipment. Access should be limited to authorized personnel only.

Finally, OT staff should receive training on security best practices and procedures. They should also be aware of the potential consequences of insecure actions.

By following these best practices, organizations can improve their OT security posture and better protect their critical infrastructure assets.

Threat Landscape

Operational technology (OT) refers to the hardware and software that are used to run industrial control systems (ICS). These systems are responsible for managing critical infrastructures, such as power plants and water treatment facilities. 

OT systems have been traditionally air-gapped from the rest of the company's networks and also the internet. However, cloud services and IoT sensors are proliferating extensively, resulting in even OT systems being connected to external networks and even the internet. This has tremendously increased the number of threat vectors and their risk of being hacked. In fact, there have been several high-profile attacks on OT systems in recent years, such as the Stuxnet virus that targeted a nuclear facility in Iran and the Colonial Pipeline hack that impacted a major oil pipeline in the US.

The threat landscape for OT is constantly changing as new vulnerabilities are discovered, and new attack techniques are developed. Unfortunately, this makes it difficult for organizations to keep their OT systems secure. 

To address this challenge, organizations need to have a comprehensive security program in place. "The program should include policies, procedures, and technologies that are specifically designed for OT systems. It should also be tailored to the unique needs of the organization's ICS industry. For example, an OT cybersecurity program for an Oil and Gas company will be distinct from one built for a Power company. Though there are overall commonalities, there are also important distinctions based on the industry," added OT Cybersecurity expert Krishna Tata. 

Organizations can learn from the experiences of others when it comes to building their own OT security programs. IBM has worked with many different organizations on this issue, and their security architects have gained a lot of insights into what works and what doesn't.

The Future of OT

The future of OT security is an important topic for critical infrastructure industries as the world becomes increasingly digital. As industries move towards Industry 4.0 and the Internet of Things, it is important to consider how these technologies will impact security.

There are many potential benefits of Industry 4.0 and the IoT, but there are also new risks that need to be considered. For example, as more devices are connected to the internet, there are more opportunities for cyberattacks. In addition, as data is collected and shared across organizations, there is a greater risk of data breaches.

In order to address these risks, it is important to have a comprehensive security program in place. This program should include both IT and OT security measures. Some examples of IT security measures include firewalls, intrusion detection/prevention systems, and anti-virus software. OT security measures might include physical security, process control monitoring, and device configuration management.