Operations technology (OT) cybersecurity is finally getting more of the attention it deserves, but Dragos Inc. reports that a successful cybersecurity program needs both executive buy-in and five control policies and procedures. To gain executive understanding and support, a cybersecurity advocate should present executives with real-world examples of cyber-attack impacts and what they cost, research prior incidents, including U.S. Securities and Exchange Commission (SEC) filings by firms that were affected, and explain the difference between information technology (IT) and OT, stressing that executives must support OT cybersecurity as well as IT cybersecurity.
The five controls for cybersecurity are:
- Create a dedicated industrial control system (ICS)-specific incident response plan that addresses OT device types, communication protocols, procedures, tools and languages. Include points of contact, such as employees with cybersecurity skills in each facility, and add well-thought-out steps for specific cyber-scenarios at each location. Consider performing tabletop exercises to test and improve response plans.
- Establish a defensible architecture by hardening the environment—remove extraneous OT network access points, maintain strong policy control at IT/OT interface points, and mitigate high-risk vulnerabilities. Invest in training people in skills for adapting to new vulnerabilities and cyber-threats.
- Maintain visibility and monitoring with an inventory of assets. Map vulnerabilities against assets and mitigation plans, actively monitor network traffic for cyber-threats, and respond as needed. Visibility of assets validates the security that has been implemented, and threat detection enables scaling as networks grow.
- Implement multi-factor authentication (MFA) across OT systems for an extra, low-cost layer of cybersecurity. If MFA isn't possible, consider using a jumphost with focused monitoring to manage devices in a separate security zone. Focus on connections into and out of a network rather than links within the network.
- Perform key vulnerability management by maintaining timely awareness of the vulnerabilities that apply to the environment, with correct, up-to-date information and risk ratings. Also maintain alternative mitigation strategies that minimize exposure while operations continue.
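The visibility control (map vulnerabilities against assets and mitigation plans) and the vulnerability-management control (risk-rated advisories plus alternative mitigations when patching must wait) are easier to see in code. The following is an added example, not code from Dragos or from the article: it takes a constructed OT asset inventory and a constructed advisory feed, matches advisories to assets by vendor, product and version, raises the priority of assets that sit at an IT/OT interface point, and picks either an immediate patch or an interim compensating control for assets that can only be patched during a planned outage. The vendors, products, versions, advisory ids, zone labels and the priority rule are all assumptions made for the illustration.

```python
"""Added example: map constructed vulnerability advisories against a constructed
OT asset inventory and choose a mitigation for each affected asset."""
from dataclasses import dataclass

# Assumed scoring rule: the advisory's risk rating drives the priority.
RISK_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    product: str
    version: tuple          # (major, minor, patch); tuples compare lexicographically
    zone: str               # constructed network-zone label
    it_ot_boundary: bool    # True if the asset sits at an IT/OT interface point
    patch_window: str       # "anytime" or "planned-outage"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder ids, not real CVE numbers
    vendor: str
    product: str
    fixed_in: tuple         # first firmware/software version containing the fix
    risk_rating: str        # "critical" | "high" | "medium" | "low"
    alternative_mitigation: str  # compensating control to use while patching waits


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected when vendor and product match and it runs a version
    older than the first fixed release."""
    return (asset.vendor.casefold() == adv.vendor.casefold()
            and asset.product.casefold() == adv.product.casefold()
            and asset.version < adv.fixed_in)


def priority(asset: Asset, adv: Advisory) -> int:
    """Risk rating sets the base score; an IT/OT boundary position adds one,
    because policy control at interface points matters most (assumed rule)."""
    score = RISK_SCORE[adv.risk_rating]
    if asset.it_ot_boundary:
        score += 1
    return score


def choose_action(asset: Asset, adv: Advisory) -> str:
    """Patch now when the asset can take a patch at any time; otherwise apply the
    advisory's alternative mitigation and keep operating until the next planned outage."""
    if asset.patch_window == "anytime":
        return "patch to " + ".".join(map(str, adv.fixed_in))
    return f"interim: {adv.alternative_mitigation}; schedule patch for next planned outage"


def build_plan(assets, advisories):
    """Check every advisory against every asset and return the affected pairs,
    sorted by descending priority, each with its chosen mitigation action."""
    rows = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                rows.append({
                    "asset_id": asset.asset_id,
                    "advisory_id": adv.advisory_id,
                    "zone": asset.zone,
                    "priority": priority(asset, adv),
                    "action": choose_action(asset, adv),
                })
    rows.sort(key=lambda r: (-r["priority"], r["asset_id"]))
    return rows


# Constructed sample data: fictitious vendors, products, versions and advisory ids.
ASSETS = [
    Asset("PLC-01", "ExampleCo", "ProcController", (3, 1, 2), "level1-control", False, "planned-outage"),
    Asset("HMI-07", "ExampleCo", "OpsView", (5, 0, 0), "level2-supervisory", False, "planned-outage"),
    Asset("GW-02", "ExampleCo", "OpsView", (4, 9, 1), "it-ot-dmz", True, "anytime"),
    Asset("HIST-01", "OtherVendor", "Historian", (2, 2, 0), "it-ot-dmz", True, "anytime"),
]

ADVISORIES = [
    Advisory("ADV-0001", "ExampleCo", "OpsView", (5, 0, 1), "critical",
             "restrict inbound access to the OpsView service to the jumphost"),
    Advisory("ADV-0002", "ExampleCo", "ProcController", (3, 2, 0), "high",
             "block the affected protocol at the IT/OT interface firewall"),
    Advisory("ADV-0003", "OtherVendor", "Historian", (2, 1, 0), "medium",
             "disable remote replication until patched"),
]

if __name__ == "__main__":
    for row in build_plan(ASSETS, ADVISORIES):
        print(f"[P{row['priority']}] {row['asset_id']} ({row['zone']}) "
              f"{row['advisory_id']}: {row['action']}")
```

With the constructed data, the DMZ gateway running the older OpsView build comes out on top (critical rating plus boundary position) and gets an immediate patch, while the HMI and PLC, which can only be patched during an outage, get their advisories' compensating controls as interim actions; the historian is already on a fixed version and does not appear. A real inventory would come from the asset-visibility tooling the article describes, and the advisory feed from the vendor or a vulnerability service rather than from literals.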