Cybersecurity can seem scary and overwhelming, but it just requires performing some basic tasks, following some essential best practices, and using some helpful tools. Oh, and operations technology (OT) and information technology (IT) must work together.
Mike Ehlers, global senior security manager at Olin Corp. in Clayton, Mo., reports that planning to deploy IT and OT cybersecurity controls begins with securing data and network footprints, and the best model for this is the well-known, five-pillar National Institute of Standards and Technology (NIST) Cybersecurity Framework, which the Center for Internet Security expands into 22 "CIS controls" coverage areas and tasks (Figure 1).
“There are other ways to do this, but if you look at NIST’s model and CIS controls, I believe they marry together very well,” says Ehlers. “NIST is what a cybersecurity platform should include, and CIS is how to do it.”
Ehlers presented “IT/OT cybersecurity best practices” on Feb. 6 at ARC Forum in Orlando, Fla.
Separate and segment
Ehlers reports that two of the most crucial cybersecurity tasks to do first are making sure that a company’s plant-floor OT network is sufficiently separated from its business-level IT network, and recruiting someone on staff who can advocate for change and help OT and IT staffers cooperate to implement secure network zones and conduits. These are shown in the equally famous, seven-layer Purdue Open System Interconnect (OSI) model (ANSI/ISA-95) for networks and control hierarchies, which recommends that communications go through multiple firewalls between field devices, operations, enterprise and public networks.
“If OT and IT networks aren’t separated, it leaves users open to email as the largest vulnerability vector because many users may be clicking on links they shouldn’t be clicking on, and opening attachments in phishing emails,” explains Ehlers. “This is where an industry standard like the Purdue OSI model, which I certainly recommend, can help users separate their OT and IT networks to securely manage their data.”
Ehlers adds that each cybersecurity effort must also address its “people, processes and technology” issues. These typically include developing existing personnel and/or adding managed security service providers (MSSP), developing and publishing policies and standards, and procuring tools to implement security controls.
“If you have more money in your security department budget than I do, it may be easier to hire more security staff or an MSSP,” says Ehlers. “In either case, you’ll need plenty of funding because it will have to go 24/7 and be always on.”
Ehlers adds he can’t overemphasize how important it is to have a change advocate, who is crucial for supporting early and even mature cybersecurity programs. “If you're the chief information security officer (CISO) and you're responsible for cybersecurity across an entire organization, and you're only worried about the business side, that's an obvious gap,” explains Ehlers. “If you’re accountable for crossing the boundary into levels 2, 1 and 0 of the Purdue model, how are you going to implement any ideas? Are you just going to go walk into the production people one day, and say ‘Here’s the standard. Go do it’? That probably won't fly well, which is why you need that advocate. What we’ve experienced over the years is that you generally need someone in management, such as a VP on the operations side or a couple of people who understand the operations going on.”
Organize for maturity
To migrate toward and achieve greater cybersecurity, Ehlers agrees that users and organizations can start with the NIST framework’s five pillars to develop their first line of defense, but he stresses they must also use it to develop a plan that meets their unique requirements.
“There needs to be a mindful, thought-out plan and approach to cybersecurity, or you’re just throwing darts at a board, trying something new every year, and likely to get lost in the mire of not knowing where to start,” says Ehlers. “I think everyone knows about governance, access control, security awareness, training and monitoring, so those may be easier tasks, while others are harder to grasp. Traditional cybersecurity was driven by all the things that cyber-criminals might do and everything that might go wrong. However, CIS controls cut through this fog to focus on the fundamental and valuable actions that every enterprise should take, and consolidates them into a process that you can follow, and check off boxes as you go. In addition, they’re referenced by NIST’s framework as a recommended implementation approach, and consist of a short list of high-priority, effective, defensive, must-do, do-first actions.”
CIS controls are applied by grouping 18 tasks in the NIST Cybersecurity Framework, and organizing them into three implementation groups:
- Basic consists of key controls that should be implemented in every organization for essential cyber-defense readiness, and includes inventory and control enterprise assets, inventory and control software, data protection, secure configuration of all assets, account management, access control management, continuous vulnerability management and audit log management.
- Foundational consists of technical best practices that provide clear security benefits, and includes email/web browser protections, malware defenses, data recovery, network infrastructure management, and network monitoring and defense.
- Organizational concentrates on people and processes, and includes security awareness and skills training, service provider management, application software security, incident response management and penetration testing.
Progressing from basic to foundational to organizational is how users can fully establish the NIST Cybersecurity Framework in their operations and organizations. “It’s always people, processes and technology, so what’s needed for malware defenses?” asks Ehlers. “One of the more common tasks is antivirus (AV), so you start mapping and filling in these bubbles. Once you understand it, you literally have this map in front of you that starts with the basics, and moves into the foundational and organizational. As you get going, the map begins to show up in somewhat of an importance order, and becomes a heat map of green bubbles that have been implemented, yellow bubbles that are in progress, and red bubbles that are gaps that need funding. This makes it very simple to identify and track what needs to be done.”
Build better bubbles
Ehlers adds that he and his colleagues fill in tasks in the basic, foundational and organizational groups by asking what people, processes and technologies each of them requires, and developing answers for each (Figure 2).
“For instance, if you need malware defense and an AV tool, you may also need to consider endpoint detection and response (EDR). Sometimes it’s a tool, sometimes it’s a person and a tool, and sometimes it’s a process. Sometimes a bit of all three is needed to fill in a bubble,” says Ehlers. “If all your bubbles are red, then you’re probably at high risk, but it goes down as more turn green.”
“If you want to add numbers, you can add measurement vectors under each bubble,” explains Ehlers. “To measure if you have a good AV deployment, you may find you’ve got 10,000 endpoints and you’re deploying to 9,000 on any given day. This 90% deployment is one of the little vectors you can add to the malware defenses bubble. You can then build three or four more vectors for each bubble, and bring them all together to build a risk score you can use at your company, and determine if you’re in the green, yellow or red. This is one way to help answer the overall ‘Are we secure?’ question. This gives my team focus and goals they can march towards every year. We’ve also presented this to our board to show we have a plan that’s underway and that we’re continuing to reduce risk. The risk meter we built based on vectors relative to our CIS controls model can show risk scores every quarter.”
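The heat map and risk meter described above, written out as an added example (this is not Olin’s tool, and the thresholds, group weights and sample vectors are assumptions): each CIS-control bubble carries a few measurement vectors (achieved versus target, like the 9,000-of-10,000 AV deployment), the bubble’s score is the mean coverage of its vectors, a bubble with no vectors at all counts as red, and the company-wide risk score weights the basic group most heavily.

```python
"""CIS-controls heat map and risk meter built from measurement vectors.

Added illustration, not Olin's risk meter. Thresholds, weights and sample
numbers are assumptions chosen to mirror the article's AV example.
"""
from dataclasses import dataclass, field
from statistics import mean

GREEN, YELLOW, RED = "green", "yellow", "red"

# Assumed: the basic group counts three times an organizational bubble.
GROUP_WEIGHT = {"basic": 3, "foundational": 2, "organizational": 1}


def status_for(score: float, green_at: float = 0.90, yellow_at: float = 0.60) -> str:
    """Map a 0..1 coverage score to the green/yellow/red bubble colour (assumed cut-offs)."""
    if score >= green_at:
        return GREEN
    if score >= yellow_at:
        return YELLOW
    return RED


@dataclass
class Vector:
    """One measurement under a bubble, e.g. endpoints with AV installed vs. total endpoints."""
    name: str
    achieved: float
    target: float

    def coverage(self) -> float:
        if self.target <= 0:
            return 0.0
        return min(self.achieved / self.target, 1.0)


@dataclass
class Bubble:
    """One CIS control with its implementation group and its measurement vectors."""
    control: str
    group: str
    vectors: list = field(default_factory=list)

    def score(self) -> float:
        # No measurement means no evidence the control works: treat it as a gap.
        if not self.vectors:
            return 0.0
        return mean(v.coverage() for v in self.vectors)

    def status(self) -> str:
        return status_for(self.score())


def heat_map(bubbles: list) -> dict:
    """Return {control: colour} for the board-level heat map."""
    return {b.control: b.status() for b in bubbles}


def risk_score(bubbles: list) -> float:
    """Weighted residual risk on a 0..100 scale; 0 means every bubble is fully covered."""
    total_weight = sum(GROUP_WEIGHT[b.group] for b in bubbles)
    weighted_gap = sum(GROUP_WEIGHT[b.group] * (1.0 - b.score()) for b in bubbles)
    return round(100.0 * weighted_gap / total_weight, 1)


# Constructed sample: four bubbles, one per outcome the article describes.
SAMPLE = [
    Bubble("asset inventory", "basic", [
        Vector("devices present in CMDB", 4800, 5000),
        Vector("devices with an owner assigned", 4500, 5000),
    ]),
    Bubble("vulnerability management", "basic", [
        Vector("critical findings patched within SLA", 300, 500),
        Vector("hosts covered by the scanner", 4000, 5000),
    ]),
    Bubble("malware defenses", "foundational", [
        Vector("endpoints with AV deployed", 9000, 10000),   # the article's 90%
        Vector("endpoints with EDR deployed", 9000, 10000),
        Vector("endpoints with current signatures", 9900, 10000),
    ]),
    Bubble("incident response", "organizational"),          # nothing measured yet
]

if __name__ == "__main__":
    for control, colour in heat_map(SAMPLE).items():
        print(f"{control:26s} {colour}")
    print("company risk score:", risk_score(SAMPLE))
```

Running the sample gives a green asset-inventory bubble, a yellow vulnerability-management bubble, a green malware-defenses bubble and a red incident-response bubble, with a risk score of 25.0; re-running each quarter with updated vector counts gives the trend line the board wants to see.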
Protect the OT side
To achieve similar cybersecurity gains on its OT level, Ehlers reports that Olin relies on the Purdue OSI model, maintains firewalls between its IT and OT networks, and segments its other networks, too. Its business network connects to an industrial demilitarized zone (iDMZ) at Level 3, which can only initiate contact with the OT network at Level 2 by using two-factor authentication (2FA). However, the OT network at Level 2 can initiate and push data to the iDMZ, though no Internet access is allowed.
Olin also uses NIST framework and CIS controls approaches on the OT side that are similar to those it employs on the IT side. The seven key CIS control concepts crucial for the OT side are network visibility, vulnerability management, patching cadence, antivirus/malware protection, hardware and software asset management, standard incident response, and data backup and recovery.
“The biggest takeaway is that you’ve got to have a firewall cluster between your business and OT networks. If that isn’t there you have a high risk, period, because the Internet has access to your OT side,” says Ehlers. “The other key takeaway is that you don’t allow communication to be initiated from the business network to the OT network without two-factor authentication (2FA). In fact, you probably need two forms of 2FA, one to access your business network and another to get through the firewall, and not ones that use the same Microsoft authenticator app. If you want to push data from OT to the business, only Level 2 should initiate—and only outbound to the business, never back to OT.”
To gain OT network visibility and evaluate what’s happening, Ehlers adds that Olin uses passive-monitoring software from Armis. It establishes a baseline of what devices and good behavioral traffic are on its networks, and quickly alerts users if anyone unexpectedly plugs in.
“This is a passive tool, so it takes in data, but there’s no longer anyone who can go to a switch port on our network and plug something in that we don’t know is there within about 15 minutes,” says Ehlers. “It can’t get baselines overnight, but it does happen quickly, and now we can get an alert if someone plugs in. We’re no longer in the position of just hoping we’re secure.”
Ehlers also encourages users to ask what’s the source of truth for servers on their networks. “Do you think it’s active directory? Are you sure your engineers aren’t building servers, and not adding them to the active directory sometimes?” asks Ehlers. “I’ll guarantee that if you ask an infrastructure team that hasn’t discussed these topics, they’ll say they know how many servers are on their network. However, I’ll bet $100 that I can prove them wrong with Armis on their network because there’s stuff being built that they have no idea about. Especially in huge companies, engineers will build and turn on a temporary server that never gets turned off, or they don’t need active directory to manage a server. Visibility is so important because it leads to vulnerability management. This is how we ensure our cybersecurity program is accurate.”
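The “source of truth” check Ehlers describes, as an added example that is not Olin’s or Armis’s code: a directory export (the hosts the infrastructure team believes exist) is reconciled against what a passive monitor actually saw on the wire, producing the hosts nobody registered, the registered hosts that never appeared, and the matches. Both inputs below are constructed; the export and observation-line formats are assumptions, not a real Armis or Active Directory format.

```python
"""Reconcile a directory export against passively observed hosts.

Added example, not Armis or Olin code. The LDAP-style export and the
observation log are constructed sample data in assumed formats.
"""
import re
from dataclasses import dataclass

# Constructed: computer objects the infrastructure team knows about.
AD_EXPORT = """\
cn=APP-SRV-01,ou=Servers,dc=example,dc=local
cn=APP-SRV-02,ou=Servers,dc=example,dc=local
cn=HIST-SRV-01,ou=OT,dc=example,dc=local
cn=OLD-SRV-09,ou=Servers,dc=example,dc=local
"""

# Constructed: one line per host the passive monitor saw talking on the network.
# The last line is a host the monitor could not name, which is still worth a ticket.
DISCOVERY_LOG = """\
2024-03-04T08:00:12Z ip=10.20.1.10 mac=00:1a:2b:00:00:10 host=app-srv-01.example.local
2024-03-04T08:00:13Z ip=10.20.1.11 mac=00:1a:2b:00:00:11 host=app-srv-02.example.local
2024-03-04T08:02:40Z ip=10.30.2.5 mac=00:1a:2b:00:00:50 host=hist-srv-01.example.local
2024-03-04T09:15:03Z ip=10.20.1.77 mac=00:1a:2b:00:00:77 host=eng-temp-01
2024-03-04T09:16:00Z ip=10.20.1.78 mac=00:1a:2b:00:00:78 host=
"""

CN_RE = re.compile(r"^cn=([^,]+)", re.IGNORECASE)
OBS_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) mac=(?P<mac>\S+) host=(?P<host>\S*)$")


def normalize(name: str) -> str:
    """Compare on the short host name, case-insensitively, ignoring any DNS suffix."""
    return name.split(".", 1)[0].strip().lower()


def parse_ad(text: str) -> set:
    """Short names of every computer object in the export; lines without a cn= are skipped."""
    names = set()
    for line in text.splitlines():
        m = CN_RE.match(line)
        if m:
            names.add(normalize(m.group(1)))
    return names


@dataclass(frozen=True)
class Observation:
    ts: str
    ip: str
    mac: str
    host: str  # empty string when the monitor could not resolve a name


def parse_discovery(text: str) -> list:
    """Parse observation lines; malformed lines are ignored rather than crashing the run."""
    out = []
    for line in text.splitlines():
        m = OBS_RE.match(line)
        if m:
            out.append(Observation(m["ts"], m["ip"], m["mac"], normalize(m["host"])))
    return out


def reconcile(ad_hosts: set, observations: list) -> dict:
    """Split observed hosts into unknown-to-AD, AD-but-not-seen, and matched."""
    seen_named = {o.host for o in observations if o.host}
    unknown = [
        {"ip": o.ip, "mac": o.mac, "host": o.host or "<unnamed>", "first_seen": o.ts}
        for o in observations
        if o.host not in ad_hosts          # an unnamed host is never in AD either
    ]
    return {
        "unknown_on_network": sorted(unknown, key=lambda u: u["first_seen"]),
        "in_ad_not_seen": sorted(ad_hosts - seen_named),
        "matched": sorted(ad_hosts & seen_named),
    }


if __name__ == "__main__":
    report = reconcile(parse_ad(AD_EXPORT), parse_discovery(DISCOVERY_LOG))
    for key, rows in report.items():
        print(key)
        for row in rows:
            print("   ", row)
```

The two interesting lists are the unknown hosts (the “temporary server that never gets turned off” case, here `eng-temp-01` plus one device that never announced a name) and the directory entries nothing has been seen for (`old-srv-09`), which are either decommissioned boxes that still hold credentials or monitoring blind spots; both feed straight into the vulnerability-management bubble.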