You need to lock down cyber-physical systems: Here's how and why

Cybersecurity should focus on OT as well as IT

Image credit: Samara Lynn / MES Computing

Organisations need visibility into operational technology (OT) as well as information technology, said Gartner analyst Paul Furtado during a keynote speech.

IT environments interconnect SaaS apps, cloud and physical systems. Furtado, speaking at MES IT Security in Indianapolis, focused on the need to lock down physical infrastructure.

Many of the leading security vendors address OT. Palo Alto Networks defines OT security as securing the "hardware and software systems that execute monitoring and/or control over industrial equipment and processes," while Cisco says, "OT security...refers to cybersecurity practices that help to ensure operations continuity, integrity, and safety in industrial networks and critical infrastructures."

Meanwhile, according to Fortinet, "Operational technology is the use of hardware and software to monitor and control physical processes, devices, and infrastructure."

Collectively, the industry takes these definitions to include SCADA systems and distributed control systems; Industrial Internet of Things (IIoT) devices, including sensors, monitors, actuators, and other technologies; building management/automation systems; physical access controls, and more.

"We spend all our time focusing on the IT side," Furtado said. "A lot of the risk is over on the cyber-physical centre, and the bad actors know it. The reality [is] you carry more tech debt on your OT side of the business than you do the IT side of the business."

Furtado spoke about locking down the physical environment, not just IT operations, and the reasons why:

Shared credentials

One thing that happens in OT that we really don't allow on the IT side is shared credentials. Furtado cited an example: "You got three shifts a day. You've got a number of people who come in using the exact same machine. They don't all have a different username and password. They all log in as 'operator'...so we've got a lot of shared credentials sitting in that environment."
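A defender can surface this pattern from logon records. The following is an added example, not something shown in the keynote: it flags any account seen on the same workstation in more than one shift of a single operational day. The record layout, host names and the 06:00/14:00/22:00 shift boundaries are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shift pattern: three 8-hour shifts starting 06:00, 14:00 and 22:00.
SHIFTS = ("day", "evening", "night")
DAY_START = timedelta(hours=6)

# Constructed sample records: (ISO timestamp, workstation, account).
SAMPLE_LOGONS = [
    ("2024-05-06T06:05:00", "HMI-01", "operator"),
    ("2024-05-06T14:02:00", "HMI-01", "operator"),
    ("2024-05-06T22:10:00", "HMI-01", "operator"),
    ("2024-05-06T14:30:00", "HMI-02", "operator"),
    ("2024-05-06T22:40:00", "HMI-02", "operator"),
    ("2024-05-06T06:20:00", "ENG-01", "jsmith"),   # named user, day shift
    ("2024-05-09T15:00:00", "ENG-01", "jsmith"),   # same user rotated to evenings
]

def shift_key(ts):
    """Map a timestamp to (operational day, shift name).

    Subtracting six hours makes the night shift that runs past midnight
    belong to the operational day on which it started.
    """
    shifted = ts - DAY_START
    return shifted.date(), SHIFTS[shifted.hour // 8]

def flag_shared_accounts(logons, min_shifts=2):
    """Return sorted (host, account, day, shifts) tuples for accounts used on
    one workstation in at least min_shifts shifts of one operational day."""
    seen = defaultdict(set)  # (host, account, day) -> shifts observed
    for stamp, host, account in logons:
        day, shift = shift_key(datetime.fromisoformat(stamp))
        seen[(host, account, day)].add(shift)
    findings = []
    for (host, account, day), shifts in seen.items():
        if len(shifts) >= min_shifts:
            ordered = sorted(shifts, key=SHIFTS.index)
            findings.append((host, account, day.isoformat(), ordered))
    return sorted(findings)

if __name__ == "__main__":
    for finding in flag_shared_accounts(SAMPLE_LOGONS):
        print(finding)
```

A named user who rotates between shifts on different days is not flagged, because the check is scoped to a single operational day.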

Remote access

"We have uncontrolled remote access. You know why? Because the folks that are responsible for facilities or plant operations, they signed a contract with Siemens or Honeywell, or Schneider Electric, or whoever, pick your vendor.

"And part of that contract was that they will do maintenance. Part of that maintenance means they just connect in. No control. Direct into that device. What does that mean? What sort of controls [do] we have in there?"

Many of these devices also have a long shelf life, which can be a weakness. "We're not replacing them [and] we're not doing a good job of configuration tracking that we need to do."

Untraditional equipment

Hackers are not going after the traditional things that you might expect, Furtado said. "Now, they get into your HVAC system… They're going to turn off your cooling in your data centre… They've also disabled the alarm, so you don't know. Now you've got a thermal alert on your server.

"By the time you can get to those machines, they're too hot. They're going to shut down. You now have an outage. That's why you've got to start caring about these things," he added.

Adhere to the Purdue Model

Furtado said that the Purdue model for industrial control systems (ICS) is a good template for locking down physical systems. He called it a "game plan and model to adhere to." The model refers to securing multiple layers. "Visibility is important. You have to know what you are trying to protect," he said. "Facilities, plant operations and all other physical infrastructure must be part of the security strategy."

Stick to what you need

Resist the temptation to chase shiny new cybersecurity objects, Furtado advised. "We see these vendors are always coming out with this new magic button. How many of us have had the magic button work? … Make sure that we're using the right tooling [for] your overall security governance to fit the needs of [your] [operational technology] environment."

Create the right security policies and use free resources

Finally, you don't have to always create new security policies, but you should make sure the ones you have in place are all-encompassing. That means, for example, including existing vendors.

SANS, the professional cybersecurity organisation, offers advice on industrial control systems for companies around the world. It also includes manuals and guidance on its site.
