Recent regulatory changes mean that CISOs are now expected to assume liability along with responsibility for enterprise cybersecurity risk. For industrial organizations, that encompasses risk from OT devices and networks. With the lines between IT, IoT and OT networks blurrier than ever, comprehensive oversight of risk is long overdue.
Most cyberattacks originate on the business network, but if they reach production areas and cause harm to health, safety or the environment, that’s part of enterprise risk. Because of this, there’s a growing awareness at the board level that continuing to ignore OT security is a bad bet.
Often when we ask IT executives in large industrial organizations what they’re doing about OT security, they reply, “Nothing, we don’t know who owns it or where to start. What are other organizations like us doing?”
The shift to an enterprise approach to risk is positive, but it raises questions about who should own the purchasing, deployment and maintenance of cybersecurity solutions for unfamiliar (to IT departments) cyber-physical environments. Often when we ask IT executives in large industrial organizations what they’re doing about OT security, they reply, “Nothing, we don’t know who owns it or where to start. What are other organizations like us doing?”
Unless you have a unicorn on staff who understands your IT security framework, industrial environment, regulatory requirements and the fundamental differences between IT and OT security practices, you’ll need to assemble a team to cover all the bases. For example, cybersecurity policies for OT engineers, technicians, process operators and control room operators often don’t exist. Who will write the policies, and who will train the affected Individuals? Likewise, who’ll create incident response plans? Typically they can be quite different in OT because of physical safety consequences.
Answer: You need a cross-functional “dream team” with the expertise, drive and follow-through to bridge the OT/IT cultural divide, nurture adoption and take responsibility for OT security in the long run.
Here’s some practical advice based on what we’ve seen work at industrial organizations that have successfully built OT security into their enterprise framework. To get the same outcomes, start by drafting the right talent for your dream team.
The Role of the CISO: Executive Sponsor
In an org chart, the CISO is the natural choice to own enterprise risk. They usually have at least two decades of experience evaluating and implementing solutions... for IT environments. Most CISOs know enough about OT security to know it’s outside of their wheelhouse. You can’t just add more hardware and licenses and expand your InfoSec technology, policies and controls into an industrial production environment, where security measures are often seen as a nuisance if not a threat to safety and reliability. Among the many differences between OT and IT security, in OT patching is often irrelevant (due to insecure protocols and living off the land tactics) or impossible, and network and device monitoring cannot pose any risk to the operating environment.
Because CISOs are responsible for enterprise risk and have broad influence over both technical and business decisions, they are best suited to be executive sponsors for the project. Their guidance includes:
- Providing strategic direction
- Securing people and monetary resources
- Building organizational awareness
- Demonstrating the company’s sustained commitment to risk management
- Regularly checking on project milestones
- Managing escalations
- Communicating progress to executives and the board
CISOs are pros at most of these functions; that’s what they do. For an OT security project, recruiting the right people to evaluate solutions, deploy them and provide ongoing oversight is the big challenge they must tackle.
Drafting Your OT Security Dream Team
You can’t talk about dream teams without revisiting the original Dream Team: the 1992 U.S. men’s Olympic basketball team. Charles Barkley, Larry Bird, Patrick Ewing, Magic Johnson, Michael Jordan, Christian Laettner, Karl Malone, Scottie Pippen, John Stockton — the team was bursting with superstars, but every player had to pull their weight. They may have been fierce rivals on the NBA courts, but for Team USA they put their egos aside, practiced together for hours and went undefeated in eight games to win the gold medal in Barcelona.
You don’t need world-class athletes (though maybe that would help) to launch your OT security program. In business the term "dream team" refers to a group of people who are recognized as the best at what they do, have complementary skills and work well together.
If key OT stakeholders aren’t invited to weigh in on the technology purchasing decision, you're likely to face delays or be prevented from installing it altogether.
The ideal dream team includes plant managers, engineers and operators who understand industrial control systems inside and out, even if they might be unsure or skeptical of cybersecurity. On the cyber side, you’ll want to recruit security and network managers, analysts and administrators, even if several of them have never set foot on the plant floor. For companies subject to cybersecurity regulations, you’ll want to include a compliance expert to ensure the solutions you install cover key requirements, including reporting.
If any of these roles is missing, you may still make an informed purchasing decision, but internal challenges will likely surface down the road and cause delays. For example, if no one from the networking team is at the table, when you try to implement SPAN traffic monitoring, they may need additional persuasion or propose a different idea altogether that sends you back to the drawing board. If key OT stakeholders aren’t invited to weigh in on the technology purchasing decision, you're likely to face delays or be prevented from installing it altogether.
Overcoming the OT-IT Cultural Divide
Unlike many business teams (except perhaps those involving mergers and acquisitions), your dream team is also going to have to deal with cultural rivalry. When OT stakeholders push back on deploying security solutions because “something might break,” too often that view comes from experience with an IT security solution they were told could be safely deployed but caused disruption. It’s not rare to hear “their last update broke our process,” when that was a decade ago!
The best way to overcome such views is for InfoSec teams to learn the peculiarities of this very different environment from OT experts on the team and proceed with caution when recommending cyber solutions. Some eye openers they’ll encounter include:
- The number of legacy OT devices with decades-long lifecycles that run outdated or proprietary operating systems and apps, with no documentation.
- Industrial processes that run 24/7/365, with a narrow maintenance window once a year. Cybersecurity upgrades (including patches, if they’re even possible), must fit into that window and be scheduled around other critical fixes.
- The Purdue Model, a five-level reference architecture somewhat akin to the OSI model that’s used to indicate permissible data flow within industrial control systems. For example, a DMZ separates the corporate and manufacturing networks, and downward traffic between these levels is restricted.
It’s not rare to hear “their last update broke our process,” when that was a decade ago!
OT experts on the team must also learn to bend. They can meet their IT counterparts halfway by acknowledging that (1) OT devices and protocols are insecure by design, (2) cyberattacks on critical infrastructure are real and on the rise and (3) cyber resilience is good business. As they learn more about safe passive and selective active monitoring that matches the scanning tolerance of sensitive OT assets, they will appreciate benefits such as:
- An automated asset inventory that provides 100% visibility into what’s on their network, what assets they’re talking to and whether they’re connected to the internet
- Detection not just of cyber threats but of process anomalies and device misconfigurations that deviate from baselined normal behavior and could impact production
- Access to previously unavailable, highly accurate data about every connected asset that is useful well beyond detecting cyber threats, such as device type and function; hardware manufacturer, model and serial number; operating system or firmware version; network address; Mac address and hostname; communication protocols used; applications running; and vulnerabilities and risk. Use cases for this information include inventory optimization, license management and more.
Finding the Natural Team Leader
There’s no shortage of advice about how to choose a team captain, whether in sports or in business. Besides natural leadership and bridge-building skills, your dream team captain (and ideally all team members) must have change-management chops.
Introducing OT security onto the shop floor means introducing very different behavior. There will be new policies, configurations and controls, such as tighter access management, that change how operators do their everyday jobs. Many of these changes won’t be popular. Can this person champion the changes as not only necessary but also in everyone’s best interest? As executive sponsor the CISO will also lead this charge, but you want a trusted peer answering detailed questions, working the room and winning over naysayers. By the time the security vendor or system integrator shows up, you want educated employees who know what to expect and are ready.
Post-Implementation: Let the Games Begin!
Let’s assume your team successfully selects a cybersecurity solution and gets it implemented, with finely tuned controls backed by well-documented policies. Now it’s time to ensure all those hours of practice — in this case, learning how to devise joint strategies and work together — pay off with long-term product and process ownership.
To enable enterprise risk management, data from your OT environment must be fed into your security information event management system (SIEM) or otherwise integrated with your existing IT security platform so the security operations center (SOC) or managed security services provider (MSSP) can identify issues. It’s critical for OT experts (ideally OT security experts) on the dream team to keep educating these groups about the sensitivity of OT networks and why remediation efforts must involve personnel who are knowledgeable about your industrial processes and network.
What Not to Do
When offering advice, sometimes it’s more helpful to say what not to do than what to do. OT security projects that go sideways do so for any number of reasons, many of them familiar to IT security:
- Don’t go it alone. In any team sport, rarely does one star score all the points without an assist. A quarterback needs a wide receiver, a rebounder needs a shooter, a forward needs a midfielder. And all teams need a coach — usually several. Coaches are everywhere: consult with your peer network, industry analysts, ISAC or regional industry group.
- Don’t engage in analysis paralysis. Gather your facts; do your research, check references, select a solution and move forward. There’s is neither a perfect product nor a perfect time to wait for.
- Don’t just hire an outside OT security expert to make the purchasing decision and deploy the solution for you. Even if the consultant is experienced and can help you compare solutions, the decision and buy-in need to come from in-house experts who know your organization.
- Don’t try to win without a playbook. Developed by the International Society of Automation, the ISA/IEC62443 series of standards is the leading international consensus-based standard for industrial cybersecurity. Part 2-1-2009 provides detailed guidance on how to establish a high-quality industrial automation and control systems (IACS) security program.
Even if the consultant is experienced and can help you compare solutions, the decision and buy-in need to come from in-house experts who know your organization.
Lean on Nozomi Networks to Build Your OT Security Program
There’s one more indispensable source of help waiting for CISOs and dream teams: your vendors. We’re eager to share our knowledge. An educated buyer has a much better chance of adopting and optimizing the solution they purchase — and recommending it to peers.
Nozomi Networks has deployed OT security solutions into thousands of environments across every industrial and critical infrastructure sector. We’ve seen projects run smoothly, and we’ve seen them get stalled at each step. As part of every implementation kick-off, we review common OT-IT cultural challenges and offer ways to overcome them that we know work, including a proven governance structure. We can also help ensure that you’re in compliance with the IEC 62443 Part 2-1 standard.
Contact us to discuss how to get started with your OT security program, overcome cultural challenges and go for the gold.