OT Security: What Makes It Hard & How Can I Master It?

Operational technology (OT) presents unique security challenges for industrial and critical infrastructure operators.

What Makes OT Security Challenging?

Cybersecurity programs extend oversight and capabilities to the people, processes and technologies that cover each organization’s entire digital landscape: enterprise content management, email security, internet and application security, software development and vendor component security, OT and industrial control system (ICS) equipment in processes and operations, and the overall upstream and downstream supply chains.

OT and ICS are niche domains where cybersecurity best practices are still taking shape, serving industries that dominated society after the industrial revolution but before the age of the internet. IT systems face many more known vulnerabilities, which are likely to be exploited in similar ways across mainstream, ubiquitous systems. OT security, by contrast, is often proprietary and case-by-case: the possible configurations are analogous to combinations of Lego blocks (hardware permutations) and Rubik’s cubes (software and configuration permutations).

OT Cyberattacks Come Predominately in Two Forms:

  1. Tailored attacks designed for a single target with the intent of establishing prolonged, undetected access and exploitation that could result in physical disruption or destruction.
  2. Opportunistic attacks involving common denominators across organizations, based on established tactics, techniques, and procedures (TTPs) and living-off-the-land activities.

Concerns fluctuate between high-value OT targets likely operating on decades-old IT infrastructure and interdependent enterprise systems and business processes. Several attack trends have emerged:

  • Industrial sectors and hyper-connected facilities have unique interdependencies between physical and cyber infrastructure that make them vulnerable to exploitation, from billing fraud to manipulation of IoT sensors to the commandeering of operational technology (OT) systems to stop processes and cause business interruptions and/or physical destruction.
  • The attack surface for most asset owners and operators with OT assets and networks is vast and growing, with geographic and organizational complexity, and the decentralized nature of many organizations’ operations often leads to gaps in security.
  • The number of threats and actors targeting OT has increased: nation-state actors, cybercriminals who understand the economic value represented by each sector, and hacktivists seeking to publicly advance their objectives or broad agendas.

[Figure: OT Security Threat Matrix]

What Are the Cybersecurity Risks to OT Systems? 

  • Legacy technologies with known vulnerabilities and end of life status
  • Open-source availability of technical information assets and configurations
  • Connectivity of assets and networks to enterprise or public networks
  • Human error, accident, oversight, and frivolous internet connectivity
  • Lack of visibility into OT asset communications and network connectivity

Drivers for OT Security Products

OT is increasingly network connected and a top priority in risk management discussions for boardroom stakeholders, facility managers and informed engineers. Security leaders are pressed to do more with less, addressing thousands of vulnerabilities in hundreds of systems while deploying and maintaining numerous security products. Regardless of commonalities, no two attacks on OT/ICS systems are ever exactly the same, which makes automated response and remediation difficult.

Three drivers are critical for the OT security market:

  1. Prevention of incidents increasingly requires the ability to parse logs for forensic and protocol information ahead of exploitation. This requires continuous monitoring, vulnerability management, access control, network segmentation, and threat detection capabilities.
  2. IT risk management leaders and CISOs are increasingly required to demonstrate clear understanding of OT threats, risks, and vulnerabilities, dedicating new authorities to teams and leaders to get a handle on assets and networks.
  3. Government regulations and standards bodies are increasing across industrial and critical infrastructure sectors, including OT, and mandates for information sharing about cyber incidents continue to emerge (already passed in the US and Europe).

Challenges for OT Security Products

Mature cybersecurity programs invest in people, tools, and processes to enforce security policy, review security information, and build more resilient digital targets. Any “set it and forget it” approach to cybersecurity will eventually fail. Effective security requires knowing the nature and behavior of the assets within the environment, monitoring for threats, and having a measurable way to track, report, and reduce risk.

These are the three challenges teams face when implementing OT security tools:

  1. Budget scarcity, competing business priorities, funding structure considerations, and difficulty in demonstrating exact ROI (calculating prevention in terms of business impact) for security tools make selecting and purchasing products a burdensome process.
  2. There is a large gap in the personnel and expertise required to use continuous monitoring and threat detection products, and fewer outsourced managed service providers are prepared to analyze OT asset and network traffic than IT traffic.
  3. Buyers have more OT security and industrial cybersecurity product options than ever before. The data complexity of sophisticated solutions and the task of understanding available market solutions and competitive differentiators sometimes create more confusion than clarity in the market.

Solving the OT Security Problem

If OT network activity is not monitored in real time, the status of assets is largely unknown. Whether or not they have vulnerabilities, these assets cannot be protected without visibility into their day-to-day functionality. While threats and risks are becoming increasingly apparent to business stakeholders, owners, and operators, building defensible architectures, managing vulnerabilities, and building resilience require four main capabilities.

OT Asset Visibility

Asset discovery in OT and IoT environments can be completely passive, based on observing mirrored traffic, so that it does not disrupt critical processes, trigger alarms or generate additional traffic. Beyond discovery of OT devices, the ultimate benefit is reducing the mean time to recover from any security incident in your environment.

Network diagrams offer a high-level map of static configurations but lack the ability to continually monitor traffic and timestamp network or data changes. The Nozomi Networks solution helps you get a complete view of communicating devices and traffic patterns to build a visualization map that can accelerate investigations and quickly identify ways to better segment networks and monitor assets and communications.

OT Vulnerability Management

Thousands of known product vulnerabilities exist in OT/ICS and IoT systems from vendors that produce machinery and equipment used in critical infrastructure.

While each vulnerability is published with an associated Common Vulnerability Scoring System (CVSS) score, it is impossible to tell immediately, from the designated severity alone, how severe the vulnerability will be for one entity’s risk profile.

Nozomi Networks’ OT vulnerability management feature automatically identifies and scores vulnerabilities on your devices. Utilizing NIST’s NVD (National Vulnerability Database) for standardized naming, description and scoring, it rapidly determines which devices are at risk. Plus, it offers drill down on each vulnerability for deeper troubleshooting and remediation assistance.

Threat Intelligence

Scanning may identify vulnerabilities, but many steps are then required to access and exploit these vulnerabilities. Threat intelligence categorizes known TTPs and code signatures from previous incidents and is used to build detection capabilities that alert security teams when a recognized TTP or signature is detected somewhere in their network.

Threat intelligence feeds are updated with the newest IOCs and are delivered continuously in near-real time. Threat risk indicators include YARA rules, packet rules, STIX indicators, threat definitions, vulnerabilities, and an extensive threat knowledge base.

OT Anomaly Detection & Analytics

Components and connections continue to increase with multiple OT vendor systems and integrations. Reliance on patches that might not be feasible given the environment and its dependence on legacy technologies produces inadequate security coverage.

Simply having and storing reams of data is not particularly useful for risk mitigation. Behavioral analysis and anomaly detection for network operations can augment threat intelligence and overall security posture. Anomaly detection can alert on both deviations from normal communication patterns and changes in variables within the process, such as sensor readings and flow parameters.
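The two kinds of deviation described above, as an added Python example (not part of the original article and not Nozomi Networks' product logic): a baseline learned from passively observed traffic flags new assets, new communication flows, and out-of-range process values. The record format, addresses, tag names and the 4-sigma threshold are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed records, shaped like what a passive sensor decodes from mirrored
# traffic: (src, dst, protocol, function, process_tag, value)
LEARNING = [("10.0.1.10", "10.0.1.50", "modbus", "read", "flow_lpm", v)
            for v in (118.0, 120.5, 119.2, 121.0, 120.1, 118.8, 119.9, 120.4)]
LEARNING += [("10.0.1.10", "10.0.1.51", "modbus", "read", "tank_level_pct", v)
             for v in (61.0, 62.5, 60.8, 63.1, 61.9, 62.2, 61.4, 62.8)]

class Baseline:
    """Learns assets, flows and per-tag value ranges; flags deviations."""
    def __init__(self, sigma=4.0, min_spread=0.5):
        self.assets, self.flows, self.samples = set(), set(), {}
        self.sigma = sigma            # assumed alert threshold, in standard deviations
        self.min_spread = min_spread  # floor so near-constant tags do not alert on noise

    def learn(self, records):
        for src, dst, proto, func, tag, value in records:
            self.assets.update((src, dst))
            self.flows.add((src, dst, proto, func))
            if value is not None:
                self.samples.setdefault(tag, []).append(value)

    def check(self, record):
        src, dst, proto, func, tag, value = record
        alerts = [f"new_asset:{ip}" for ip in (src, dst) if ip not in self.assets]
        if (src, dst, proto, func) not in self.flows:
            alerts.append(f"new_flow:{src}->{dst}/{proto}/{func}")
        history = self.samples.get(tag, [])
        if value is not None and len(history) >= 2:
            spread = max(stdev(history), self.min_spread)
            if abs(value - mean(history)) > self.sigma * spread:
                alerts.append(f"process_deviation:{tag}={value}")
        return alerts

def demo():
    baseline = Baseline()
    baseline.learn(LEARNING)
    observed = [  # constructed traffic seen after the learning window
        ("10.0.1.10", "10.0.1.50", "modbus", "read", "flow_lpm", 119.5),
        ("10.0.9.77", "10.0.1.50", "modbus", "write", "flow_lpm", None),
        ("10.0.1.10", "10.0.1.51", "modbus", "read", "tank_level_pct", 97.0),
    ]
    return [baseline.check(r) for r in observed]

if __name__ == "__main__":
    for alerts in demo():
        print(alerts or "ok")
```

The second record raises two alerts because an unseen host issues a function the baseline never recorded for that device; the third is a known flow whose reported value falls far outside the learned range.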

Data analysis in our product engine correlates threat intelligence information with broader environmental behavior to deliver maximum security and operational insight. Our solution immediately baselines and profiles every device and its behavior, including process variables, to quickly pinpoint abnormal activities.
