Accelerating OT security for rapid risk reduction

It’s fair to say that events like these are probably just the tip of the iceberg. Whether the motive is financial - installing ransomware to extort large payments - or whether it’s simply to cause disruption and danger to the performance and safety of critical infrastructure, we can expect to see more of this threat to industrial businesses in the future.

Certainly, attackers are becoming more professionalized and organized – and have the tools at their disposal to reach OT systems. IT malware and some OT malware are easily available on the dark web that can enable a hacker to get through the ‘front door’ and into an organization’s systems. With the right skills and knowledge, attackers can then apply other malware to move laterally and reach the OT environment. Attackers will be doing their due diligence too – researching what software an organization’s industrial control systems (ICS) run on and assessing what malware they may be susceptible to. In our experience, some software commonly used to run ICS have potentially severe vulnerabilities.

Against this backdrop, hardening OT security should be an absolute priority. And it is something that must be addressed at pace – cyber attackers won’t wait to give organizations a decent chance to prepare first!

It is also an imperative because OT is increasingly being converged with IT as new technologies are introduced to realize efficiencies, productivity gains and smarter operations. Whereas going back a decade or so, OT was segregated and inaccessible, now it is being connected to other systems. Standalone, non-connected OT simply doesn’t meet today’s performance and other needs. One analogy would be to the financial services industry: 10-15 years ago, banks’ mainframe systems were locked away, but they have had to re-engineer and digitize them to meet various modern needs including Open Banking and regulations such as PSD2, requiring new security protocols and protections.

 Now, the convergence of OT and IT means that organizations must bridge the gap between the two environments’ people, processes and systems to build a smarter, more secure network with high visibility to monitor and control both environments.

This brings us to an important point: to what extent is it useful anymore to distinguish OT from IT? As the two domains get closer to each other, a lot of OT is IT. After all, 80% of industrial plants have more servers and IT than an average bank. It is perhaps more useful – and will likely become more necessary in the future as operations become ever more digital – to think simply in terms of technology. Whether you look at OT or at IT, it’s technology that they both come down to. The choice to keep them as separate environments will increasingly diminish.

This blending is becoming more visible in some interesting ways, such as the rise across industrial organizations of the Chief Technology Officer (CTO). In many senses this is still an emerging role – the responsibilities of a CTO vary from business to business in our experience. But as Boards place an ever-higher priority on digital transformation, it is CTOs to whom they are often looking to lead the change, comprising both IT and OT. The Chief Information Security Officer (CISO) remains a key role for security, and as OT security becomes a priority, it is extending to cover that too. In some ways, the CISO is moving from protecting IT (usually, the domain of the CIO) to protecting all the organization’s technology (the domain of the CTO). Alternatively, some businesses have a specific OT CISO who reports into the overall CISO. The patterns vary – it’s a developing picture – and it will be fascinating to see the direction of travel as this plays out.

Whatever the case, clearly an essential component of securing OT is to have a top-down governance framework setting out roles, responsibilities and reporting lines, while not deferring a bottom-up detection and defense mechanism implementation. The definition of OT can be very broad, and it is found right across an organization’s operations meaning that usually there is no single person with responsibility for all of it. So, coordinating efforts to address OT security is essential. This requires a clear governance structure and operating model. A strong mandate from the very top of the business is also a pre-requisite, to drive OT security as a strategic priority. That said, a bottom-up detection and defense approach must proceed almost in parallel, since threat actors won’t wait until a governance framework is set. While the governance and operating model is instrumented, detection technologies (ideally, integrated into a security operations Cerisano (SOC)) should be implemented, response playbooks for common scenarios must be defined (e.g., ransomware) and basic cyber-hygiene measures should be taken care of.

Mature governance and operating model structures are geared towards delivering sustainable improvements over the longer term, helping also to future proof the organization as new technologies (and threats) emerge. But it’s a simple fact that while organizations appreciate the value and importance of these top-down structural approaches, at the same time what we almost always get asked is: “What can I plug in today to make an immediate difference? What can I do to rapidly deliver OT risk reduction?”

These are valid questions – and they point to the fact that there are a number of bottom-up measures that can be taken alongside the top-down framework to make a fast and significant difference.

In many ways, it’s a simple case of not reinventing the wheel: import best practices from IT security into OT (just as IT can import best practice from OT in other ways such as safety consciousness). So, there are three immediate areas that should be assessed and addressed:

• Endpoint protection of OT assets
• Perimeter firewalls around OT assets
• Network segmentation, within OT and between OT/IT

Alongside this, organizations should implement OT network visibility in the early stages of their OT security journey. There are a number of technologies that allow monitoring of the OT network for either known threats or suspicious behavior. Ideally, these technologies should be integrated into the organization’s existing monitoring and response framework (which typically would include a SOC and computer security incident response team).

Additionally, organizations need to strive for integrated asset management, at least for the most critical assets. Most businesses have a wide number of assets and several asset management systems, from IT’s configuration management database to specific asset management systems the OT areas may have. The ability to manage these assets means firstly getting and then maintaining visibility of them – so this should be a priority. There are a number of tools available in the market that can instill asset visibility.

To understand the current state and then implement controls and processes that can make a speedy difference, we recommend asking yourself these eight questions:

1 Have you identified the cyber-related risks to which your control network is exposed and are you actively working to mitigate them?

An OT security risk assessment and cyber maturity assessment can provide you with a high-level view of what needs to be addressed at both the technical and governance levels.

2 Does an up-to-date inventory of your control network exist?

It’s vital to know what needs protection within your production environment. Many commercial solutions for automatic asset detection are available which combine discovery and threat-detection capabilities.

3 What is the integration level between OT and the corporate network?

Ransomware commonly spreads through the network it attacks. Segmentation can limit its movement such as from the corporate network into OT and vice versa. Industrial intrusion detection systems (IDS) tools have features that can help with the modeling of a segregated network.

4 How is remote access to the network managed?

Secure remote access is a vital topic when it comes to maintaining and repairing assets from a distance, especially in the COVID and post-COVID world. Common remote access types include Remote Desktop Protocol (RDP) and virtual private network (VPN). Secure remote access software is now commonly available on the market and should be considered.

5 Is a solid back-up mechanism in place and consistently tested for security?

If OT assets are infiltrated, the only options may be to either pay whatever ransom is being requested (and, increasingly, it is becoming more common for organizations to take out ransomware insurance) or to restore a backup. Backups can be complex and the medium where they are stored is critical to prevent them becoming infected with malware too.

6 What methods are used to apply security patches?

Patch management is essential – and can be difficult if an asset is in use 24/7. Critical assets must be regularly updated. However, for assets with low criticality, it may be possible to apply a patch in the next scheduled maintenance interval.

7 What are your current anti-malware solutions?

Early detection is crucial – such as through IDS tools. Detection tools should be connected to a Security Incident and Event Management (SIEM) system which should log multiple sources including firewalls, assets and remote access tools so that it can alert teams to a possible attack.

8 Do you have a zero trust mindset?

Many organizations consider OT to be a walled garden from IT, and anything behind that wall is trusted. This model has proven to be flawed - we can go back as far as the Stuxnet attack of 2010 when a truly air-gapped system was breached through a compromised vendor. Instead, organizations need to start adopting a zero trust mindset and architecture that doesn't assume anything about trust levels, but entails gathering additional context within the network traffic and then making decisions on what to allow or deny based on this information. While having its roots in IT, zero trust can be adapted for OT.

Once a solid security foundation is in place, there is also a role for AI technologies to play. A robust security posture calls for “shifting security to the left”, that is, expanding preventative and detection capabilities, averting threats before they become damaging incidents. This requires asset identification and characterization, early-stage threat detection – and, where appropriate, autonomous response. AI technologies have been developed that can provide a way for organizations to increase these capabilities with layered applications of machine learning.

By passively observing and dynamically understanding the contextual behavior of all assets, self-learning AI provides a continually updated asset inventory that allows organizations to gain full visibility into their IT, OT and IT-OT converged environments. Further, self-learning AI’s understanding of the nuances that underpin unusual behavior allows it to identify threatening activity at its earliest stages, presenting the threats to be dealt with before they can escalate into a crisis.

Accelerating responses through machine learning is also of particular use when defending against ransomware. Companies must take decisive action in the moment to halt the propagation – and machine learning enables them to assess the threat faster.

For ransomware threatening industrial environments, self-learning AI’s abilities to respond autonomously – mathematically calculating the most precise way to neutralize a threat without affecting normal operations – is particularly valuable, as it can disrupt threats in IT long before they have the chance to spread into OT systems.

This brings us back again to the question of the boundaries between IT and OT – in many senses the challenge for organizations is to keep prudent security segregations between the two while at the same operationally converging them.

Key to the success of this balancing act is people. Both functions should learn from each other as they come closer together.

For example, one of the hallmarks that is absolutely baked into people working within OT environments is the safety and challenge culture. These attitudes should be adopted within IT. Now that their work is more directly integrated with manufacturing or production systems – and the humans physically operating them – IT administrators need to recognize the elevated stakes associated with cybersecurity. The resulting cultural change within IT should better prepare IT processes and workflows for convergence.

On the other hand, OT processes and workflows should be adapted to fit a more regular schedule of updates. This approach is necessary to support cybersecurity in a converged environment that contains more connected devices and potential vulnerabilities. IT administrators are acquainted with this approach and their expertise should be utilized when designing new OT processes, systems and capabilities to support convergence.

In short, there are things that people in each team can take from each other and teach each other. Creating a common culture and sense of team – underlining the fact that everyone ultimately shares the same objectives – is key to success. There is often a lack of collaboration between IT and OT teams, which leads to weak, uncoordinated security programs, as well as poor funding and low risk awareness. This needs to be overcome through a collaborative mindset that recognizes today’s increasing convergence of technology and operations.

At the same time, there may be scope to combine teams or aspects of teams for greater clarity and simplicity. For example, there may be teams managing firewalls on both sides of the OT/IT fence – removing duplication of effort here makes business sense and could also produce cost savings.

It may be some way off in the future, but as tasks are increasingly carried out remotely – even by OT staff who no longer need to be physically on-site for routine activities – it would not be surprising if, eventually, IT and OT teams became one. Just as the disciplines of IT and OT themselves may become subsumed into the one concept of technology.

Managing OT in today’s aggressive cyberattack environment is challenging. It demands rapid action to reduce the risks faced and find approaches that recognize OT’s increasing convergence with IT.

But it can be done – and here are some priority tips to check against to measure your progress.

Take best practices from IT – Take the processes that are common in the IT environment and apply them to OT. For example, patch management can be carried across – it’s not something that has to be reinvented.

Consolidate and combine – Reduce the number of products and asset management approaches in use where you can. Simplifying makes the task more manageable. Combine groups across OT and IT where they are carrying out the same tasks where appropriate too. Of course, you need to make sure you are not harming service quality and standards when doing so.

Think strategically – but also like an attacker – Focus on your long-term program but don’t lose sight of the here and now. What are your most valuable OT assets in a cyber criminal’s eyes and how are they likely to try to reach them?

Don’t ‘boil the ocean’ – Focus on your priority assets and protect those. If half of your asset base is already behind a segregated network, focus on the other half. Don’t create solutions for things that are already up to standard – concentrate on vulnerabilities and threats.

KPMG firms have extensive experience of helping oil & gas and industrial organizations rapidly reduce the risks in their OT. We can advise on and implement industry best practices, effective standardization and available market solutions. Through our wide range of industry relationships and work, we ‘speak both languages’ – fluent in both OT and IT! We can help you bridge the gap between the two as well as create engagement at all levels of the organization – from the boardroom to the operational control room.

We’d be delighted to talk to you about any aspect of accelerating your OT – keeping it modernized, secure and safe, and making it fit both for the present and the future.