For many organizations, the thought of tackling cyber security for their operations is daunting. If you can think of it as a journey, you can break up the challenge into manageable pieces. In continuing our "Ask the Expert" cyber security series, we turned to our own Scott Christensen, technology leader and cyber security evangelist, to get started down the path toward improved OT cyber security.
We asked Scott for his views on the three biggest OT cyber security challenges, as well as best-practice strategies for managing them.
Managing OT Cyber Security Challenges
The first thing to know, and the largest challenge organizations must overcome, is instilling the mindset that executing a cyber security strategy is a journey. And like any good road trip, you need a clear map to understand where you are and where you want to go. Organizations that want to introduce cyber security into their OT environments often ask, “Where do I start?” It’s the right question, but the answer depends on where you are and what you want to achieve. Is the goal compliance with a regulatory standard? Is it instituting international best practices?
I often recommend clients conduct some level of internal organizational assessment to understand what their current OT environment looks like. The problem is most organizations don’t have the skills or resources to handle this in-house. GE Digital is among the cyber security leaders seeking to address this in-house resource gap, offering several potential assessment options, including a Site Security Health Check, a Site Security Assessment, and a Gap Assessment.
The Site Security Health Check is exactly that: a high-level review of the health of a company’s OT environment, with the goal of identifying some of the more obvious OT cyber security risks. Based on the results, GE Digital's Cyber Security offering is better able to determine to what extent there is a need for a more comprehensive Site Security Assessment, which typically involves a custom-scoped cyber vulnerability assessment to more fully discern possible cyber security threat vectors and to develop a plan for company-wide remediation efforts.
Another offering is our Gap Assessment, where we take a specific standard—IEC 62443-2-4 or ISO 27000—and look to see where an organization may be falling short of these standards.
The next challenge to consider, and the biggest resistance I’ve witnessed to starting cyber in OT, surrounds the possible impact to production. For example, a utility company can’t take power offline to deploy an OT cyber security solution. Or if you’re a manufacturer whose revenue is based on the number of units produced daily, any kind of disruption—whether from an attack or the deployment of a new tool—is not acceptable. Industrial companies need methods that work within the expectation of 24x7 production.
So, what’s an operator or security lead to do to bring cyber security into an OT environment?
Three words: Deploy without disruption.
Or, at least, seek to minimize disruption. Look for tools that add visibility without causing disruption, and then use that new insight to learn how to build and adjust policies and procedures for better security.
For example, one reason our OpShield cyber security solutions have resonated with the market is that they can be deployed with minimal disruption. As a purpose-built security solution for industrial and process control environments, OpShield is an easy-to-install appliance that can be deployed in two different modes. In tap mode, system operators can simply plug into a switched port analyzer (SPAN) port to mirror traffic and get a first look into OT. No rewiring, no reconfiguring, no need to change anything—but it delivers a look at what’s actually happening on your network, as well as in process and production environments, without affecting production.
Tap mode provides teams with the opportunity to schedule a transition to in-line mode when the time is right. You have the flexibility to wait for a window where production is pre-planned to be offline. And because these windows sometimes only come around once a year, tap mode allows you to not lose visibility during that time, while also not requiring a special window just to deploy.
The third biggest challenge I’ve seen concerns how to use other parts of an organization’s infrastructure with new data. When deploying a new tool, many organizations want to avoid having another management console that is separate from the consoles managing their other security solutions.
To help address this problem, as a best practice from a defense-in-depth standpoint, consider deploying a solution that provides simple, supplemental capabilities that other tools don’t offer. It should easily integrate, complement, and augment existing tools and investments. It shouldn’t add complexity, and it doesn’t need to be a rip and replace.
GE Digital's OpShield solution seeks to achieve these goals by offering straightforward integration with SIEMs, other log aggregator tools, and more. When installed and used as recommended by GE Digital, OpShield allows teams to leverage the tools they’ve already invested in to manage potential OT cyber security incidents. From a log aggregator perspective, OpShield can provide additional data points that teams normally wouldn’t have visibility into. From a firewall standpoint, OpShield gives users the capability to monitor communications and protocols that traditional firewalls don’t—such as Profibus, Modbus, or DNP3—the protocols that machines speak.
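As an added illustration of the passive, protocol-aware visibility described for tap mode above and for Modbus here (example code written for this article, not OpShield or any GE Digital code), the snippet below decodes Modbus/TCP frames as they would arrive from a SPAN mirror, classifies read versus write function codes, and emits SIEM-style events that flag writes from hosts outside a constructed allow-list. The frames, IP addresses and allow-list are all constructed sample values, and nothing is blocked, since a tap only sees a copy of the traffic.

```python
import struct

# Modbus public function codes that change device state (writes) vs. reads.
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}
READ_FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs",
                  3: "read_holding_registers", 4: "read_input_registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the PDU function code.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP: protocol id {proto}")
    if length != len(frame) - 6:   # length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    fc = frame[7]
    base_fc = fc & 0x7F            # bit 7 set marks an exception response
    if base_fc in WRITE_FUNCTIONS:
        kind, name = "write", WRITE_FUNCTIONS[base_fc]
    elif base_fc in READ_FUNCTIONS:
        kind, name = "read", READ_FUNCTIONS[base_fc]
    else:
        kind, name = "other", f"function_{base_fc}"
    return {"transaction_id": tid, "unit_id": unit, "function_code": base_fc,
            "function": name, "kind": kind, "exception": bool(fc & 0x80)}

def passive_events(frames, allowed_writers=frozenset()):
    """Turn (src_ip, frame) pairs into SIEM-style events. Writes from hosts not
    on the allow-list are flagged for the log aggregator; nothing is blocked."""
    events = []
    for src, frame in frames:
        ev = parse_modbus_tcp(frame)
        ev["src"] = src
        ev["alert"] = ev["kind"] == "write" and src not in allowed_writers
        events.append(ev)
    return events

# Constructed sample frames (hypothetical hosts, no real capture):
SAMPLE = [
    ("10.0.0.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # read 10 holding regs
    ("10.0.0.5",  bytes.fromhex("0002 0000 0006 01 06 0010 0001")),  # write register 16 := 1
    ("10.0.0.99", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),  # write from unlisted host
    ("10.0.0.1",  bytes.fromhex("0001 0000 0003 01 83 02")),         # exception response to a read
]

if __name__ == "__main__":
    for ev in passive_events(SAMPLE, allowed_writers={"10.0.0.5"}):
        print(ev)
```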
That’s it in a nutshell. To recap, here’s an easy acronym to remember: KDC – Know your environment, don’t disrupt your environment, and complement your security environment. OK, maybe not easy to remember, but hopefully helpful nonetheless.