Challenges of protecting operational technology
Most of today’s OT networks consist of legacy equipment originally designed to be perimeter protected (“air gapped”) from unsecure networks. Over time, however, much of it has become connected to IT networks. Most security efforts to protect OT involve network-based controls such as firewalls that allow data to leave the OT network for analysis, but do not allow data or signals to enter it. Although important, these perimeter controls are ineffective against attacks originating from within the OT network, such as malware on removable devices. Additionally, malware has been discovered that exploits vulnerabilities in VPNs (virtual private networks) and network-device software.
Many traditional security tools cannot be applied to the OT environment. In some cases, these tools can harm the sensitive devices that control plant equipment. Even merely scanning these devices for vulnerabilities has led to major process disruptions. Applying security patches (updates) to address known vulnerabilities in high-availability systems presents yet another operational risk, as few sites have representative backup systems on which to test the patches. Because of these risks of disruption, operational-unit leaders are hesitant to allow changes in their OT environment. This requires security teams to implement workarounds that are far less effective in managing risk. Adding even more risk and complexity are newer technologies such as industrial IoT devices, cloud services, mobile industrial devices, and wireless networking.
Many traditional security tools cannot be applied to the operational technology environment.
Beyond technology is the human factor, as many industries face a shortage in cybersecurity skills. The problem is worse for heavy industrials, which need to staff both IT and OT security teams, and to attract talent to remote operational locations. In a 2017 report on the global information-security workforce, the cybersecurity professional organization (ISC)2 predicted that the gap between qualified IT professionals and unfilled positions will grow to 1.8 million by 2022. OT security expertise is even more specialized and difficult to acquire, making it particularly expensive to staff.
Exposure to third-party risk
Compared with IT, the OT environment is highly customized, as it supports a process specific to a given operation. The proprietary nature of OT equipment means that companies rely on the OEM to maintain it and make changes. This equipment is often a “black box” to its owner, who has no visibility into security features or levels of vulnerability. Furthermore, companies are increasingly outsourcing maintenance and operation of OT, or adopting build-operate-transfer contracts. These types of relationships require third parties to gain physical access to OT networks. Where remote maintenance is required, the owner needs to establish connections to the OEM networks. These remote connections are mostly unsupervised by the owner organizations, introducing a blind spot. Several heavy industrials have reported that third parties frequently connect laptops and removable storage devices directly into the OT network without any prior cybersecurity checks, despite the obvious dangers of infection.
Vendor assessments and contracts for OEMs often fail to include a cybersecurity review. This failure prevents companies from enforcing security standards without renegotiating contracts. Where they do conduct precontract security assessments, results are rarely pursued. OEM vendors that do have security features in their products report that operational buyers rarely want them. In some cases, even if security features are included by default, or at no additional cost, the buyer does not use them.
Considering the complexity of these challenges, companies in heavy industrial sectors have been slow to invest in cybersecurity programs that span both IT and OT, especially when compared with manufacturing and pharmaceutical companies. The only exception is the US electricity production and distribution grid, acting in response to emerging regulation in this sector. The good news is that solutions for heavy industrials are becoming more sophisticated. Several incumbent OEM providers, and a growing number of start-ups, have developed new approaches and technologies focused on protecting the OT environment.
Leaders that deploy these solutions must first carefully consider the unique challenges and process requirements they face. They can then combine the solutions with appropriate operational changes. Below we describe the challenges they will have to address along the way and the investments that will be needed, both internally and through OEMs and start-ups, to achieve cyber maturity.
Integrate cybersecurity earlier, across OT and IT
As companies undergo digital transformation, leaders are integrating cybersecurity earlier, in both the OT and IT environments. If heavy industrials are to manage risk and avoid security-driven delays during their digital transformations, they will need to embed security earlier in the process, with investments in developer training and oversight. At the same time, these companies should expect increased convergence between their OT and IT systems. Therefore, their investments in cybersecurity transformation programs should span both, while they more deeply integrate their security functions into both the OT and IT ecosystems.
One way to accomplish this is to create an integrated security operations center that covers both OT and IT, housing detailed escalation protocols and incident response plans for OT-related attack scenarios. An example comes from Shell, which is working with some of its IT networking providers and some OT OEMs to develop a unified security-management solution for plant-control systems across 50 plants.5 Solutions like these enable centralized asset management, security monitoring, and compliance, dynamically and in real time.
Improving governance and accountability for security across IT and OT
The decentralized nature of heavy industries makes it particularly vital that they integrate security into all technology-related decisions across IT and OT, and deep into different functions and business units. This integration will become even more important as they become digital enterprises. Accomplishing this will require new governance models.
For instance, mature heavy industrials have established architecture-review committees to vet new technologies introduced into the IT or OT environments, and changes to existing technologies. Emerging as a second line of defense are teams that do information risk management (IRM), including strategy, compliance, and reporting. Additionally, some companies have enlisted their internal audit function as a truly independent third line of defense.
But few have reached such a level of maturity. A look at four typical approaches to IT and OT security reveals that only one approach integrates security under a chief security officer (CSO) aligned with the risk function. In the first three, accountabilities are insufficiently defined. But in the fourth approach, the CSO role spans both IT and OT. The CSO reports directly to the COO, thus protecting security from IT cost cutting, and preventing security from being sidestepped by IT programs.
In this optimal approach, the CSO sets policy, creates standards, and works with process engineers to create security architectures that incorporate operational specifics. In an ideal scenario, deployment and operation of OT security resides in plant-level functions, staffed with OT experts who are cross-skilled in security. However, this separation between policy setting and deployment can lead to misunderstandings, perhaps allowing some risks to fall through the cracks. Companies can mitigate this by creating local security-review task forces, including tenured business-unit security officers who represent the security organization regionally or locally. Metrics and reporting structures can be managed by a company-wide cyber governance committee that reports into the board.
Emerging technical solutions
To overcome difficulties in OT security, consider emerging technical solutions. Several providers focused on protecting the OT environment are bringing new capabilities to tackle issues. Although several proofs of concept have resulted in successful, large-scale deployments, the technology is still evolving quickly. As companies compete to differentiate their solutions, winners have yet to emerge. Here, however, are some solutions to consider:
- Firewalls to limit attackers’ ability to move across the network after one section is compromised. Enhancements in controls at the gateway between the OT and IT networks enable companies to inspect the traffic traversing that gateway. They also automate a system’s ability to execute policy changes and block newly identified threats. Best practice also calls for placing critical assets and systems in separate zones to limit the impact from a compromise; for example, a fail-safe system in a separate zone from the SCADA. Incumbent firewall providers are tailoring their solutions for OT.
- Unified identity and access management. These tools allow the company to centralize adding, changing, and removing user access to OT systems and devices. This is linked to the organization’s identity-management system, providing robust authentication. This approach, pervasive in IT, has been adopted as a standard in OT environments in the US electricity sector. It reduces the risk of attack by limiting “super-user” accounts. It allows the company to trace who has access to critical assets, and it helps identify sources of attack. It also has safety applications; a Chinese power plant, for instance, uses it to allow security administrators to remotely close facility doors for improved safety management.
- Asset inventory and device authorization. These tools help keep companies aware of all devices connected to their OT network. They can identify vulnerabilities in specific devices based on the device type, manufacturer, and version. They are also used for controlling authorizations of devices and communications. In addition to security applications, these tools can optimize efficiency and identify faults in connected devices.
- OT network monitoring and anomaly detection. A plethora of passive OT network monitoring tools have emerged that monitor traffic in a noninvasive way. These tools use machine-learning algorithms to identify and alert known threats and anomalies.
- Decoys to deceive attackers. These relatively new IT tools, tailored for OT environments, create asset and user-credential decoys and fictitious OT devices, including SCADAs, to throw off attackers.
While all these tools are useful, the organizational issues mentioned above have thus far inhibited their adoption. For one thing, security buyers have little or no influence over the OT environment. Incumbent OT OEMs, who own the relationship with the operational decision makers, have made some plays directly, and through partnerships in some verticals. However, low cyber awareness among the decision makers has thus far limited the number of such deals.
Third-party risk management
Cost and timing sometimes interfere with a company’s responsibility to assess vendor security compliance, both before the contract and on a regular basis. Sector-specific collaboration groups such as information sharing and analysis centers (ISACs) have become important in reducing these costs. For instance, the health ISAC, which includes pharmaceutical and medical-device manufacturers with large OT contingents, has implemented a tool that automates evidence collection and sector-specific risk assessments, to measure third-party vendors for security and data risk. This ISAC has also created a standardized vendor repository for evidence collected by others.
Enablers to drive progress
Given the investment required to achieve digital resilience, and the increasing calls from business executives to get there, we have identified some important enabling factors that will help drive progress. These include increased cybersecurity regulation (by industry groups or government), higher and smarter investments in digital resilience programs, and greater industry-level collaboration.
Evolving cybersecurity regulations
Among heavy industries, cybersecurity regulation is now quite limited. One potential model is emerging in the United States. An electrical-industry agency, the North American Electric Reliability Corporation (NERC), is empowered in federal law to set standards known as Critical Infrastructure Protection (CIP). These standards regulate technical and procedural controls. NERC issued 12 penalties in 2017, totaling over $1.7 million, and stepped up its work in 2018, issuing millions of dollars in penalties that year. One serious violation resulted in a penalty of $2.7 million against an electric utility for data exposure by a vendor. Existing and emerging EU and UK regulations for critical infrastructure are a first step to creating consistency at an industry-wide level. However, most heavy industrial companies are struggling to develop their own standards for IT and OT security, patching them together from numerous industry standards. As attacks on critical infrastructure continue, more regulation in this sector is likely to follow, either from industry, government, or both. This will bring a much-needed mandate for CISOs and CSOs to take action, and create a clearer path to setting consistent standards across industries.
Higher and smarter investment in cybersecurity programs
The average electrical-energy company spends just 4.9 percent of its IT budget on security, with mining coming in at 5.4 percent. This is compared with an all-industries average of 6.2 percent and financial services at 7.8 percent.
Cybersecurity spending benchmarks are not the only factor to consider when deciding on what investment is required for a particular company. At the early stages of a cybersecurity transformation, program costs may spike before the company can reach a steady state. Spending mix is another important factor to consider. Companies at lower maturity levels tend to spend most of their cyber budget on compliance-driven, reactive activities. This mix changes substantially as companies mature, spending far more on forward-looking, proactive activities such as threat intelligence, hunting, and deception. Companies that conduct a comprehensive assessment of their current cyber maturity and sources of vulnerability can drive smarter long-term spending.
Greater industry-wide collaboration
Knowledge-sharing initiatives have started to emerge across heavy industrial sectors, but much more can be done. Some good examples come from ISACs and other regional and sector-specific groups, which have supported rapid maturity building through information sharing, resource pooling (such as shared vendor assessments), and capability building (such as cross-sector crisis simulations). Although a few ISACs exist for heavy industrials, companies have much more to do to establish the high levels of collaboration and value seen in other sectors. Being part of a digitized, connected economy, organizations can be successful only if they apply the power of cooperation within and across sectors. Other industries such as financial services, insurance, and healthcare have built robust networks of security professionals, using roundtables and other collaborations to address common threats and build a more secure industry for all.
Finally, it is worth noting that neither spending nor regulatory compliance are reliable indicators of digital resilience. Using the frameworks and tools we have identified in this article, companies can build that resilience by consistently applying a risk-based approach—identifying their critical assets and applying controls appropriately based on risk levels. This can then help them create cyber transformation programs that buy down risk to tolerable levels and prioritize the activities that address the most risk per dollar spent.
As senior leaders set the stage for cyber transformation, they must ensure collaboration and buy-in from both security and risk professionals and the businesses. With such cooperation, companies will be truly able to transform cybersecurity, helping keep them out of harm’s way in a digital world.