One of the main challenges of OT security is heterogeneity. OT components often differ significantly from each other in age and sophistication as well as in software and communication protocols.
This complicates asset discovery and makes it difficult to establish a consistent cybersecurity governance approach. Combating asset blindness in OT security begins with taking account of these differences.
The two standard asset visibility models, active and passive, each have well-known drawbacks: active monitoring queries devices directly and can overload fragile controllers with traffic they were never designed to handle, while passive monitoring only learns from traffic that crosses the monitored network segments, so assembling a comprehensive inventory is slower. These disadvantages can be mitigated by a balanced approach that maximizes visibility without sacrificing operational productivity.
Eliminating Information Silos
Asset blind spots are rooted in siloed information. This may mean incomplete or inaccurate data about assets and infrastructure, or simply a lack of awareness between teams, such as IT and OT security. Different teams and individuals focus on their own priorities and objectives, and no one has the whole picture.
The pandemic highlighted how fragmented IT and OT teams had become. Unlike IT, where solutions are highly standardized, the OT landscape can fairly be described as chaotic, which makes efficient collaboration between the two teams nearly impossible.
According to Fortinet's report, most OT leaders were caught unprepared by the pandemic and had to implement budget-stretching changes in very little time, such as purchasing additional equipment to support work-from-home connectivity and to improve secure remote access.
Treating IT as a separate entity from plant operations contributes to asset management problems. This creates "blind" areas where assets remain unprotected and where data is not shared between IT and OT teams.
If the pandemic brought any advantage to cybersecurity, it was that it forced organizations to adopt more mature security practices, increasing collaboration between IT and OT departments.
Addressing asset blindness requires collaboration between security teams and their counterparts in IT and operations. Teams must work together to identify, analyze, and mitigate the risks associated with blind spots in their systems. Making security operations interoperable across teams is a practical way to reduce risk and increase resilience.
By working together from the outset, teams can build a holistic view of each asset, including its inner workings and the infrastructure around it, which lets them identify vulnerabilities more efficiently and mitigate them as needed.
A Balanced Monitoring Approach
When organizations consider deploying an OT security solution, they often frame the decision as "active vs. passive" monitoring. The difficulty is that industrial systems are controlled by many different kinds of devices, which makes it hard to protect every type of equipment against digital attack.
This includes legacy industrial control devices. Not originally designed with computer security in mind, these assets still have to be brought up to current standards of protection against attackers, often through compensating controls such as network segmentation when the device itself cannot be patched.
It is time to move beyond this dichotomy. The better question is how OT security professionals can combine proactive and reactive measures: getting ahead of attacks before they affect production systems, mitigating risk as soon as an attack does occur, and maintaining an environment that actively detects potential threats so they can be contained before they become full-blown incidents.
With integrated detection technologies, organizations can monitor for malicious activity in real time and gain a detailed understanding of user behavior, network and endpoint activity, configurations, and software usage.
Integrated Visibility Solution
Although most enterprises have moved to centralized visibility platforms for IT and business processes, the same is not true for OT. This leaves security teams without the tools and information they need to monitor, analyze, and detect threats on OT systems.
According to Fortinet's 2021 State of Operational Technology report, only top-tier organizations are likely to have 100% visibility into OT activities; for most companies, visibility hovers around 75%. As any cybersecurity professional can attest, even 1% of activity left unmonitored can be enough to undermine the entire security architecture.
Thus, the most effective way to combat asset blindness in OT security is a unified platform that shows all of your assets in a single pane of glass. This is only possible through an integrated approach that combines data from disparate sources: plant-floor devices, SCADA/HMI systems, PLCs and other sensors, IT systems, and existing security solutions.
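The following Python script is an added example, not code from the article or from Tripwire, of what "combining data from disparate sources" looks like in practice, and of the balanced monitoring approach discussed earlier in the piece. It merges three constructed inventories (a passive network sensor, a CMDB export, and an existing IT vulnerability scanner) into one view, records which source vouches for each fact, and then flags the two classic blind spots: devices talking on the wire that nobody has documented, and documented devices that no live source has ever observed. It also picks which incomplete records may be completed by an active query, but only where the owner has explicitly marked the device as tolerant of polling. Every source name, field name, IP address and record below is an assumption made for the example.

```python
"""Reconcile OT asset records from several sources into one inventory and flag
blind spots.  Added example for this article, not Tripwire code; all source names,
field names and records are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample records.  Each source sees only part of the same plant segment.
PASSIVE_SENSOR = [  # SPAN-port sensor: learns only from traffic that crosses it
    {"ip": "10.10.1.5", "mac": "00:1d:9c:aa:01:05", "proto": "modbus", "vendor": "Rockwell"},
    {"ip": "10.10.1.9", "mac": "00:1d:9c:aa:01:09", "proto": "s7comm", "vendor": None},
    {"ip": "10.10.1.20", "mac": "00:50:56:bb:02:14", "proto": "https", "vendor": None},
]
CMDB_EXPORT = [  # what the IT/OT configuration database believes is installed
    {"ip": "10.10.1.5", "name": "PLC-LINE1", "owner": "OT", "safe_to_poll": False},
    {"ip": "10.10.1.20", "name": "HMI-LINE1", "owner": "OT", "safe_to_poll": True},
    {"ip": "10.10.1.30", "name": "HIST-01", "owner": "IT", "safe_to_poll": True},
    {"ip": "10.10.1.40", "name": "RTU-PUMP2", "owner": "OT", "safe_to_poll": False},
]
IT_SCANNER = [  # existing IT vulnerability scanner: active, so it only covers IT-style hosts
    {"ip": "10.10.1.20", "os": "Windows Server 2016", "open_ports": [443, 3389]},
    {"ip": "10.10.1.30", "os": "Windows Server 2019", "open_ports": [443, 1433]},
]
LIVE_SOURCES = {"passive", "scanner"}  # sources that prove a device is actually present


@dataclass
class Asset:
    ip: str
    seen_by: Set[str] = field(default_factory=set)
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Report:
    unknown_on_wire: List[str]    # observed talking, but nobody owns or has named it
    missing_from_wire: List[str]  # in the CMDB, never observed by any live source
    probe_candidates: List[str]   # incomplete records the owner has marked safe to poll
    coverage: float               # share of known assets confirmed by a live source


def merge(sources: Dict[str, List[dict]]) -> Dict[str, Asset]:
    """Merge records keyed by IP and remember which source contributed each fact."""
    inventory: Dict[str, Asset] = {}
    for source, records in sources.items():
        for rec in records:
            asset = inventory.setdefault(rec["ip"], Asset(rec["ip"]))
            asset.seen_by.add(source)
            for key, value in rec.items():
                if key != "ip" and value is not None:
                    asset.attrs.setdefault(key, value)  # earlier source wins, later ones fill gaps
    return inventory


def classify(inventory: Dict[str, Asset]) -> Report:
    """Turn the merged view into the blind-spot lists and a coverage figure."""
    unknown, missing, probe = [], [], []
    for ip, asset in sorted(inventory.items()):
        if "passive" in asset.seen_by and "cmdb" not in asset.seen_by:
            unknown.append(ip)
        if "cmdb" in asset.seen_by and not (asset.seen_by & LIVE_SOURCES):
            missing.append(ip)
        incomplete = "vendor" not in asset.attrs or "os" not in asset.attrs
        # Balanced approach: active queries only for devices an owner has explicitly
        # marked tolerant; unknown or fragile controllers are investigated, not polled.
        if incomplete and asset.attrs.get("safe_to_poll") is True:
            probe.append(ip)
    live = sum(1 for a in inventory.values() if a.seen_by & LIVE_SOURCES)
    return Report(unknown, missing, probe, live / len(inventory) if inventory else 0.0)


def build_report() -> Report:
    inventory = merge({"passive": PASSIVE_SENSOR, "cmdb": CMDB_EXPORT, "scanner": IT_SCANNER})
    return classify(inventory)


if __name__ == "__main__":
    report = build_report()
    print(f"Unknown on the wire (no owner):         {report.unknown_on_wire}")
    print(f"Documented but never observed:          {report.missing_from_wire}")
    print(f"Safe to query actively for more detail: {report.probe_candidates}")
    print(f"Live-confirmed coverage:                {report.coverage:.0%}")
```

On the constructed data the unknown S7 talker (10.10.1.9) is reported for investigation rather than probed, because no owner has vouched that it tolerates polling, and the PLC (10.10.1.5) is never added to the active-query list even though its record is incomplete. Keying on IP is a simplification; a production version would key on MAC or a vendor serial as well, since OT addresses are frequently reused.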
Adopting a zero-trust approach, even for OT assets, helps you set the proper security priorities and make better decisions about how best to allocate limited resources toward protecting your infrastructure and assets.
Conclusion
To combat asset blindness, we need to step back from the white noise of alerts and investigations and ask which assets and data pose the most significant risk to the organization.
In the end, asset discovery should enable a broader understanding of OT cybersecurity requirements. Cybersecurity policy must keep these assets in mind, and asset identification is necessary for any organization that wants to create consistent cyber defense policies.
Yet even though asset discovery can serve as an audit trail for cybersecurity events, helping to determine what transpired during an attack on a production process, it cannot replace more in-depth analysis and external security audits; those engagements help organizations identify specific vulnerabilities and prioritize corrective actions by risk level.
One of the best ways to combat asset blindness in OT cybersecurity is to develop a comprehensive vulnerability management program. Here, IT and OT security personnel work together to gather and analyze data from all sources to identify vulnerabilities, which can then be prioritized for future mitigation. Learn how Tripwire can help your organization create a vulnerability management program today.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.