Protecting Operational Technology (OT) from growing cyberthreats is a fast-growing problem as companies continue to adopt digital technologies that integrate factory floors and production lines with the business. The benefits of convergence are clear, providing greater efficiency and data-driven insights into every corner of a company, but the threats must be mitigated to realise them.
In the previous blog, I looked at how cultural as well as technical challenges divide the two camps. This is why the starting point for our OT Threat Management Service is to bring both sides together to workshop the issues, ideally off-site where more frank and open conversations will give each camp a better understanding of the other’s world.
Shared goals can be quickly established. For IT it’s about avoiding protection blind spots and bringing continuous monitoring to the operational environment. For OT, there’s the promise of more uptime and efficiency through better security, optimising automated processes and the physical devices that run their world, particularly around the adoption of IoT.
Once IT begins to win the hearts and minds of plant managers, production heads, facilities people, technicians and engineers, they can start ‘wargaming’ the scenarios that could prevent them from doing their jobs. When tabletop exercises reveal the scale of cyber threat activity, engagement deepens and we can move on to the next phase.
From auditing assets to proof of concept
To achieve effective OT security, you have to understand what you’re trying to protect. We make a priority of putting in place an up-to-date inventory and then maintain it by automatically tracking what’s there and what changes. Worryingly few people inside an organisation know exactly what's running a factory site and the state of the firmware. It’s not unusual to find code in systems that’s 20 years out of date, which makes them easy targets for cyber criminals.
We scan the network and look at what the thousands of devices are doing and their potential vulnerabilities. We give the company a level of visibility that encourages them to act if there’s an issue, such as an unencrypted connection on a production line device. But it’s not just about security. A fault in an automated control system might be identified early, prompting proactive maintenance that will reduce the risk of downtime in the future.
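The inventory-and-change-tracking step described above, as an added example (not BT's own tooling): two constructed inventory snapshots of a production segment are compared to surface new or missing devices, firmware changes, and devices still exposing cleartext protocols such as the unencrypted connection mentioned. Device records, MAC addresses, IPs and firmware versions are all made up for the example.

```python
"""Asset-inventory drift check for an OT estate (added example, constructed data)."""

# Protocols that carry credentials or control traffic in the clear.
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "modbus/tcp"}

# Constructed snapshots keyed by MAC: {"ip", "firmware", "services"}.
PREVIOUS = {
    "00:1d:9c:aa:00:01": {"ip": "10.20.1.10", "firmware": "2.1.4", "services": ["https"]},
    "00:1d:9c:aa:00:02": {"ip": "10.20.1.11", "firmware": "1.0.7", "services": ["telnet", "modbus/tcp"]},
    "00:1d:9c:aa:00:03": {"ip": "10.20.1.12", "firmware": "3.2.0", "services": ["https"]},
}
CURRENT = {
    "00:1d:9c:aa:00:01": {"ip": "10.20.1.10", "firmware": "2.1.4", "services": ["https"]},
    "00:1d:9c:aa:00:02": {"ip": "10.20.1.11", "firmware": "1.0.9", "services": ["telnet", "modbus/tcp"]},
    "00:1d:9c:aa:00:04": {"ip": "10.20.1.13", "firmware": "0.9.1", "services": ["http"]},
}


def diff_inventory(previous, current):
    """Return (finding, mac, detail) tuples for devices that appeared,
    disappeared, or changed firmware between two scans."""
    findings = []
    for mac in sorted(current.keys() - previous.keys()):
        findings.append(("new_device", mac, current[mac]["ip"]))
    for mac in sorted(previous.keys() - current.keys()):
        findings.append(("missing_device", mac, previous[mac]["ip"]))
    for mac in sorted(previous.keys() & current.keys()):
        old, new = previous[mac]["firmware"], current[mac]["firmware"]
        if old != new:
            findings.append(("firmware_changed", mac, f"{old} -> {new}"))
    return findings


def cleartext_exposures(inventory):
    """Return (mac, service) pairs for every cleartext service a device exposes."""
    return [
        (mac, svc)
        for mac in sorted(inventory)
        for svc in sorted(inventory[mac]["services"])
        if svc in CLEARTEXT_PROTOCOLS
    ]


if __name__ == "__main__":
    for finding in diff_inventory(PREVIOUS, CURRENT) + cleartext_exposures(CURRENT):
        print(finding)
```

In practice the snapshots would come from the passive or active scanner already in place; the point is that the comparison, not the scan, is what keeps the inventory current.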
Next, we devise a proof of concept (POC) with appropriate levels of segregation between IT and OT, addressing potential vulnerabilities that surfaced in the audit. What we usually arrive at is a combination of behaviour-based and signature-based threat detection that will quickly and accurately identify and disrupt a malicious attack.
The POC will also introduce the benefits of centralised control, monitoring IT and OT through a single pane of glass, providing reports that give insights across the entire estate. Having one central hub makes it easier to scale up and down as operational needs change in the future.
Implementing multiple layers of security
When it comes to the technical practicalities, we start with the fundamentals of segmenting IT and OT. Configuring firewalls to control east-west traffic will prevent malware from spreading across servers. Endpoint protection from the factory floor upwards will minimise risk exposure; regular firmware and operating system checks will ensure machines are running on the latest and most secure versions. Policies will be put in place, and stronger passwords and multifactor authentication become the new normal.
Our clients can also draw on BT’s global expertise when it comes to security. That means tapping into threat intelligence on zero-day viruses and new vulnerabilities. Updated intelligence is fed into our 24/7 threat monitoring service and used in training programmes to keep internal staff up to date with the latest phishing and social engineering scams.
The endgame is zero trust security, a framework for defence-in-depth across networks in and outside the organisation. Before being given access to applications and data, all users are continually authenticated, authorised and validated according to pre-configured rules.
For zero trust to work, an understanding of cyber threat must be embedded in the culture of a company through training and internal messaging. It’s another useful way of bridging the gap between IT and OT, instilling the same security mindset across both sides of the organisation.