By Francis Cianfrocca
In our last blog, we looked at the four core aspects of IoT cybersecurity management: Asset Inventory, Systems Management, Threat Hunting, and Incident Response. These represent the starting point, but there are additional real-world challenges facing CISOs and Ops teams, including how to manage IT and OT infrastructure in parallel – harmoniously.
Virtualization has emerged as a key area of overlap. In fact, the move to virtualization has not left OT behind. You will find that a lot of the industrial compute workloads are virtual. I’ve seen this in a lot of the applications that program and run the automation.
You Need to Manage VMs
You need to manage these VMs. You have to monitor them for uptime, response time, patch levels, and security. They are among the weaker links, and they are very performance sensitive, so you have to use a mix of passive and active methods to monitor them.
Rogue devices are a huge issue in OT security management. A rogue device is basically anything you don’t fully manage or control, and rogue devices fall into two categories: things you installed on purpose, and things that are there but shouldn’t be:
1. Things installed on purpose are typically vendor products with compute stacks you don’t or can’t control, including VMs; and things that got installed ad hoc for good reasons by local personnel but never came under proper management.
2. Things that shouldn’t be there include systems that were decommissioned but never removed or “retired in place.” Significantly, they also include systems that sporadically (and mysteriously) appear on the OT network, devices that contain “overfunctionality,” and devices that are wholly malicious in nature.
Anything you don’t understand or don’t manage is a vector for attack. The most basic way to bring these under control is to passively detect and monitor them, using a risk-weighted approach.
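The passive detection step described above, as an added example that is not code from the post or from Insight Cyber Group: a week of passively observed device sightings (the kind a SPAN-port or tap sensor yields) is reconciled against the managed asset inventory, and each device lands in one of the categories the post names (managed, installed on purpose but unmanaged, retired in place, or unknown), with a flag for devices that only appear sporadically. The inventory, the sightings, the MAC and IP values and the sporadic threshold are all constructed for the example.

```python
"""Passive rogue-device detection against an OT asset inventory.

Added illustration; not code from the post or from Insight Cyber Group.
Inventory, sightings and the sporadic threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    mac: str
    name: str
    managed: bool   # under patch/configuration management we control?
    status: str     # "active" or "decommissioned"


@dataclass(frozen=True)
class Finding:
    mac: str
    name: str
    category: str   # managed | unmanaged | retired_in_place | unknown
    days_seen: int
    sporadic: bool
    ips: tuple


# Constructed inventory: what the organisation believes is on the segment.
INVENTORY = {
    a.mac: a for a in (
        Asset("00:1a:2b:00:00:01", "plc-line1", True, "active"),
        Asset("00:1a:2b:00:00:02", "hmi-vm-line1", True, "active"),
        Asset("00:1a:2b:00:00:03", "vendor-gw-packaging", False, "active"),
        Asset("00:1a:2b:00:00:04", "historian-old", True, "decommissioned"),
    )
}

_BASE = datetime(2024, 1, 1, 8, 0)


def _seen(mac, ip, days):
    """Constructed sightings: one (mac, ip, timestamp) per listed day."""
    return [(mac, ip, _BASE + timedelta(days=d, minutes=3 * d)) for d in days]


# One week of constructed passive observations.
SIGHTINGS = (
    _seen("00:1a:2b:00:00:01", "10.20.1.11", range(7))
    + _seen("00:1a:2b:00:00:02", "10.20.1.12", range(7))
    + _seen("00:1a:2b:00:00:03", "10.20.1.50", [0, 1, 2, 4, 6])
    + _seen("00:1a:2b:00:00:04", "10.20.1.20", range(7))
    + _seen("00:1a:2b:00:00:99", "10.20.1.77", [1, 5])   # never inventoried
)

# Triage order: what you least understand is looked at first.
_PRIORITY = {"unknown": 0, "retired_in_place": 1, "unmanaged": 2, "managed": 3}


def classify_sightings(inventory, sightings, sporadic_max_days=2):
    """Return {mac: Finding} for every device passively observed."""
    by_mac = defaultdict(list)
    for mac, ip, ts in sightings:
        by_mac[mac].append((ip, ts))
    findings = {}
    for mac, obs in by_mac.items():
        days = {ts.date() for _, ts in obs}
        ips = tuple(sorted({ip for ip, _ in obs}))
        asset = inventory.get(mac)
        if asset is None:
            category, name = "unknown", "<not in inventory>"
        elif asset.status == "decommissioned":
            category, name = "retired_in_place", asset.name
        elif not asset.managed:
            category, name = "unmanaged", asset.name
        else:
            category, name = "managed", asset.name
        findings[mac] = Finding(mac, name, category, len(days),
                                len(days) <= sporadic_max_days, ips)
    return findings


def rogue_findings(findings):
    """Devices needing attention: anything not managed, or only sporadically seen."""
    rogues = [f for f in findings.values()
              if f.category != "managed" or f.sporadic]
    return sorted(rogues, key=lambda f: (_PRIORITY[f.category], f.mac))


if __name__ == "__main__":
    for f in rogue_findings(classify_sightings(INVENTORY, SIGHTINGS)):
        flag = " (sporadic)" if f.sporadic else ""
        print(f"{f.mac}  {f.category:17}{flag}  seen {f.days_seen}d  {f.name}  {f.ips}")
```

Because nothing here sends a packet to the OT segment, the check is safe to run continuously against the performance-sensitive devices the post warns about; the triage order puts the devices you understand least at the top of the list.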
This is a way for centralized security ops to control the scale and device/process diversity problem. Partition your OT cyberspace either horizontally, vertically, or both. This produces a possibly overlapping matrix of geographical and functional zones, each one having a distinct security and risk score determined using business and domain knowledge.
Risk metrics include revenue protection, safety/compliance, and environmental/national security. You watch the high-risk zones closely from a central organization, and you watch the medium- and low-risk zones closely using more localized personnel.
One major problem with risk-weighted monitoring is the “impedance mismatch.” That is, the mismatch of skills/knowledge levels on the part of the people tasked to do the monitoring. In high-risk monitoring, the CISO people lack the production-engineering and the domain knowledge. In medium/low risk monitoring, the local staff lacks security knowledge.
An essential and very challenging success factor is to ensure that all the watchers get full and adequate context so they know what to do with the information being presented to them.
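The zone matrix, risk weighting and watcher context described in the last few paragraphs, as an added example that is not code from the post or from Insight Cyber Group: each asset sits in one geographical zone and one or more functional zones (the overlapping matrix the post describes), every zone carries a score built from the three risk metrics named above, an alert is routed to the central security organization when any zone it touches is high risk and to local site personnel otherwise, and the alert is enriched with the context each kind of watcher lacks. The zones, metric weights, tier thresholds, assets and contact names are all constructed for the example.

```python
"""Risk-weighted zone matrix and alert routing for OT monitoring.

Added illustration; not code from the post or from Insight Cyber Group.
Zones, weights, tier thresholds, assets and contact names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    kind: str          # "geo" or "functional"
    revenue: int       # 0-5, revenue-protection exposure (business knowledge)
    safety: int        # 0-5, safety/compliance exposure
    environment: int   # 0-5, environmental / national-security exposure
    owner: str         # constructed contact who holds the domain context

    def score(self):
        # Weights (2, 2, 1) are an assumption of this example, not the post's.
        return 2 * self.revenue + 2 * self.safety + self.environment


def tier(score):
    """Assumed thresholds on the 0-25 score."""
    if score >= 18:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


ZONES = {z.name: z for z in (
    Zone("plant-north", "geo", 4, 5, 3, "north-site-ops"),
    Zone("plant-south", "geo", 2, 2, 1, "south-site-ops"),
    Zone("safety-instrumented", "functional", 3, 5, 4, "sis-engineering"),
    Zone("packaging", "functional", 2, 1, 1, "packaging-engineering"),
    Zone("utilities", "functional", 3, 3, 2, "utilities-engineering"),
)}

# asset -> (geographical zone, functional zones); constructed.
ASSETS = {
    "sis-controller-1": ("plant-north", ("safety-instrumented",)),
    "packaging-hmi-2": ("plant-south", ("packaging",)),
    "boiler-plc-3": ("plant-south", ("utilities",)),
}

CENTRAL_SOC = "central-security-ops"   # constructed contact


def zone_matrix(zones=ZONES):
    """{zone name: (score, tier)} to review with the business owners."""
    return {name: (z.score(), tier(z.score())) for name, z in zones.items()}


def route_alert(asset, signal, assets=ASSETS, zones=ZONES):
    """Pick the watcher for an alert and attach the context they will need."""
    geo_name, func_names = assets[asset]
    touched = [zones[geo_name]] + [zones[n] for n in func_names]
    # Zones overlap, so an asset inherits the highest tier of any zone it is in.
    level = tier(max(z.score() for z in touched))
    central = level == "high"
    watcher = CENTRAL_SOC if central else zones[geo_name].owner
    return {
        "asset": asset,
        "signal": signal,
        "tier": level,
        "zones": {z.name: {"kind": z.kind, "score": z.score(),
                           "tier": tier(z.score())} for z in touched},
        "watcher": watcher,
        # Close the impedance mismatch in both directions: central security
        # staff get the production/domain contacts, local staff get the
        # security escalation path.
        "domain_contacts": [z.owner for z in touched if z.owner != watcher],
        "security_escalation": None if central else CENTRAL_SOC,
    }


if __name__ == "__main__":
    for name, (score, level) in zone_matrix().items():
        print(f"{name:22} score={score:2} tier={level}")
    print(route_alert("sis-controller-1", "controller firmware version changed"))
    print(route_alert("boiler-plc-3", "unexpected outbound connection"))
```

The scores and thresholds are deliberately simple integers so that the matrix can be argued over in a meeting with the people who hold the business and domain knowledge; the routing logic is the part that should stay fixed once they agree.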
OT Monitoring Strategies
Once you’ve sketched out your risk weighting strategy, you’ll need to address three very basic questions to determine your approach to OT monitoring:
1. For starters, does OT require active or passive monitoring?
Each approach has advocates and detractors, and in fact there are good arguments on each side. But the truth is that you need both. Speaking very broadly, active approaches are needed in the systems-management phase, and passive approaches work best in threat hunting. For Asset inventory, a mixture of both produces the best results.
2. Next, how do you justify your OT security monitoring spend?
In many organizations, OT security is an item of direct concern and visibility to boards of directors. This is unusual among the vast array of Ops issues that companies manage. However, this is not to say that boards have deep knowledge and expertise in production-security issues. Quite the opposite is true, which means that CISOs need to tread this ground carefully.
In regard to OT security, boards are interested primarily in revenue protection, operational continuity, compliance with internal and statutory benchmarks, and comparing favorably with peer organizations. In a board meeting, these issues will rarely be looked at more deeply than “yes/no” or “scale of 1 to 10.”
3. How does digitization fit into your OT plans?
OT is traditional automation; IoT is fundamentally about digitization. Security management in the IoT realm includes making sure your digitization workflows are actually doing what they should be doing.
Consider a Managed Service
CISOs need help in providing confident, short answers to these questions, and they need to justify spending on OT security by mapping results and metrics to these questions. Using a managed service that can address these questions is a very favorable way to spend money, and gives Boards confidence that all the right things are being done.
Your best bet to manage all of these divergent strategies is a services approach. Look for a services provider that can deliver a managed IoT security service that incorporates proprietary technology and best-of-breed partnerships to provide the entire package.
Francis Cianfrocca is CEO at Insight Cyber Group.