When tasked with assessing OT cybersecurity risk, many CISOs have questions about methodology. Numerous standards exist, including NIST CSF, NERC CIP, and NIST SP 800-53, with newer ones appearing regularly. Some of these standards embody guidance on assessment methodology, and some specifically address OT security, either in general or for specific industries.
You love the fact that you have great people running your plants, but better standardization makes what they do more efficient. They already have jobs, and you don’t want to be dependent on a large number of people having a high degree of security acuity. It’s better to derive your security from solid processes implemented company-wide.
Well-established standards capture insights drawn from the long experience of thoughtful practitioners. In general, they break the thinking about cyber risk into process-lifecycle categories; NIST CSF, for example, organizes practice into functions such as Detect, Respond and Recover. While this has great value as a guide to cybersecurity practice, there are gaps when it comes to actual assessment methodology.
The OT Knowledge Gap
To properly execute OT cyber assessments, the most common gap faced by CISOs is a lack of specific knowledge about deployed assets, network architectures, and security policies at various OT locations. Unlike IT, where there has long been uniformity of approach and a wide variety of tools, in OT you generally find a lot of individual processes controlled by local plant people.
We have observed a wide range of security postures and awareness in OT locations, and again, the key is to understand that CISOs generally have not been in control of these processes, which tend to be owned by local operators.
The most typical characteristic of OT or plant environments is a posture of security by isolation. Even though Industrial Control Systems have been computerized for decades, and industrial machines have long been connected with Ethernet networks, the integration of shop-floor networks with business networks controlled by IT is much more recent.
The range of postures runs from “these systems never touch the business network, so we don’t have to worry about cyber risk,” to “we take a very serious approach to cyber risk on the shop floor, we coordinate with corporate IT on security, and we would like to do more of that.”
The good news is that many large companies have local operators that take cyber risk very seriously (as it impacts production, safety, and compliance, their major performance metrics), and have often done a very good job indeed at securing their local environments.
Even at the most security-mature organizations, gaps emerge during ongoing monitoring and awareness, or when integrating with people and processes from IT. The key benefits from improving in these areas are validation of proper security and standardization of methods and processes.
Organizations are also on a wide range of maturity scales with regard to assessment methodology. Even in security-mature organizations, these range from little to no assessment practice in OT to extensive and rigid methodology. This is an exceedingly challenging area, because doing little or nothing is rarely acceptable, but neither is trying to impose a methodology derived largely from IT practice that is expensive, invasive, and not necessarily cost-effective.
The two most important elements missing from assessment methodology as typically practiced today are also the two key elements missing from most of the well-known standard methodologies: 1) an impact-aware view; and 2) cost effectiveness.
Most assessment methodologies are ultimately derived from IT practice and, as such, tend to focus on identifying vulnerabilities and attack vectors. Such studies don’t account for the impacts that may be achieved through compromise of industrial processes. These need to be measured in terms of the key metrics of revenue protection, safety, and compliance, and of breakouts beyond the initially compromised process.
Application of Assessment Methodology
Think of a possible outcome that could impact national security. Now think about the psychology of your potential adversary. He will always choose the softest target that produces an impact of value to him. In OT, the principle of reducing the attack surface applies not only to reducing vulnerabilities but also to isolating impacts.
Assessment methodology needs first to ask what business, safety, and compliance consequences the kinetic effects available to attackers would have, and whether attackers can spread those effects through lateral movement. If the impacts are low, then you don’t need to invest heavily.
Assessment methodology also needs to account for the variability of the footprint, in terms of specific operations, regional differences in compliance requirements, and the level of trust with local managers. Because OT networks as a rule have been developed (and secured) to fulfill different business goals than IT, you will often find large heterogeneity in how the networks are architected and secured.
Your first job is to figure out how they are being secured. It’s not unusual to find a very simple overall policy (such as network controls by ACLs and VLANs, together with access controls by corporate directory and group memberships), but with very substantial local variations.
How to Get Started
In general, it’s very challenging to impose corporate security standards in OT, for a large number of reasons. A lot of information must be shared, and responsibility for incident response must be shared as well. For that reason, the first step in assessment methodology needs to focus on asset inventory.
Next, ongoing visibility is essential to ensure that agreed-upon security standards are being enforced consistently and without gaps. Process configurations tend to be in constant flux, and machines and their associated computerized controls are constantly being updated. This makes it essential to non-invasively monitor OT networks for anomalies. In an important sense, security monitoring is like the segregated safety interlock systems present in many plants.
An important benefit of assessment methodology is to detect configuration errors, obsolete equipment (which may present enhanced security risks), and unsuspected breaks in network segmentation strategies. Often the cleanup obtained through even a lightweight security assessment more than pays for the effort.
Remember that assessment methodology is much more complicated in OT than in IT, for the reasons we’ve discussed. Organizations with the most process maturity may ironically be exposed to the risk of overthinking methodology, and end up assessing only the most critical plants because of the high cost. You’ll also need to deal with the management friction generated by asking plant operators to do things they consider invasive or that have the potential to cause outages or safety risks.
The key guideline here is to watch costs. Assess everywhere, because the smallest apertures can be exploited for break-ins. Beyond that, you should only spend money for extensive remediations in the highest-impact plants.
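As an added illustration (not from the original article) of the impact-aware, assess-everywhere approach described above: a small Python script that takes a constructed site inventory and a constructed segment-connectivity policy, finds segments that policy says are isolated but are in fact reachable from the business network, and ranks sites by impact (revenue, safety, compliance) weighted by lateral-movement exposure so that only the highest-impact sites receive remediation budget. All site names, figures and segment names are made up for the example.

```python
from collections import deque

# Constructed sample inventory (not from the article): one record per OT site,
# with the three impact metrics the article names and the segments it uses.
SITES = {
    "plant_a": {"revenue_per_day": 2_000_000, "safety": 3, "compliance": 2, "segments": {"a_cell"}},
    "plant_b": {"revenue_per_day": 300_000, "safety": 1, "compliance": 1, "segments": {"b_cell"}},
    "plant_c": {"revenue_per_day": 900_000, "safety": 2, "compliance": 3, "segments": {"c_cell"}},
    "depot_d": {"revenue_per_day": 50_000, "safety": 0, "compliance": 0, "segments": {"d_cell"}},
}
# Constructed segment adjacency: an edge means traffic is permitted between
# the two segments under the ACL/VLAN policy. "corp" is the business network.
LINKS = [("corp", "dmz"), ("dmz", "a_cell"), ("a_cell", "c_cell"), ("corp", "d_cell")]
# Segments the written policy says must never be reachable from corp.
ISOLATED = {"a_cell", "b_cell", "c_cell"}

def reachable_from(start, links):
    """Segments reachable from `start` over permitted links (lateral-movement reach)."""
    adj = {}
    for x, y in links:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def segmentation_breaks(links=LINKS, isolated=ISOLATED):
    """Segments policy calls isolated that are actually reachable from corp."""
    return sorted(isolated & reachable_from("corp", links))

def impact_score(site):
    """Sum of the three metrics; daily revenue at risk is normalised to a 0-3 band."""
    revenue_band = min(3, site["revenue_per_day"] / 500_000)
    return revenue_band + site["safety"] + site["compliance"]

def prioritize(sites=SITES, links=LINKS, remediate_top=2):
    """Every site is assessed; only the top impact*exposure sites get remediation budget."""
    exposed = reachable_from("corp", links)
    ranked = []
    for name, site in sites.items():
        exposure = 2 if site["segments"] & exposed else 1   # doubled if laterally reachable
        ranked.append((round(impact_score(site) * exposure, 2), name))
    ranked.sort(reverse=True)
    return {name: ("remediate" if i < remediate_top else "assess_only")
            for i, (_, name) in enumerate(ranked)}
```

Note that depot_d is exposed to the business network but scores lowest, so it is assessed and not funded for remediation, while plant_b is isolated yet still assessed, matching the article's guideline.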