10:00 AM
Michael Piccalo

Implementing Proactive Cyber Controls in OT: Myths vs. Reality

Debunking the myths surrounding the implementation of proactive cyber controls in operational technology.

As the frequency of cyberattacks increases — often with a higher level of sophistication in order to evade detection — it's easy to see why organizations are investing in security technologies, such as automation, that can respond more efficiently to potential attacks after certain conditions have been met.

The effects of a successful attack can take many forms, including unauthorized disclosure of client data, loss of client trust, litigation, financial loss (including heavy penalties), and damaged brand reputation. While these impacts sound bad — and they are — they often pale in comparison to the potential implications of a breach in operational technology (OT) and critical infrastructure environments, which can also include safety concerns and loss of life.

By improving how they protect their IT networks, organizations can achieve more immediate risk reduction, shorten the time needed by defenders to counter an attack and maximize the use of investments and human resources. So, why do we often see less proactive efforts in OT?

First, on the IT side the implications of inadvertently blocking a connection are unlikely to be catastrophic, so there is more flexibility in where controls can be automated. Second, a higher rate of cyberattacks is seen at the external perimeter than at the perimeter of the OT networks, which reminds us that controls on the business network are often the first line of defense for OT. Both are valid reasons, but neither means a higher level of cybersecurity maturity can't be achieved in OT environments.

Proactive controls in OT are nothing new. Thinking back to the days of the LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program, the consortium came together to evaluate application whitelisting, a security technology designed to maintain a list of authorized executable files and then automatically block the execution of any files not on that list. This is a great example, from nearly a decade ago, of proactive controls used in the higher levels of OT — and the business case wasn't much different than it is today.

When many people think of OT networks, they think of the sensors and actuators that do tasks, such as opening valves, turning on pumps, raising temperatures, and adding chemicals. These devices reside in Levels 0, 1, and 2 of the Purdue Model and are at the core of what monitors and controls that site. Because many endpoint security technologies, such as application whitelisting, are designed to be installed on IT-type devices, such as workstations and servers, these solutions typically are not applicable to these industrial assets residing in the lower levels.

However, there are many other supporting assets residing in Levels 3 and 3.5 (the OT DMZ) that are less critical and may include devices such as domain controllers, remote access jump boxes, antivirus and patching servers, historians (a historian collects data points over time from many different areas of the plant so decisions can be made on that data at a later point), and much more. This is a great area in which to begin proactive security improvements because these assets more closely resemble the traditional IT-type devices supporting the OT environment — and, more importantly, they often do not have a direct impact on operations. For these reasons, Levels 3 and 3.5 are a great starting point for automating cyber controls in OT.

Taking proactive steps in these levels provides some significant advantages over the adversary. A simple example might be leveraging a continuous network monitoring solution to detect malicious or anomalous traffic at Levels 3 and 3.5, which is where business network traffic typically enters the OT environment. Then, once activity is detected, an alert could be generated, followed by the creation of a firewall policy to automatically block that host while simultaneously opening a support ticket assigned to the appropriate group for any follow-up actions.

Another example could be when a new host, undefined in the network baseline, begins communicating with the human-machine interface or engineering workstation. An appropriate action may be to automatically block those unauthorized connections while, of course, also generating an alert and support ticket. These actions are prudent in today's environment and are just a couple of basic examples that leverage the benefits of automation.

Many Options
While some may hesitate at the idea of automatically blocking any communications on the OT network, there are many options, which depend upon one's comfort level. For example, in either of the previously mentioned scenarios, an alert and ticket could have been generated without implementing a block. Other options include automatically adding or updating discovered assets in the configuration management database, pushing critical events to the security information and event management system, disabling unauthorized USB devices, changing the virtual LAN for an asset that fails certain criteria, or validating and remediating antivirus or patch compliance gaps on transient laptops. The options, while not endless, are certainly abundant and allow for a wide range of actions while taking advantage of existing investments the company has made.
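To make the two scenarios above (a host absent from the network baseline reaching the HMI or engineering workstation, and a known asset deviating from its baseline) and the "alert only" versus "alert and block" choice concrete, here is an added Python sketch. It is not code from the article or from any Forescout product. The asset inventory, the flow-record format, the sample flow lines and the dict that stands in for a firewall deny rule are all constructed for illustration; a real deployment would feed the firewall and ticketing systems through their own APIs. The one design choice worth noting is the `NEVER_BLOCK_LEVELS` guard: automation may alert and ticket on a Level 0-2 asset, but it never generates a block for one, which keeps the automated response inside the Levels 3 and 3.5 scope the article recommends.

```python
"""Baseline-driven detection with tiered automated response for an OT DMZ.

Added example, not from the article. Every asset, flow and rule below is
constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed asset baseline: expected hosts, keyed by IP -> (Purdue level, role).
BASELINE_ASSETS = {
    "10.20.2.10": ("L2", "hmi"),
    "10.20.2.11": ("L2", "engineering-workstation"),
    "10.20.1.5": ("L1", "plc"),
    "10.20.3.20": ("L3", "historian"),
    "10.20.3.21": ("L3", "domain-controller"),
    "10.20.35.5": ("L3.5", "jump-box"),
}

# Constructed communication baseline: (src, dst, dport) tuples seen during learning.
BASELINE_FLOWS = {
    ("10.20.3.20", "10.20.2.10", 4840),   # historian polls HMI over OPC UA
    ("10.20.35.5", "10.20.2.11", 3389),   # jump box -> engineering workstation RDP
}

# Roles an unbaselined host must never reach without raising an event.
PROTECTED_ROLES = {"hmi", "engineering-workstation"}

# Process-critical levels: automation alerts on them but never blocks them.
NEVER_BLOCK_LEVELS = {"L0", "L1", "L2"}

# Hypothetical flow-record format produced by a network monitoring sensor.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample records: one baseline flow, an unknown host hitting the HMI
# and the engineering workstation, a PLC reaching the domain controller off-baseline,
# and one malformed line.
SAMPLE_FLOWS = """\
2021-05-14T10:00:01Z src=10.20.3.20 dst=10.20.2.10 dport=4840 proto=tcp
2021-05-14T10:00:02Z src=10.20.9.77 dst=10.20.2.10 dport=3389 proto=tcp
2021-05-14T10:00:03Z src=10.20.9.77 dst=10.20.2.11 dport=445 proto=tcp
2021-05-14T10:00:04Z src=10.20.1.5 dst=10.20.3.21 dport=389 proto=tcp
this line is not a flow record and is skipped
"""


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


@dataclass
class Response:
    alerts: list = field(default_factory=list)
    tickets: list = field(default_factory=list)
    firewall_rules: list = field(default_factory=list)


def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect(flows):
    """Apply two baseline rules and return the resulting events."""
    events = []
    for f in flows:
        src_known = f["src"] in BASELINE_ASSETS
        dst_role = BASELINE_ASSETS.get(f["dst"], (None, None))[1]
        if not src_known and dst_role in PROTECTED_ROLES:
            events.append(Event(f["ts"], f["src"], f["dst"], f["dport"],
                                f"unbaselined host reached {dst_role}"))
        elif src_known and (f["src"], f["dst"], f["dport"]) not in BASELINE_FLOWS:
            events.append(Event(f["ts"], f["src"], f["dst"], f["dport"],
                                "known asset outside communication baseline"))
    return events


def respond(events, mode="alert"):
    """mode='alert': alert + one ticket per host; mode='block': also emit deny rules.

    The deny rule is a plain dict standing in for the site's firewall policy
    format (hypothetical). Level 0-2 assets are never blocked automatically.
    """
    if mode not in ("alert", "block"):
        raise ValueError("mode must be 'alert' or 'block'")
    resp, ticketed, blocked = Response(), set(), set()
    for e in events:
        resp.alerts.append(f"{e.ts} {e.src}->{e.dst}:{e.dport} {e.reason}")
        if e.src not in ticketed:
            resp.tickets.append({"assignee": "ot-security", "host": e.src, "reason": e.reason})
            ticketed.add(e.src)
        src_level = BASELINE_ASSETS.get(e.src, (None, None))[0]
        if mode == "block" and e.src not in blocked and src_level not in NEVER_BLOCK_LEVELS:
            resp.firewall_rules.append({"action": "deny", "src": e.src, "dst": "any"})
            blocked.add(e.src)
    return resp


def run_pipeline(text, mode="alert"):
    """Parse records, detect baseline deviations, and build the tiered response."""
    flows = [f for f in (parse_flow(line) for line in text.splitlines()) if f]
    return respond(detect(flows), mode=mode)


if __name__ == "__main__":
    for mode in ("alert", "block"):
        r = run_pipeline(SAMPLE_FLOWS, mode)
        print(mode, len(r.alerts), "alerts", len(r.tickets), "tickets",
              len(r.firewall_rules), "firewall rules")
```

Running it in `alert` mode yields three alerts and two tickets (one per offending host) with no firewall change; in `block` mode the unbaselined host 10.20.9.77 gets a deny rule while the off-baseline PLC traffic is only alerted and ticketed, because the PLC sits at Level 1.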

Each of these is a step in the right direction toward proactive security in OT environments. In the end, it's about risk reduction and balancing the needs of the business while ensuring that the site continues to run — and run safely.

Any good cybersecurity program is not implemented overnight but, rather, can take years to get into place. Even then, it is a constantly evolving journey that requires adaptation to our changing times. But we cannot neglect OT networks as part of this journey, even in just taking manageable baby steps and working toward milestones in Levels 3 and 3.5 to meet the organization's security goals and objectives.

Michael Piccalo is the Director of OT/ICS Systems Engineering at Forescout Technologies. With over 25 years of experience in the cybersecurity industry, he worked on deploying some of the first firewalls protecting OT and critical infrastructure back in 2001 and served in the ...
