Michael Piccalo
Implementing Proactive Cyber Controls in OT: Myths vs. Reality

Debunking the myths surrounding the implementation of proactive cyber controls in operational technology.

As the frequency of cyberattacks increases — often with a higher level of sophistication in order to evade detection — it's easy to see why organizations are investing in security technologies, such as automation, that can respond more efficiently to potential attacks after certain conditions have been met.

The effects of a successful attack can take many forms, including unauthorized disclosure of client data, loss of client trust, litigation, financial loss (including heavy penalties), and damaged brand reputation. While these impacts sound bad — and they are — they often pale in comparison to the potential implications of a breach in operational technology (OT) and critical infrastructure environments, which can also include safety concerns and loss of life.

By improving how they protect their IT networks, organizations can achieve more immediate risk reduction, shorten the time defenders need to counter an attack, and maximize the use of investments and human resources. So, why do we often see less proactive effort in OT?

First, on the IT side, inadvertently blocking a connection is unlikely to lead to a catastrophic event, so there is more flexibility in where controls can be automated. Second, a higher rate of cyberattacks is seen at the external perimeter than at the perimeter of the OT networks, which reminds us that controls on the business network are often the first line of defense for OT. While both are valid reasons, neither means a higher level of cybersecurity maturity can't be achieved in OT environments.

Proactive controls in OT are nothing new. Thinking back to the days of the LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program, the consortium came together to evaluate application whitelisting, a security technology designed to maintain a list of authorized executable files and then automatically block the execution of any files not on that list. This is a great example, from nearly a decade ago, of proactive controls used in the higher levels of OT — and the business case wasn't much different than it is today.

When many people think of OT networks, they think of the sensors and actuators that do tasks, such as opening valves, turning on pumps, raising temperatures, and adding chemicals. These devices reside in Levels 0, 1, and 2 of the Purdue Model and are at the core of what monitors and controls that site. Because many endpoint security technologies, such as application whitelisting, are designed to be installed on IT-type devices, such as workstations and servers, these solutions typically are not applicable to these industrial assets residing in the lower levels.

However, there are many other supporting assets residing in Levels 3 and 3.5 (the OT DMZ) that are less critical and may include devices such as domain controllers, remote access jump boxes, antivirus and patching servers, historians (a historian collects data points over time from many different areas of the plant so decisions can be made on that data at a later point), and much more. This is a great potential area to begin proactive security improvements because these assets more closely resemble the traditional IT-type devices supporting the OT environment — but more importantly, they often do not have a direct impact on operations. For these reasons, Levels 3 and 3.5 are a great starting point for automating cyber controls in OT.

Taking proactive steps in these levels provides some significant advantages over the adversary. A simple example might be leveraging a continuous network monitoring solution at these levels, where business network traffic typically enters, to detect malicious or anomalous traffic. Then, once activity is detected, an alert could be generated, followed by the creation of a firewall policy to automatically block that host while simultaneously opening a support ticket assigned to the appropriate group for any follow-up actions.

Another example could be when a new host, undefined in the network baseline, begins communicating with the human-machine interface or engineering workstation. An appropriate action may be to automatically block those unauthorized connections while, of course, also generating an alert and support ticket. These actions are prudent in today's environment and are just a couple of basic examples that leverage the benefits of automation.

Many Options
While some may hesitate at the idea of automatically blocking any communications on the OT network, there are many options, which depend upon one's comfort level. For example, in either of the previously mentioned scenarios, an alert and ticket could have been generated without implementing a block. Other options would be to automatically add or update any discovered assets in the configuration management database, push critical events to the security information and event management system, disable unauthorized USB devices, change the virtual LAN for an asset if certain criteria have not been met, or validate and remediate antivirus or patch compliance gaps for transient laptops. The options, while not endless, are certainly abundant and allow for a wide range of actions while taking advantage of existing investments the company has made.
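The two scenarios above (an unbaselined host talking to a Level 3/3.5 asset or to an HMI) and the "comfort level" options can be expressed as a small response-policy engine. The following is an added example, not code from the article or from Forescout; the baseline, flow records and action names are constructed, and in practice each action would map to a real firewall, SIEM, CMDB or ticketing API call.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed network baseline: known asset IP -> (role, Purdue level).
BASELINE: Dict[str, Tuple[str, float]] = {
    "10.3.0.10": ("domain-controller", 3),
    "10.3.0.20": ("historian", 3),
    "10.3.5.5": ("jump-box", 3.5),
    "10.2.0.7": ("hmi", 2),
    "10.2.0.8": ("engineering-workstation", 2),
}

# Comfort-level knob: auto-block only where a wrong block cannot touch the process.
# 3 means Levels 3 and 3.5 get block+alert+ticket; lower levels get alert+ticket only.
# None means alert-and-ticket only everywhere (the "no block" option in the text).
AUTO_BLOCK_MIN_LEVEL: Optional[float] = 3


@dataclass(frozen=True)
class Flow:
    src: str   # source IP as seen by the network monitor
    dst: str   # destination IP
    dport: int # destination port


def evaluate(flow: Flow,
             baseline: Dict[str, Tuple[str, float]] = BASELINE,
             auto_block_min_level: Optional[float] = AUTO_BLOCK_MIN_LEVEL) -> List[str]:
    """Return the ordered response actions for one flow (empty list = no action)."""
    dst = baseline.get(flow.dst)
    if dst is None or flow.src in baseline:
        # Destination is not a tracked OT asset, or both ends are already baselined.
        return []
    role, level = dst
    actions = [
        f"alert: unbaselined host {flow.src} -> {role} ({flow.dst}:{flow.dport})",
        f"cmdb: add discovered asset {flow.src} for review",
    ]
    if auto_block_min_level is not None and level >= auto_block_min_level:
        actions.append(f"firewall: block {flow.src} -> {flow.dst}")
        actions.append(f"ticket: auto-block of {flow.src} at Level {level} needs follow-up")
    else:
        # Below the comfort threshold (or blocking disabled): a human decides.
        actions.append(f"ticket: manual review of {flow.src} -> {role} at Level {level} (no auto-block)")
    return actions


if __name__ == "__main__":
    for f in (Flow("192.168.77.4", "10.3.5.5", 3389), Flow("192.168.77.4", "10.2.0.7", 502)):
        print("\n".join(evaluate(f)))
```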

Each of these is a step in the right direction toward proactive security in OT environments. In the end, it's about risk reduction and balancing the needs of the business while ensuring that the site continues to run — and run safely.

Any good cybersecurity program is not implemented overnight but, rather, can take years to get into place. Even then, it is a constantly evolving journey that requires adaptation to our changing times. But we cannot neglect OT networks as part of this journey, even in just taking manageable baby steps and working toward milestones in Levels 3 and 3.5 to meet the organization's security goals and objectives.

Michael Piccalo is the Director of OT/ICS Systems Engineering at Forescout Technologies. With over 25 years of experience in the cybersecurity industry, he worked on deploying some of the first firewalls protecting OT and critical infrastructure back in 2001 and served in the ...
