Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/5/2020
02:00 PM
Satish Gannu
Satish Gannu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

6 Steps CISOs Should Take to Secure Their OT Systems

The first question each new CISO must answer is, "What should I do on Monday morning?" My suggestion: Go back to basics. And these steps will help.

The inevitable digitalization of an industry can create strife within companies, especially between colleagues tasked with blending often old and idiosyncratic business-critical operational technology (OT) with information technology (IT).

One crucial source of confusion: Who is responsible for the all-important cybersecurity risk mitigation of OT systems as they become part of the Industrial Internet of Things? There's no universal answer yet. Some chief information security officers (CISOs) are drawn from OT, and some from IT.  

Either way, the first question each new CISO must answer is, "What should I do on Monday morning?" My suggestion: Go back to basics.

What I've noticed working with industrial companies around the world is confusion among CISOs distracted by thousands of companies — new and old — offering shiny new tools to prevent and detect threats in exciting ways. As a result, there's a good chance new CISOs could overlook the basic, fundamental steps needed to build the broadest, strongest risk mitigation.

Here are the six steps all new CISOs should take to begin protecting their OT environments in the most effective way possible:

• Step 1: Asset inventory. A company's OT systems are its crown jewels, and the CISO's primary role is to protect them. First step: Explore, discover, and inventory every OT element in the organization to learn exactly what you're protecting — data, software, systems, etc. Without a complete and accurate asset inventory, the succeeding steps will fall short in minimizing cybersecurity risk.  

• Step 2: Backup/test restore. The most effective way to protect OT systems from expensive to ruinous ransomware attacks, to cite just one risk, is to back up OT data and perform a test restore to make certain the backups are optimal. Backing up systems is crucial for multiple reasons, security among them.

(Tip: In case of ransomware attacks, don't forget the European police agency Europol's public/private No More Ransom site, which offers proven, valuable anti-ransomware tools free of charge.)

Yes, test restore can be challenging, but OT network backups are only as good as the test restore process that assures their effectiveness by protecting the network from data loss.

As we'll see in step 5, it's important to identify pertinent data for test restore on a continuous basis — often by asking users in the organization which data is most important for their work — but for the first backup/test restore, do it as widely and deeply as possible now to avoid data loss and other problems down the road.

• Step 3: Software vulnerability analysis. Step 1's asset inventory will reveal all the software in the organization's OT systems. The CISO must know the state of every software asset. Every piece of software must be subjected to vulnerability analysis. What version of the software do you have? Is it up to date? Are there more recent versions — safer and more effective — the OT system will accept and continue to thrive with?

A crucial question about the software: Does it need patching? If so, here's a critical warning: Don't do the automatic IT thing of reflexively patching everything, because OT patching is a complex and challenging process that rates an entire step onto itself.

• Step 4: Patching. Though automatic in IT, patching in OT is the proverbial briar patch. Sometimes patching OT software can make things worse. The soft underbelly of digitalizing the industrial economy is old OT machines and systems. Some absolutely vital systems have been on factory floors for 15 to 25 years or more, and they can't be taken down and patched. And even if appropriate (and safe) patches are available, old OT may not have enough memory or CPU bandwidth to accept them.

Finally, many OT systems are highly orchestrated combinations of software and hardware that develop "personalities," and when they're patched, they come back up with unpredictable results.

What to do? I suggest a threat analysis approach that can identify vulnerabilities and minimize risk short of patching.

• Step 5: Backup/test restore  again. Backup/test restore must become an ingrained habit whenever anything in the OT or IT system changes — updates, for example. The test restore process should include a plan that identifies testing frequency and the specific mode of testing. It is also important to make certain the operating system directly correlates with the version of software being used, as well as the structure of the database.

Important advice: Repeat steps 3 to 5 regularly, forever. New vulnerabilities are often found in old software.

• Step 6: Enable centralized logging. CISOs must know not just how something is working or failing, but why it's failing — and for that, centralized logging is a must. Centralized logging consolidates, manages, and analyzes logs to empower CISO teams to understand their environments, identify threats as early as possible, and optimize defenses.

In my experience, many OT systems have never been monitored. Given how much goes on in OT systems, consistent centralized logging is a must-have: It enables CISOs to confidently identify alarming security signals amid the potentially deafening routine noise.  

If new CISOs take these six basic but essential steps — and habitually repeat those that need repeating — they can go home Monday night confident they've done a solid job minimizing risk for their organization's OT.

Related Content:

 

Satish joined San Jose-based ABB in February 2017 as chief security officer and Group VP, architecture and analytics, ABB Ability™, responsible for the security of all products, services and cybersecurity services. Satish brings to this position a background in computer ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jon-r..s
50%
50%
jon-r..s,
User Rank: Apprentice
3/19/2020 | 8:02:32 AM
new ciso
Some good basics, but if a CISO has to wonder what he or she has to do on a Monday morning then we have a problem...today we have a lot of folks who wnat the title CISO but don't have the substance to be a real CISO, they take low ball offers or get a role becuase of politics for diversity or other flavor of the month public ask...
techilife99
50%
50%
techilife99,
User Rank: Apprentice
3/10/2020 | 7:17:17 AM
jenifer08

I will carefully read the issues you just shared, I find there are some places that are not very clear

 

Myopic
50%
50%
Myopic,
User Rank: Apprentice
3/6/2020 | 9:12:18 PM
A warning
You should be careful running automated asset collection tools. There have been many reports of industrial devices crashing when receiving something as innocuous as a NMAP port scan. It's also worth while being very conscious of the various protocols these devices use and how those protocols are carried across various networks... most older devices don't understand how to talk ethernet.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.