Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Satish Gannu
Satish Gannu
Connect Directly
E-Mail vvv

6 Steps CISOs Should Take to Secure Their OT Systems

The first question each new CISO must answer is, "What should I do on Monday morning?" My suggestion: Go back to basics. And these steps will help.

The inevitable digitalization of an industry can create strife within companies, especially between colleagues tasked with blending often old and idiosyncratic business-critical operational technology (OT) with information technology (IT).

One crucial source of confusion: Who is responsible for the all-important cybersecurity risk mitigation of OT systems as they become part of the Industrial Internet of Things? There's no universal answer yet. Some chief information security officers (CISOs) are drawn from OT, and some from IT.  

Either way, the first question each new CISO must answer is, "What should I do on Monday morning?" My suggestion: Go back to basics.

What I've noticed working with industrial companies around the world is confusion among CISOs distracted by thousands of companies — new and old — offering shiny new tools to prevent and detect threats in exciting ways. As a result, there's a good chance new CISOs could overlook the basic, fundamental steps needed to build the broadest, strongest risk mitigation.

Here are the six steps all new CISOs should take to begin protecting their OT environments in the most effective way possible:

• Step 1: Asset inventory. A company's OT systems are its crown jewels, and the CISO's primary role is to protect them. First step: Explore, discover, and inventory every OT element in the organization to learn exactly what you're protecting — data, software, systems, etc. Without a complete and accurate asset inventory, the succeeding steps will fall short in minimizing cybersecurity risk.  

• Step 2: Backup/test restore. The most effective way to protect OT systems from expensive to ruinous ransomware attacks, to cite just one risk, is to back up OT data and perform a test restore to make certain the backups are optimal. Backing up systems is crucial for multiple reasons, security among them.

(Tip: In case of ransomware attacks, don't forget the European police agency Europol's public/private No More Ransom site, which offers proven, valuable anti-ransomware tools free of charge.)

Yes, test restore can be challenging, but OT network backups are only as good as the test restore process that assures their effectiveness by protecting the network from data loss.

As we'll see in step 5, it's important to identify pertinent data for test restore on a continuous basis — often by asking users in the organization which data is most important for their work — but for the first backup/test restore, do it as widely and deeply as possible now to avoid data loss and other problems down the road.

• Step 3: Software vulnerability analysis. Step 1's asset inventory will reveal all the software in the organization's OT systems. The CISO must know the state of every software asset. Every piece of software must be subjected to vulnerability analysis. What version of the software do you have? Is it up to date? Are there more recent versions — safer and more effective — the OT system will accept and continue to thrive with?

A crucial question about the software: Does it need patching? If so, here's a critical warning: Don't do the automatic IT thing of reflexively patching everything, because OT patching is a complex and challenging process that rates an entire step onto itself.

• Step 4: Patching. Though automatic in IT, patching in OT is the proverbial briar patch. Sometimes patching OT software can make things worse. The soft underbelly of digitalizing the industrial economy is old OT machines and systems. Some absolutely vital systems have been on factory floors for 15 to 25 years or more, and they can't be taken down and patched. And even if appropriate (and safe) patches are available, old OT may not have enough memory or CPU bandwidth to accept them.

Finally, many OT systems are highly orchestrated combinations of software and hardware that develop "personalities," and when they're patched, they come back up with unpredictable results.

What to do? I suggest a threat analysis approach that can identify vulnerabilities and minimize risk short of patching.

• Step 5: Backup/test restore  again. Backup/test restore must become an ingrained habit whenever anything in the OT or IT system changes — updates, for example. The test restore process should include a plan that identifies testing frequency and the specific mode of testing. It is also important to make certain the operating system directly correlates with the version of software being used, as well as the structure of the database.

Important advice: Repeat steps 3 to 5 regularly, forever. New vulnerabilities are often found in old software.

• Step 6: Enable centralized logging. CISOs must know not just how something is working or failing, but why it's failing — and for that, centralized logging is a must. Centralized logging consolidates, manages, and analyzes logs to empower CISO teams to understand their environments, identify threats as early as possible, and optimize defenses.

In my experience, many OT systems have never been monitored. Given how much goes on in OT systems, consistent centralized logging is a must-have: It enables CISOs to confidently identify alarming security signals amid the potentially deafening routine noise.  

If new CISOs take these six basic but essential steps — and habitually repeat those that need repeating — they can go home Monday night confident they've done a solid job minimizing risk for their organization's OT.

Related Content:


Satish joined San Jose-based ABB in February 2017 as chief security officer and Group VP, architecture and analytics, ABB Ability™, responsible for the security of all products, services and cybersecurity services. Satish brings to this position a background in computer ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/19/2020 | 8:02:32 AM
new ciso
Some good basics, but if a CISO has to wonder what he or she has to do on a Monday morning then we have a problem...today we have a lot of folks who wnat the title CISO but don't have the substance to be a real CISO, they take low ball offers or get a role becuase of politics for diversity or other flavor of the month public ask...
User Rank: Apprentice
3/10/2020 | 7:17:17 AM

I will carefully read the issues you just shared, I find there are some places that are not very clear


User Rank: Apprentice
3/6/2020 | 9:12:18 PM
A warning
You should be careful running automated asset collection tools. There have been many reports of industrial devices crashing when receiving something as innocuous as a NMAP port scan. It's also worth while being very conscious of the various protocols these devices use and how those protocols are carried across various networks... most older devices don't understand how to talk ethernet.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
IBM Cloud Pak for Security (CP4S) and could allow a user to obtain sensitive information or perform actions they should not have access to due to incorrect authorization mechanisms. IBM X-Force ID: 198919.
PUBLISHED: 2021-05-10
IBM Control Desk and is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199228.
PUBLISHED: 2021-05-10
IBM Cloud Pak for Security (CP4S) and is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force I...
PUBLISHED: 2021-05-10
Ticketer is a command based ticket system cog (plugin) for the red discord bot. A vulnerability allowing discord users to expose sensitive information has been found in the Ticketer cog. Please upgrade to version 1.0.1 as soon as possible. As a workaround users may unload the ticketer cog to disable...
PUBLISHED: 2021-05-10
An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.