Part 2 of a 4-part series.
IT/OT convergence has expanded what’s possible in industrial production environments by creating more connected, data-driven operations. But it’s also created a need for IT and OT functions that have traditionally operated separately to now work together to address security threats. In the second of a four-part series, Dawn talks to Roy Gundy, OT cybersecurity lead for Johnson & Johnson Supply Chain, about steps companies can take to secure IT/OT environments.
Cappelli: We’ve worked with executives responsible for OT security at several companies to develop a list of 10 steps that companies can take to secure their IT/OT environments. As a group, we created this list with the belief that we should work together to address IT/OT security challenges, rather than figuring them out on our own. So, Roy, do you want to start us off with the first step?
Gundy: Yes, it’s important to start by getting executive sponsorship and approval of a funding model. At Johnson & Johnson, our CISO and head of supply chain met with various leaders to communicate the importance of IT and OT working together to address security. And while some companies use enterprise funding models, we chose to use a federated fund model for our OT sites and segments.
Cappelli: Next, it’s time to build your strategy. That gets us to step two: Use the NIST Cybersecurity Framework (CSF) to identify gaps in your IT/OT security posture with a cross-functional team from IT and OT. This is key to getting IT and OT to work together. IT personnel will be familiar with the NIST CSF. And by walking through it with OT personnel to identify OT security issues, both IT and OT will understand how OT and IT security differ.
IT and OT also need to work together in step three: using a risk-based approach to prioritize the gaps they’ve identified and develop a strategic roadmap for closing those gaps. When you go through the NIST CSF for an OT environment, you’ll likely come up with a long list of things to address. Identify the highest risks and where you’ll get the biggest bang for your buck. Then you can roll out to the most critical plants first.
Gundy: Once you have that strategic roadmap in place, you need to start executing. That brings us to step four: creating processes, standards and reference architectures that are specific to your OT environment. Your IT standards won’t work in OT environments, but you can build off of what IT has done. It’s part of the partnership.
Cappelli: Next, in step five, IT and OT can start working together to do the same activities that IT does, but do them differently in OT.
Gundy: For example, in OT environments, asset management can be painful. Assets are behind firewalls and owned by OT, so it’s difficult for IT to see what’s in OT environments. Patching also doesn’t work the same in OT as it does in IT. You can’t apply patches on a standard schedule. You need to make sure they’re approved by key vendors and tested in OT environments to avoid bringing down systems.
Cappelli: The next three steps involve continuously monitoring and protecting your OT operations. First, you need to be able to detect anomalous or suspicious activity on your OT network. Technology for doing this has come a long way over the past few years. Next, IT and OT need to create and execute an incident response plan that defines who will respond to different types of OT security alerts. You can feed alerts from your OT environment into the same security tools already used by IT, like a SIEM (Security Information and Event Management). Then, you need to create a business-continuity plan focused on resiliency of operations.
Gundy: Our IT and OT teams worked together to create 10 use cases that cover 90 percent of things that we think could happen. We’re also working to develop roles and responsibilities, so IT site leaders and engineers on site know what to do if these events occur.
Cappelli: Step nine is a quick win: provide security awareness training and communications targeted at your production workers. Risks like phishing won’t be as relevant in the OT space. Instead, the focus should be on physical risks, like safe use of USB drives and managing visitor access. Then, the final step is to use the NIST CSF as a common language for IT and OT. Use it to get buy-in from leadership, to track and report progress, and to benchmark.
Gundy: Scorecards and metrics are part of the plant mentality. You can leverage the CSF to build scorecards for sites and then roll those scorecards up to leadership. This can help everyone know where their risk level sits and what they need to do to lower it.
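Two of the steps discussed above lend themselves to a small worked example: the risk-based prioritization of CSF gaps into a roadmap (step three) and the per-site CSF scorecards rolled up to leadership (step ten). The script below is an added illustration, not code from Rockwell Automation or Johnson & Johnson; the scoring model (likelihood × impact, weighted by plant criticality and divided by effort to close) and all sample gaps are constructed assumptions, not a published methodology.

```python
"""Risk-based roadmap and CSF scorecard roll-up for IT/OT security gaps.

Added example. The 1-5 scales, the priority formula and the sample gaps are
constructed for illustration; adapt them to your own risk model.
"""
from dataclasses import dataclass

# The five functions of the NIST Cybersecurity Framework (v1.x), used here as
# the common language between IT and OT, as the interview suggests.
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Gap:
    """One gap found while walking the CSF with a cross-functional IT/OT team."""
    site: str
    function: str          # NIST CSF function the gap maps to
    description: str
    likelihood: int        # 1 (rare) .. 5 (expected)
    impact: int            # 1 (negligible) .. 5 (production-stopping)
    effort: int            # 1 (quick win) .. 5 (multi-year programme)
    site_criticality: int  # 1 .. 5, how critical the plant is to the business
    closed: bool = False   # flips to True as the roadmap is executed

    def __post_init__(self) -> None:
        if self.function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function: {self.function}")
        for name in ("likelihood", "impact", "effort", "site_criticality"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be in 1..5")

    def risk(self) -> int:
        """Classic likelihood x impact score for the gap itself."""
        return self.likelihood * self.impact

    def priority(self) -> float:
        """'Biggest bang for the buck': risk, weighted by how critical the
        plant is, per unit of effort needed to close the gap."""
        return self.risk() * self.site_criticality / self.effort


def build_roadmap(gaps: list[Gap]) -> list[Gap]:
    """Open gaps ordered highest-priority first; ties broken by raw risk.
    Because site criticality is in the weight, critical plants surface first."""
    open_gaps = [g for g in gaps if not g.closed]
    return sorted(open_gaps, key=lambda g: (g.priority(), g.risk()), reverse=True)


def site_scorecard(gaps: list[Gap], site: str) -> dict[str, int]:
    """Residual risk per CSF function for one site. Functions with no open
    gaps are reported as 0 so the card always has the same five rows."""
    card = {f: 0 for f in CSF_FUNCTIONS}
    for g in gaps:
        if g.site == site and not g.closed:
            card[g.function] += g.risk()
    return card


def leadership_rollup(gaps: list[Gap]) -> dict:
    """Roll the site scorecards up into one view for leadership: a card and a
    total per site, plus a single enterprise-wide residual-risk figure."""
    rollup: dict = {}
    for site in sorted({g.site for g in gaps}):
        card = site_scorecard(gaps, site)
        rollup[site] = {"by_function": card, "total_risk": sum(card.values())}
    rollup["ALL_SITES"] = sum(r["total_risk"] for r in rollup.values())
    return rollup


# Constructed sample data: two plants, six gaps, one already closed.
SAMPLE_GAPS = [
    Gap("Plant A", "Identify", "No OT asset inventory", 4, 4, 2, 5),
    Gap("Plant A", "Protect", "HMI patch awaiting vendor approval and test", 3, 5, 3, 5),
    Gap("Plant A", "Detect", "No network monitoring in cell/area zone", 4, 5, 4, 5),
    Gap("Plant B", "Respond", "No OT incident response plan", 3, 4, 2, 2),
    Gap("Plant B", "Protect", "Uncontrolled USB use on engineering workstations", 5, 3, 1, 2),
    Gap("Plant B", "Recover", "No tested business-continuity plan", 2, 5, 3, 2, closed=True),
]

if __name__ == "__main__":
    for rank, g in enumerate(build_roadmap(SAMPLE_GAPS), 1):
        print(f"{rank}. [{g.site}/{g.function}] {g.description} "
              f"(risk={g.risk()}, priority={g.priority():.1f})")
    for site, row in leadership_rollup(SAMPLE_GAPS).items():
        print(site, row)
```

With the sample data the asset-inventory gap at the critical plant comes out on top, while the cheap USB control at the less critical plant still ranks ahead of two higher-risk but expensive items, which is the "bang for your buck" effect the interview describes. Closing a gap removes it from both the roadmap and the site's residual-risk total, so re-running the roll-up over time gives the progress tracking leadership asks for.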
Read Part 1: CISO Conversations: Engaging Leadership
About the Author:
Dawn Cappelli is vice president of global security and CISO for Rockwell Automation. She is a member of the RSA Conference Advisory Board and RSA Conference Program Committee, and co-founder of the Open Source Insider Threat information sharing group.