
Risk

7/27/2020 09:00 AM
By Dawn Cappelli, Vice President of Global Security and CISO, Rockwell Automation
Sponsored Article

CISO Conversations: Securing IT/OT Infrastructures

IT/OT convergence unleashes new ways to make industrial operations more competitive. But it also requires that historically siloed information and operational technology teams collaborate to manage security.

Part 2 of a 4-part series.

IT/OT convergence has expanded what's possible in industrial production environments by creating more connected, data-driven operations. But it has also created a need for IT and OT functions that have traditionally operated separately to now work together to address security threats. In the second of a four-part series, Dawn talks to Roy Gundy, OT cybersecurity lead for Johnson & Johnson Supply Chain, about steps companies can take to secure IT/OT environments.

Cappelli: We’ve worked with executives responsible for OT security at several companies to develop a list of 10 steps that companies can take to secure their IT/OT environments. As a group, we created this list with the belief that we should work together to address IT/OT security challenges, rather than figuring them out on our own. So, Roy, do you want to start us off with the first step?

Gundy: Yes, it’s important to start by getting executive sponsorship and approval of a funding model. At Johnson & Johnson, our CISO and head of supply chain met with various leaders to communicate the importance of IT and OT working together to address security. And while some companies use enterprise funding models, we chose to use a federated fund model for our OT sites and segments.

Cappelli: Next, it’s time to build your strategy. That gets us to step two: Use the NIST Cybersecurity Framework (CSF) to identify gaps in your IT/OT security posture with a cross-functional team from IT and OT. This is key to getting IT and OT to work together. IT personnel will be familiar with the NIST CSF. And by walking through it with OT personnel to identify OT security issues, both IT and OT will understand how OT and IT security differ.

IT and OT also need to work together in step three: Using a risk-based approach to prioritize the gaps they’ve identified and develop a strategic roadmap for closing those gaps. When you go through the NIST CSF for an OT environment, you’ll likely come up with a long list of things to address. Identify the highest risks and where you’ll get the biggest bang for your buck. Then you can roll out to the most critical plants first.

Gundy: Once you have that strategic roadmap in place, you need to start executing. That brings us to step four: creating processes, standards and reference architectures that are specific to your OT environment. Your IT standards won’t work in OT environments, but you can build off of what IT has done. It’s part of the partnership.

Cappelli: Next in step five, IT and OT can start working together to do the same activities that IT does, but do them differently in OT.

Gundy: For example, in OT environments, asset management can be painful. Assets are behind firewalls and owned by OT, so it’s difficult for IT to see what’s in OT environments. Patching also doesn’t work the same in OT as it does in IT. You can’t apply patches on a standard schedule. You need to make sure they’re approved by key vendors and tested in OT environments to avoid bringing down systems.

Cappelli: The next three steps involve continuously monitoring and protecting your OT operations. First, you need to be able to detect anomalous or suspicious activity on your OT network. Technology for doing this has come a long way over the past few years. Next, IT and OT need to create and execute an incident response plan that defines who will respond to different types of OT security alerts. You can feed alerts from your OT environment into the same security tools already used by IT, like a SIEM (Security Information and Event Management). Then, you need to create a business-continuity plan focused on resiliency of operations.

Gundy: Our IT and OT teams worked together to create 10 use cases that cover 90 percent of things that we think could happen. We're also working to develop roles and responsibilities, so IT site leaders and engineers on site know what to do if these events occur.

Cappelli: Step nine is a quick win: provide security awareness training and communications targeted at your production workers. Risks like phishing won’t be as relevant in the OT space. Instead, the focus should be on physical risks, like safe use of USB drives and managing visitor access. Then, the final step is to use the NIST CSF as a common language for IT and OT. Use it to get buy-in from leadership, to track and report progress, and to benchmark.

Gundy: Scorecards and metrics are part of the plant mentality. You can leverage the CSF to build scorecards for sites and then roll those scorecards up to leadership. This can help everyone know where their risk level sits and what they need to do to lower it.

Read Part 1: CISO Conversations: Engaging Leadership

About the Author: 
Dawn Cappelli is vice president of global security and CISO for Rockwell Automation. She is a member of the RSA Conference Advisory Board and RSA Conference Program Committee, and co-founder of the Open Source Insider Threat information sharing group.
