Dark Reading is part of the Informa Tech Division of Informa PLC


John Livingston

COVID-19 Creates Opening for OT Security Reform

Operations technology was once considered low risk, at least until the virus came along and re-arranged the threat landscape.

It appears COVID-19 will dramatically impact the economy – and our work life – at least until a vaccine is discovered. In this crisis mode, operators have needed to reduce onsite personnel, putting greater strain on the limited resources at the plant and requiring an increase in external connectivity for those working remotely.

At the same time, cases of ransomware and vulnerabilities associated with industrial control systems are growing rapidly. Both the National Security Agency and the Cybersecurity and Infrastructure Security Agency recently released alerts on the significant increase in cyberattacks on critical infrastructure. The air gap (if it ever truly existed) is now gone.


The challenges of industrial control systems (ICS) and operations technology (OT) cybersecurity are well-known: sensitive devices, limited resources, risk to operations, and the oft-repeated question of "Why bother, if we aren't connected to the Internet?" to name a few. But the crisis opens the door to new possibilities. No longer is the air-gap argument realistic. OT and ICS endpoints are clearly at risk, yet asset visibility and security are also now feasible. How do you avoid wasting the opportunity that comes from this crisis?

Below is a four-step guide that security leaders can follow to significantly change the direction of OT security so that as we emerge from the pandemic, entire systems will be more secure and efficient processes will be created to keep them that way.

Step 1: Don't Settle 
It's tempting to settle for near-term fixes to immediate problems during a crisis. As COVID-19 requires more operations personnel to work remotely, that "near-term fix" is secure remote access. Over the past six months, the demand for these solutions has doubled within our client base. However, secure remote access alone is insufficient. 

Achieving security requires perimeter protection, but endpoint protection within the perimeter is also crucial. Patching, user and account management, software and configuration management, etc., are necessary parts of securing the industrial environment. This crisis offers an opportunity for security leaders to break through the former reaction of "We aren't connected," and push to apply more comprehensive security management across the OT environment.

Step 2: Leverage Security to Enable Business Operational Outcomes 
COVID-19 has caused a five-to-ten year acceleration in the pace of remote plant support, usually an agonizingly slow process. However, many technology and security initiatives required to safely enable the shift have yet to be implemented. Now is the opportunity to help deliver business outcomes and increase security maturity simultaneously. There are many ways that the foundational elements of security management can improve the efficiency and reliability of remote plant operations.

Two examples include centralized asset visibility and automated security management. Centralized asset visibility enables proactive identification of operational and security risks. When customers use Verve to aggregate all of their asset information, they are able to monitor for potential operating issues on those devices, e.g., HMIs that are running low on storage; network switches that are starting to overload or slow down; operator consoles that are regularly bluescreening because of outdated or unnecessary software in place; etc. Although these issues are operational in nature, the platform designed to identify "security-specific" flaws – including vulnerabilities, missing patches, and risky configurations – can also identify operational errors to reduce potential downtime.

Automation included in security management can significantly improve operators' efficiency. If implemented correctly with a "Think global, act local" approach, actions can be designed centrally, with plant personnel controlling automation to ensure actions only happen at the right time and after the right sequence of testing. Our clients regularly save 40%+ in labor from having operator-controlled automation, accomplishing actions that normally take four weeks in merely a few hours.

Step 3: Make a One-Time, Step-Function Increase in OT Security
Conducting OT vulnerability assessments over the last decade, we consistently discovered thousands of missing patches, insecurely configured assets, dozens of shared and/or dormant accounts, unused and risky ports and services, etc. In every case, a one-time clean-up is needed to create a step-change improvement and create a new baseline in security maturity. Now is a great time for this reset. 

Protective elements such as layering compensating controls where patches cannot be deployed, ensuring devices that are insecure by design – including many legacy OT devices – are not directly connected to the external network, and hardening configuration settings can reduce the need for "whack-a-mole" when a new vulnerability is announced. We have seen our clients save 30% of the labor requirements of remediation by taking these actions.
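As an added illustration (not code from the article or from Verve's platform), here is a small Python pass over a constructed asset inventory that flags the operational conditions Step 2 lists (low storage, overloaded switches, bluescreening consoles) alongside the security findings Step 3 describes (missing patches, dormant accounts, risky services exposed externally); the field names, thresholds and risky-service list are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed inventory record; the fields are assumptions for this example.
@dataclass
class Asset:
    name: str
    kind: str                                   # "hmi", "switch", "console", ...
    free_disk_pct: Optional[float] = None
    cpu_pct: Optional[float] = None
    bluescreens_30d: int = 0
    missing_patches: int = 0
    listening_services: List[str] = field(default_factory=list)
    externally_reachable: bool = False
    account_last_login: Dict[str, date] = field(default_factory=dict)

RISKY_SERVICES = {"telnet", "ftp", "smbv1"}     # assumed list for illustration
DORMANT_DAYS = 90                               # assumed dormancy threshold
TODAY = date(2020, 9, 15)                       # fixed "now" so results are reproducible

def assess(asset: Asset, today: date) -> List[Tuple[str, str, str]]:
    """One inventory pass yields both operational and security findings."""
    f: List[Tuple[str, str, str]] = []
    if asset.free_disk_pct is not None and asset.free_disk_pct < 10:
        f.append((asset.name, "operational", f"low storage: {asset.free_disk_pct:.0f}% free"))
    if asset.cpu_pct is not None and asset.cpu_pct > 85:
        f.append((asset.name, "operational", f"overloaded: {asset.cpu_pct:.0f}% CPU"))
    if asset.bluescreens_30d >= 3:
        f.append((asset.name, "operational", f"{asset.bluescreens_30d} bluescreens in 30 days"))
    if asset.missing_patches:
        f.append((asset.name, "security", f"{asset.missing_patches} missing patches"))
    risky = sorted(set(asset.listening_services) & RISKY_SERVICES)
    if risky:   # worse when the device is reachable from outside the plant network
        where = "externally reachable with" if asset.externally_reachable else "has"
        f.append((asset.name, "security", f"{where} risky services: {', '.join(risky)}"))
    for user, last in asset.account_last_login.items():
        if (today - last).days > DORMANT_DAYS:
            f.append((asset.name, "security", f"dormant account {user} (last login {last})"))
    return f

# Constructed sample inventory, not real plant data.
INVENTORY = [
    Asset("HMI-01", "hmi", free_disk_pct=6.0, missing_patches=42,
          account_last_login={"operator": date(2020, 9, 1), "vendor": date(2019, 11, 2)}),
    Asset("SW-CORE", "switch", cpu_pct=92.0),
    Asset("CON-03", "console", bluescreens_30d=4,
          listening_services=["telnet", "https"], externally_reachable=True),
]

def baseline(inventory: List[Asset], today: date) -> Dict[str, int]:
    """Count findings per category: the starting point for the one-time clean-up."""
    counts = {"operational": 0, "security": 0}
    for a in inventory:
        for _, cat, _ in assess(a, today):
            counts[cat] += 1
    return counts
```

Re-running baseline() after remediation gives the "new baseline" Step 3 refers to, and the diff between runs is what plant personnel review before any automated action is released.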

Step 4: Bring OT Personnel Onto Security Teams
Industrial companies also have the opportunity to reshape security leadership, especially as remote work has perhaps freed up some plant responsibilities of OT personnel. Our industrial clients have seen great success in shifting OT heads into cybersecurity leadership roles. For example, the OT leader of a Fortune 500 client, who is now the head of cybersecurity architecture across both OT and IT, brought a unique perspective to the problem and developed truly creative solutions, achieving efficient and effective security through combined IT/OT management.

The disruption caused by COVID-19 has created a window where resources are now shifting, uncertainty exists, and new models are possible. Let's not waste this opportunity to emerge from the crisis even smarter, more secure, and more efficient than before.


John leads Verve Industrial Protection's mission to protect the world's infrastructure. He brings 20+ years of experience from McKinsey & Co., advising large companies in strategy and operations. Recognizing the challenges of greater industrial connectivity, John joined Verve ...
