How to get started on OT cybersecurity

“The main thing is to just do something about cybersecurity. Get some people together, write an initial plan—maybe with a policy for changing passwords—and take some action.” Rockwell Automation’s Brian Deken discussed how manufacturers can take their first steps toward more cybersecure operations.

Cybersecurity is a huge, evolving issue that can seem overwhelming. Cyber-intrusions and attacks like ransomware are lucrative for criminals, and accelerating in critical infrastructure applications. Plus, unpatched, legacy devices are everywhere, so there are many holes in many networks. However, none of this has to cause panic, and no one’s hair is required to be on fire.

“It can seem like there are no best practices because what’s best for one user may not be best for others. Plus, everyone’s attack surface is too big, so what can we do, and how can we measure it?” asked Brian Deken, North American commercial manager for networks and security services, Rockwell Automation. “But you have to do something. It doesn’t matter where you start, and a little effort here and a little there can really add up. ”

Deken presented “Best Cybersecurity Practices for OT” at this week’s ROKLive 2022 conference in Orlando, Fla.

Pragmatic steps

Several widely accepted standards and guides, such as IEC 62443 and the NIST Cybersecurity Framework, can provide valuable advice on initial cybersecurity efforts, along with online self-assessments and other government resources from the U.S. Dept. of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). However, it’s also crucial for users to secure support from their managers and participation by coworkers, especially those on both sides of the operational technology (OT) and IT divide.

“Once your organization begins to understand some of these issues, you can begin to use OT and IT convergence as a catalyst for cybersecurity,” said Deken. “It’s an engineering- and enterprise-wide issue that also involves the supply chain, so everyone has to get involved. You can address cybersecurity by building bridges between OT and IT, growing a joint team, creating a cybersecurity strategy and vision, drafting a response and recovery plan, and executing it. Cybersecurity is a team sport.”

Just as the staff at many industrial plants and facilities hold “safety minutes” at the begin of meetings and other events, Deken reported that users and companies can begin to do the same for cybersecurity. “Much of developing cybersecurity in OT is about changing organizational structures and eventually culture as well,” explained Deken. “However, everyone also has to recognize that none of these issues will go away, and so any successful cybersecurity effort will take years.”

Proactive approaches  

Deken explained that a cybersecurity plan should cover three primary periods:

• Before, when the job is to identify and protect, using asset inventory services, qualified patch management, vulnerability and risk assessments, and industrial control system (ICS) security zone and countermeasure deployment.
• During, when detection is the goal, using real-time threat detection services, remote monitoring and administration services, incident handling and response, and incident response and disaster recovery planning services.
• After, when respond and recover is the task, and backup and recovery solutions are employed, along with remote monitoring and administration, incident handling and response, and incident response and disaster recovery.

Diving deeper

Once a team and the organization get some education and cybersecurity, and during or after they implement their initial cybersecurity strategy, Deken reported they can begin to explore a more risk-informed cyber-strategy, which begins with gauging the visibility of their assets, but goes on to evaluate their cybersecurity posture with a cyber-risk assessment, penetration testing of OT systems and equipment, and establishing a cybersecurity framework and standards. These and other potential items go into developing a basic cybersecurity hygiene program, which can include anti-malware strategies, moving legacy/physical servers to virtual servers, deploying antivirus management, implementing operating system (OS) infrastructure patching, and assessing and addressing OT networks.

“Just as patch management means different things to different people, each team has to assess and determine the aggregate risk posture, cybersecurity hygiene, and network readiness needed for their operations and organization,” said Deken.

Going forward, Deken added that in-depth repeatable and multi-year adaptive cyber-strategies can be deployed. These typically involve:

• Even more detailed assessments and modernization of the installed base,
• Network segmentation with firewalls and industrial demilitarized zones (IDMZ) between OT and IT environments,
• Secure OT endpoints on device- and machine-level networks,
• Continuous threat detection services and tuning,
• 24/7/365 monitoring and managing of OT environment’s applications, data centers, firewalls, IDMZs, network and threat detection platforms,
• Augmenting the cybersecurity workforce with a dedicated security operations center (SOC), and
• Revising and readjusting one’s disaster recovery plan in response to subsequent assessments and related events.

“Of course, repeatable or adaptive cyber-strategies require more people and time,” added Deken. “Less than 10% of organizations report doing adaptive cyber-strategies at this point, and even they’re not the be all and end all. The main thing is to just do something about cybersecurity. It doesn’t matter what or where because you can always add to it and adjust later. Just get some people together, write an initial plan—maybe with a policy for changing passwords—and take some action.”