While using information technology (IT) methods, cloud-computing and other innovations can help cybersecurity efforts, one sure-fire remedy is fostering cooperation between IT and operations technology (OT), and getting their personnel to plant cooperate, though many have to learn more of each other's languages.
"In the past year or so, more manufacturers are formalizing their cybersecurity programs to include converged IT and OT, and are frequently assigning responsibility for all cybersecurity to their chief information security officer (CISO)," says Dawn Cappelli, vice president of global security and CISO at Rockwell Automation. "Many companies are struggling with how to make this work, and how to build a strategy that both IT and OT feel ownership of and work together to implement. This is important because an effective converged IT/OT cybersecurity program relies on a partnership between IT and OT, combining the unique expertise of both sides. That's why we're building a culture at Rockwell Automation in which IT and OT understand each other, and work together as a single virtual team to implement the IT/OT strategy we developed together."
Cappelli reports the "BlueKeep" vulnerability disclosed by Microsoft in May demonstrates the difference between IT and OT cultures. "That vulnerability was predicted to be the next NotPetya, so security experts responded rapidly," explains Cappelli. "IT environments were patched very quickly, but IT and OT leaders had to work together to balance the security risk versus the operational impacts of patching in an OT environment. As a result, many companies are still addressing their patching strategies for OT.
"Many companies are faced with industrial control system environments, consisting of patchworks of very old equipment. We still see most exploits impact OT by compromising IT assets, which is why the organization's whole environment must be taken into account in one holistic cybersecurity strategy. Cybersecurity teams must employ a risk-based approach, identifying specific security requirements for each device and machine on the plant floor. Connectivity requirements must be determined, and a security architecture designed that takes these needs into account. For instance, remote connectivity needed into OT environments may be met by enabling remote monitoring and data analytics. But if it's absolutely required, then it should be designed with a zero-trust model in mind, restricting remote access to authorized users once their identity can be verified, and limiting their access to specific devices and applications required to perform their work for a limited period of time as approved by OT management personnel with the ability to audit any changes being made."
Other elements of a converged IT/OT cybersecurity strategy include creating and maintaining an asset inventory, defining a micro-segmentation model, and anomaly detection. Cappelli adds that Rockwell Automation performs these tasks with its partner Claroty. "This involves analysis of network traffic both within the plant and at the perimeter of the plant, to build an understanding of what normal looks like, and then allowing for the ability to alert on any anomalies. Combined with a contextual asset inventory, this can greatly reduce the mean time to respond to security incidents in OT. Response must be carefully thought out. When anomalies are detected, it may be due to a misconfigured device, which OT can handle. However, if it's due to potential malware or a security compromise, then IT needs to work with OT to stop it."
Cappelli cautions that a holistic cybersecurity program consists of more than just technology. For example, she reports Rockwell Automation initially focused its own security awareness training on issues facing office workers and in-house engineering staff. However, two and a half years ago, they realized that plant workers required very different security awareness training, so the company also started publishing a monthly cybersecurity awareness newsletter for its plants. They're also addressing cybersecurity issues related to critical suppliers, as well as the rest of their supply chain.
"It's crucial to identify and support a cybersecurity leader, and to create a centralized cross-functional team represented by subject matter experts from both OT and IT," explains Cappelli. "This team can work together to prioritize facilities based on criticality and risk, build a cybersecurity strategy, and select and deploy the right tools. It can also employ best practices, such as the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (www.nist.gov/cyberframework), and maintain awareness to specific threat intelligence pertinent to their company, for example through their local FBI field office."
