OT Cybersecurity Best Practices for Small & Medium Organizations: A New Monthly Blog Series By Dragos OT-CERT
This is the first in a new monthly blog series detailing best practices for OT cybersecurity for under-resourced organizations. Cyber risk for small and medium businesses (SMBs) has increased substantially, as detailed in a recent blog: Ransomware Attacks in Small and Medium-Sized Organizations and Manufacturing Are On the Rise. For that reason, it is critical that SMBs with OT environments begin to implement a foundational cybersecurity program as soon as possible. Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team) provides free resources to help SMBs create or enhance their OT cybersecurity program.
Dragos OT-CERT is working directly with the SMB community – along with our partners – in workshops and tabletop exercises. This enables participants to learn from each other and allows OT-CERT to maintain a growing list of best practices for OT security that are practical for SMBs and address common security challenges identified in the workshops and tabletops. This is the first blog in the OT-CERT Best Practice blog series, based on challenges we discussed with participants in our first OT-CERT tabletop exercise, at the Xylem Reach Conference, held in partnership with Xylem and WaterISAC. Read on to see what we discussed with tabletop participants – the first tip that you can put into practice immediately to start upping your OT cybersecurity game. Our next workshop is set for November 16, 2022, at WaterISAC’s H2OSecCon – Security for the Water Sector virtual conference. We will publish the second best practice in December.
We organized the best practices by Category and Practice in the “OT Cybersecurity Fundamentals Self-Assessment Survey” that was provided to OT-CERT members in August 2022 – note that some best practices fall under multiple categories. Hopefully OT-CERT members filled out the survey and identified their gaps – these best practices can be implemented to begin to address those gaps. If not, there’s no time like the present – join OT-CERT and get started today!
Larger Organizations Take Note
If you have been increasing your security posture and reduced risk of a significant cyber attack in your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to ensure that you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment. And strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers!
Tip #1: What to Do If a Ransomware Message Is Displayed on an OT Asset
|Cyber Incident Response|
|If a ransomware message is displayed on a screen in your OT environment your plant employees should be trained on what to do. Quick action is imperative to minimize impact, but incorrect action could have safety or operational consequences. Your IT and OT teams should work together to decide what action employees should be instructed to take – and it might not be the same across all of OT. Should they unplug the computer immediately? Should they call IT before doing anything? If so, do they know how to call IT? You do not want to rely on a panicked decision by a single employee if you are attacked – work it out in advance.|
A company in our tabletop said all plant employees are trained to call IT immediately if any cyber incident occurs, and they all know how to do that. Their IT is outsourced, but their provider has a helpdesk and the phone# is widely displayed throughout their plants.
Dragos OT-CERT Recommendation:
We recommend, where possible, that you isolate or quarantine the affected asset as quickly as possible – at the network level – by unplugging the network cable or by disabling the port on the network switch.
We recommend network isolation instead of powering an asset down because it will preserve important forensic information that could be extremely valuable to the incident response team’s investigation. Powering a device down results in the loss of data from the device’s “volatile” memory. That data is key for a responder to determine when the infection is remediated, and for other important aspects of the investigation.
Stay Up to Date with Resources for SMBs: Join Dragos OT-CERT Today!
Dragos OT-CERT offers FREE resources to help SMBs build their own manufacturing / OT / industrial control systems (ICS) cybersecurity program without hiring any cybersecurity experts. OT-CERT membership is free and is open to all OT asset owners and operators globally. Resources are oriented toward small and medium businesses and resource-challenged organizations with OT environments that lack in-house security expertise. Members have access to a growing library of resources such as reports, webinars, training, best practice blogs, assessment toolkits, tabletop exercises and more.
Currently available resources include:
- OT Cybersecurity Fundamentals Self-Assessment Survey
- OT Asset Management Toolkit
- Self-Service OT Ransomware Tabletop Exercise Toolkit
- Collection Management Framework for Incident Response
In the coming months we will provide OT-CERT members with access to introductory ICS/OT cybersecurity courses and modules, so some of your plant engineers and IT staff can increase their expertise in OT security. We will also continue to provide resources for incident response to include: an incident response plan toolkit and OT backups guidance.
If you haven’t joined Dragos OT-CERT don’t delay! Membership is open globally to any organization that owns or operates a manufacturing / OT / ICS environment. Please join and spread the word to your community and supply chain so we can all work together to raise the security posture of the entire ecosystem – we are only as strong as our weakest link. We look forward to working with you to safeguard civilization!
Read next blog post
Ready to put your insights into action?
Take the next steps and contact our team today.