For industrial organizations, digital transformation has officially arrived. No longer just an IT initiative or a buzzword, digital transformation is now critical to modernizing and securing OT environments. But while business and technology leaders recognize the importance of protecting industrial control systems (ICS) successfully implementing a cybersecurity strategy is far easier said than done.
Like every stable structure, a strong OT cybersecurity posture requires a solid foundation. At Dragos, we have helped industrial organizations protect their infrastructure for years. In our experience, that foundation requires three essential components: executive buy-in, smart investments, and a culture of security.
Requirement #1: Obtain Executive Buy-in
We’ve previously addressed how to talk to the C-suite and the board about OT security. The topic is worth revisiting because it’s critical to success. You can accelerate the pace and investment of your program by effectively presenting to leadership – or impede your objectives by proceeding without a clear strategy.
First, understand your role. It’s not your job to steer senior leadership, and most executives don’t take kindly to activist agendas. Instead, your job is to inform them of the risks, demystify the technology, and trust them to do what they have been hired to do: make smart decisions.
Every Board of Directors and Executive Leadership Team is unique, and it’s important to speak to yours in their own language. Below are several best practices:
- Business context is key. Outline the business problems associated with the risks versus trying to wrap deeply technical concepts in a thin layer of business language.
- Present unbiased options to your leadership team without appearing to sell to them.
- Emphasize healthy, quantifiable risks and avoid FUD.
- Use facts and note realistic assumptions when you don’t.
- Metrics and benchmarks are your friends, as are graphs and visual representations of data that make it easy to quickly digest the data
Requirement #2: Make Smart Investments
Once you have executive buy-in, what’s the best way to get your OT cybersecurity program off the ground?
“Step zero” is a comprehensive crown jewel analysis. This will look slightly different for different industries – natural gas vs. electric power generation vs. wastewater treatment, for example – but involves working systematically top-to-bottom to determine the physical & logical assets, data, and communication & control interfaces required for primary system function. This insight serves as the bedrock for each component of vulnerability management, incident response, disaster recovery, and prioritization of protection and detection. It also informs overall business context and establishes the lens through which you can create a successful strategy.
With the crown jewel analysis in place, you can conduct a holistic risk assessment with an objective business impact assessment. Prioritize remediations based on highest risks. You can leverage the CIS-18 controls, or even break those down further by emphasizing exploitable vectors. There are no silver bullets, so get good at the basics, beginning with asset management.
It is becoming borderline cliche to say it – and we may sound like a broken record – but don’t treat OT like IT. OT has different priorities than IT (AIC vs. CIA) and the differences don’t stop there. The OT approaches to vulnerability management, patching, asset refresh rates, moving to the cloud, and more are all unique. A strong OT cybersecurity posture relies on a strategy that is specific to ICS environments.
With your OT-specific assessments in place, adopt a build-to-sustain model for everything you create. A solution is worthless if it sits on a shelf, or if you don’t have the resources to bring it to fruition and sustain it over time. Assume the worst-case scenario will happen and build your resilience in from the beginning. This may include projects like IR planning, actionable playbooks, and a threat intel-driven program.
Requirement #3: Create a Culture of Security
All the technology in the world can’t protect your organization without people who understand how to use it – and perhaps more importantly, why it’s so important. We’ve said it for years in IT security but instilling a culture of security is still as important as it was decades ago. As we embrace Industry 4.0 and digital transformation, we need to remember to bring our people along with us for the ride.
What does that look like in practice? Think about change management efforts now, even if the impact is several years out. How will job roles change as we increase connectivity to the outside world and to the enterprise? How do we instill a mission to support security efforts in day-to-day activities so that everyone, in some way shape or form, is part of the “security team”? How do we train our next generation of OT cyber professionals?
This last question is particularly relevant. We believe that there isn’t a shortage of OT talent, but a shortage of OT experience. As we prepare for the digital world of the future, and continue to expand transformation efforts, we need to cultivate a culture of learning and education that translates to a passion for securing OT. That passion, in turn, powers what we at Dragos consider our true calling: safeguarding civilization.
Identify interested leaders and help connect them to training opportunities. There are free web-based trainings from the Department of Homeland Security, and several others that can be purchased through SANS, CISCO, Udemy, etc. Remain open minded and foster the curiosity and potential of current employees and external prospects.
Finally, a culture of security requires bridging the IT/OT divide to align your digital transformation teams. The best work gets done when silos get broken down. Get involved with the teams that are focused on Industry 4.0 and digitally transforming your ICS/SCADA environments. Offer to review design documents and/or project plans and see where security can be baked in early on.
Apply strong OT network security principles from the get-go: separate IT and OT assets where technically feasible, incorporate security services in a DMZ, include firewalls, understand your asset/application/data dependencies, etc. Strong collaboration breeds strong culture.
Learn More
For additional insight into how your organization can successfully implement a robust OT cybersecurity strategy, check out our on-demand webinar with PwC on securing OT systems, achieving stakeholder alignment, and increasing productivity and cooperation between IT and OT.
Ready to put your insights into action?
Take the next steps and contact our team today.