What is OT security execution, and why should you focus on it?

If you have been in OT security for quite a while, you may be among those who feel frustrated about the lack of progress in reducing the attack surface. After all these years, we still hear about new threats and attack attempts every other day. If you follow the industry like I do, you probably couldn’t tell how many times you have heard about a “growing trend” of cyber attacks on OT systems. Why is that, after decades of effort in OT security, after several government-sponsored programs, national and international standards, and billions of dollars spent?

Here’s a simple answer: If you focus on only one parameter, and that parameter represents nebulous external factors that you cannot control, don’t expect progress. Not this year, not next year, not in ten years.

Progress can only be seen in activities that you control, and where you can measure results.

Progress requires an objective, a plan for how to reach that objective, and a means to measure how far you have come. All of that is missing in the predominant OT security school of thought, which is mostly concerned with threat detection. If you spend more resources on that issue, you won’t see fewer threats; you will see more.

The inherent limitation of ICS Detection

Progress cannot be found in externalities such as actual or suspected activities of shady hacker groups, reported by agenda-driven security vendors and media outlets. Neither will ever tell you that hackers are really incompetent when it comes to industrial control systems, or that the “growing trends” they allege cannot be backed up by fact. You will never hear that the threat landscape is improving from a security vendor or from an industry publication, because both live by fear.

What the ICS Detection industry also doesn’t tell you is the following:

Every single cyber-physical attack on the record exploited very basic design flaws and omissions in the victim’s environment.

That’s right, every cyber-physical attack that we know of could have been prevented easily! You may not have known this interesting factoid because few people analyze OT attacks with the question of how they could have been prevented. (For some background, check out the following video.)

The bottom line is this: if you put all, or most, of your OT security resources into ICS Detection, you will not experience progress. As simple as that! The ICS Detection industry needs to push the impression of an ever-increasing threat environment in order to support its business model.

What needs to be done

Those interested in achieving progress therefore need to turn to other chapters of the OT security playbook, and they are not hard to find. Consider the following questions:

  • How well are our systems protected? How can we improve this protection? Do we make enough progress over time?
  • Are our disaster recovery procedures sufficient? How can we improve them?

Both protection and disaster recovery are prime areas for security execution because they allow for setting objectives, and measuring how well such objectives are met. They are also under full control of the asset owner.

Let me give you some examples, which I mostly relate to ransomware scenarios.

Example 1: Protection

As far as protection is concerned, one thing you really want to know is how many outdated Windows operating system versions you are still running: Windows 7, or even Windows XP. It’s a safe bet that in any typical OT environment you will still find several, if not hundreds, of these obsolete and highly vulnerable software products. Make a plan for system upgrades and execute this plan, or bury those systems that you cannot upgrade deep behind a firewall. Monitor execution by checking the number of outdated OSes in your asset inventory. You will literally be able to see your security posture improve week by week.

Image caption: Finding PCs that run obsolete operating system versions is simple with an OT asset management system

Another example: Is your network architecture designed with security in mind? How big are your networks? Do you even know how many networks you have, and how they are interconnected? Let’s get more concrete. If you already know that the majority of your OT devices are in one big flat network, or in a handful of networks that are fully routed, you don’t need to search long for ways to improve. If that is your scenario, I would even advise forgetting about CVEs for the next couple of months, until you have a solid plan for network segregation in place and have started to execute that plan.

Example 2: Disaster Recovery

When you look at disaster recovery, the underestimated value of security execution becomes even more obvious. Can we all agree that presently, the biggest cyber risk for asset owners comes from ransomware? Good. If you also concede that your existing prevention capabilities might not be sufficient, the logical consequence is to focus on disaster recovery.

In practical terms, this translates to your ability to fully recover systems within a predetermined timeframe. Depending on your processes and on individual system criticality, that timeframe might be in the range of several hours, or several days. Setting appropriate recovery goals is not rocket science and can be done by SMEs if they can rely on a solid asset inventory.

The next step is to implement technology that allows you to meet your recovery objectives. This pretty much boils down to a managed backup solution, which, for your PLCs, means a PLC version control system. Just imagine you could tell with a click of the mouse how many of your PLCs are properly backed up, and how many are not.

Actually, that’s easy with existing technology, and it gives you a solid metric of your disaster recovery capability. And on the day when the matter hits the fan, you’ll be the hero who restored operations within hours. That is security execution that really makes a difference.
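The two metrics described above, the obsolete-OS count from Example 1 and the "properly backed up" count from Example 2, come down to simple queries over an asset inventory. The following is an added illustration, not code from the article or from any asset management product; the inventory records, the recovery-age limits per criticality tier and the TODAY date are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample asset inventory (not real data). Each record carries the
# fields the two examples rely on: OS version, criticality tier and the date of
# the last known-good backup (None = never backed up).
INVENTORY = [
    {"id": "HMI-01", "os": "Windows XP", "tier": "high", "last_backup": date(2024, 4, 28)},
    {"id": "HMI-02", "os": "Windows 10", "tier": "high", "last_backup": date(2024, 4, 30)},
    {"id": "ENG-01", "os": "Windows 7", "tier": "medium", "last_backup": None},
    {"id": "PLC-01", "os": "firmware 2.1", "tier": "high", "last_backup": date(2024, 3, 1)},
    {"id": "PLC-02", "os": "firmware 2.1", "tier": "low", "last_backup": date(2024, 2, 15)},
    {"id": "PLC-03", "os": "firmware 3.0", "tier": "medium", "last_backup": date(2024, 4, 15)},
]
TODAY = date(2024, 5, 1)  # constructed reference date for the backup-age check

# The obsolete Windows versions the article names; a production list would be
# fed from vendor end-of-life data rather than hard-coded.
OBSOLETE_OS = {"Windows XP", "Windows 7"}

# Assumed recovery objectives per criticality tier: the oldest backup that still
# counts as "properly backed up". Illustrative values, not the article's.
MAX_BACKUP_AGE = {"high": timedelta(days=7), "medium": timedelta(days=30), "low": timedelta(days=90)}


def obsolete_os_metric(inventory):
    """Protection metric: how many assets still run an obsolete OS, by version."""
    return Counter(a["os"] for a in inventory if a["os"] in OBSOLETE_OS)


def backup_metric(inventory, today):
    """Disaster-recovery metric: ids of properly backed up and of stale assets."""
    ok, stale = [], []
    for a in inventory:
        last = a["last_backup"]
        within_objective = last is not None and today - last <= MAX_BACKUP_AGE[a["tier"]]
        (ok if within_objective else stale).append(a["id"])
    return ok, stale


def weekly_progress(previous_snapshot, current_snapshot):
    """Execution check: by how much did the obsolete-OS count drop since last week?"""
    before = sum(obsolete_os_metric(previous_snapshot).values())
    after = sum(obsolete_os_metric(current_snapshot).values())
    return before - after  # positive = fewer obsolete systems than last week


if __name__ == "__main__":
    print("obsolete OS:", dict(obsolete_os_metric(INVENTORY)))
    print("backup ok / stale:", backup_metric(INVENTORY, TODAY))
```

Run weekly against fresh inventory exports and the two numbers give exactly the kind of trend the article calls security execution.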

Putting it all together

OT security is approaching a watershed where more and more stakeholders realize that they are over-invested in detection technology that doesn’t allow for progress.

At the same time, these stakeholders understand that other segments of the NIST Cybersecurity Framework allow for measurable improvements, especially in the protection and disaster recovery areas. Planning for measurable improvements, actually implementing the plan and checking the results – that is what we call security execution.

OT security execution, with its focus on tangible results, appeals much more to engineering types than a threat-centric approach with its often dramatized aspects of epic conquest against evil unidentified hackers. By putting OT security in the hands of engineers, you are setting the stage for measurable and predictable success.

Given the fact that the predominant risk for OT asset owners is ransomware, security execution is your best bet for preventing an attack, or at least recovering within acceptable limits. Having all your OT assets in an OT asset management system will vastly catalyze your journey towards OT security execution with measurable results.

To learn more about the OTbase OT asset management system, click on the following link.

Paul Veeneman

IT/OT Cybersecurity & Risk Management | International Speaker | Adjunct Professor | Mentor

1 year

Very telling statement from Ralph Langner, "Every single cyber-physical attack on the record exploited very basic design flaws and omissions in the victim’s environment."

Really apt, but empathising with the stakeholder mindset, for them cost and scale are important; some stakeholders just want the cheapest option to fulfil regulation requirements; there are very few stakeholders who understand technology and security at the micro level to devise the most effective long-term strategy. Just the sad reality.

Nathan Boeger - CISSP-ISSAP

USN veteran. Simplifying OT / ICS Security. Compliance. DevSecOps. Neurodivergent & underserved population supporter.

1 year

Great stuff!

Teodosio Gutiérrez

Co-Founder & CEO @ SecurityGate | Industrial Risk Management

1 year

Great article and thesis. Improvement is only achievable through validated/continuous control closure. I couldn’t agree more!

Mosab Elamin

OT Security Consultant_Certified IEC62443 Expert

1 year

By this approach one can see a moving needle, as they say.
