CISO perspectives: How to secure OT systems
Fortinet's field CISOs Alain Sanchez, Joe Robertson and Rick Peters discuss how to secure OT networks in today's evolving threat landscape
In recent times, OT networks have been undergoing perhaps the most extreme digital transformation in organisations looking to compete more effectively in the digital marketplace. Air-gapped protections are being torn down and pristine environments are being inundated with IT-based solutions and IoT devices. This transformation is essential if organisations are going to be able to respond to the real-time demands and short development cycles of today’s businesses and consumers.
However, because many OT networks have been isolated for so long, they are also particularly vulnerable to malware and criminal activity targeting today’s networks. Outdated hardware, unpatched or unpatchable operating systems and applications, delicate devices and instrumentation, and a compute environment built around the idea of inherent trust all combine to put OT networks, their organizations, and—in the case of many critical infrastructures—the lives of workers and the safety of surrounding communities at risk.
Three of Fortinet’s Field CISOs, Rick Peters, Joe Robertson, and Alain Sanchez, discuss securing OT networks in today’s evolving threat landscape.
OT security has been in the limelight over the last year as digital convergence continues at a rapid pace. What is top of mind on this topic for CISOs right now?
ALAIN: Well, to start, the love-hate relationship is coming to an end. OT has always operated as an outsider of the IT environment, and for good reason, but that has led to some miscommunications over the years—mostly because IT and OT have had very different priorities. And let’s remember that no security officer is taking lightly that “20 billion foreign objects” are coming their way. Particularly those rudimentary devices often used to regulate gigantic industrial processes. These have been out of his remit for a long time, jealously guarded by fierce teams of process engineers who never shared a word of their secrets.
Initially, OT devices were part of a closed universe that was designed for performance and reliability, a disconnected world that only applied the most basic security rules, and only when needed, because connecting the crown jewels to the public IP wilderness was unnecessary. The routing tables have turned now, and under the irresistible pressure of the CFO, these two worlds are being inexorably converged. Fortunately, the “not-invented-here” syndrome has turned into tolerance, and in the light of the huge financial and technical benefits of connecting production sites, a mutual understanding has developed. This is an ideal moment for the right security vendor to step in and compensate for the intrinsic lack of processing power or in-built security of OT environments by exporting essential defense mechanisms to a single, integrated security platform.
JOE: Although the convergence of the IT and OT environments continues apace, it is certainly not something that CISOs have wanted. They understand the IT environment—it is where most of us have spent our careers. Suddenly being handed the OT network portfolio and asked to secure it is a new challenge that few CISOs were asking for. One of their key concerns is that they have so little visibility into the OT risks they face. Of course, they recognize the dangers that convergence entails, but they are also realistic and recognize that this is going to happen regardless of how anyone feels for a variety of financial and operational reasons. The challenge is how to bring the IT and OT worlds together under one roof.
To me, the problem of combining IT and OT environments can be compared to a problem in ecology. Many, if not most, OT environments are like islands that have been isolated for eons. Their “ecology” has grown up in isolation because the air gap between the OT network and the rest of the IT environment has protected it like a wide ocean protects the species on a remote island. As a result, many OT systems have “evolved” over the decades. They use very old technology and have little or no internal security, and as a result, are extremely vulnerable. When the first European ships landed at one of these remote islands they brought rats that decimated the local fauna, which had not evolved with a defense against so voracious a predator. Similarly, interconnecting with an IT network opens up OT to the predatory world of cyber-attacks and malware for which it is unprepared. How to protect those OT systems while still allowing important data, telemetry, and HMI (Human Machine Interface) traffic to reach its destination is the conundrum CISOs are wrestling with.
RICK: CISOs recognize that innovation and technology-driven change is inevitable, and the impact on OT brought about by the desire to gain operational efficiency is certainly no exception. The executive commitment to optimizing industrial business practices via advanced software, dramatic growth in enabled sensors, and the desire to leverage massive amounts of data and analytics challenges the CISO’s ability to lead the charge to balance the security side of the equation, especially given the sudden and exponential growth in the attack surface. This top of mind challenge is complicated further across the vertical subsectors where OT subject matter experts prefer security practices based on legacy configurations.
Likewise, the CISO is confronted with a set of business values that are distinct and unique to OT, in that sustaining continuous and safe operations is the absolute imperative. Those CISOs that are tuned into the “winds of change” for OT also recognize that advances in technology bring about new ways to think about protecting the convergence of the cyber and physical world that is common in the OT space. While traditional IT security practices can offer some comfort (think perimeter defense), it is essential to recognize that protecting prized, high-value OT assets and the intellectual property that distinguish a business requires much more than a well-placed firewall. Due to the predatory nature and intent of cyber-adversaries who seek to successfully execute campaigns impacting OT targets, CISOs need to remain aware of the security industry’s commitment to developing advanced solutions that deliver protection from the inside-out.
Have there been any unexpected insights gained during recent weeks that CISOs should learn from going forward, in particular for OT in terms of business or mission continuity?
ALAIN: Automation and Segmentation have been the two attributes that have saved many OT architectures from attacks or malfunctions during these weeks of confinement. The first one scales up security on networks that have been inverted to accommodate remote workers, and the second significantly decreases the devastating effects of cyber-attacks on industrial infrastructures. However, the OT wave is so large that automation needs to quickly expand to include orchestration. The response team needs to be backed up by machine learning algorithms to cope with the speed and the scope of these attacks. This not only relieves the pressure of monitoring, and manually correlating network and security events, but it also enables humans to do what they do best: imagine defense strategies instead of compiling logs.
JOE: As I mentioned, protecting OT is not unlike protecting an island’s native plants and animals from invasive species. First, you have to work hard to remove all the invasive plants and animals, put up appropriate barriers to keep new ones out, and then constantly monitor to make sure nothing has slipped through the cracks. All this is no simple task, and it takes time – on an island or in a network.
However, given the global pandemic and associated lockdowns, production teams have been suddenly forced to run—or halt—many systems remotely. This has meant monitoring plants and processes from afar. Even those environments not in use must be safely shut down and monitored to prevent unintended activity, damage, etc. This sudden scramble for remote control and monitoring has created an enlarged attack surface that bad actors are trying to exploit. CISOs have been racing to catch up and to ensure protection. And in many cases, those CISOs have only just been told to manage the OT side of the house.
RICK: CISOs have been reminded that periods of social and global disruption are often coincident with an increase in cyber adversarial-motivated campaigns. Recent hacking initiatives rely on less complex techniques because of the perception that there is significantly increased human error during periods of heightened stress. Add to that the implementation of business practices designed to extend and expand the remote workplace and the attack surface expands to an even greater degree. Neutralizing the effectiveness of the surge in cyber activity geared to accomplish disruption requires attention on multiple fronts to heighten workforce situational awareness at the edge, as well as with techniques like micro-segmentation that control movement within the OT network infrastructure. The recent global increase in malicious and disruptive activity has simply reinforced the CISO’s awareness of the need for proactive cybersecurity practices that harden the OT environment to an extent where outmaneuvering the adversary is a realistic objective.
What one OT security strategy stands out in terms of importance or difference for the long term protection of OT environments?
ALAIN: Three important steps have recently turned into golden rules. The first is the identification of all critical assets as a prelude to any security deployment. In addition to identifying what really matters, this sequencing will be very important for an efficient segmentation plan. Next, the operational objectives need to be aligned with IT priorities. When this step is skipped or only partly achieved, we have observed longer downtime—which is the last thing production lines will be able to afford as industries have to ramp up at full steam. And last but not least, the design of the protection plan must equally integrate the specifics of the IT and the OT world. This includes the similarities and differences between both environments. The biggest challenge of cybersecurity is to protect the converged world without degrading the precious performance of the production lines.
JOE: I very much agree. When it comes to protecting an OT environment, there is no one-size-fits-all solution. Every environment is different. There is, however, a high-level strategy that does work, regardless of the specific tactics necessary for a particular situation. That strategy is to have a holistic, open security posture where threat information from various devices (and vendors) can be collected and managed, and then turned into intelligence that is pushed back out to all of the security devices in both the IT and OT environments.
This means 1) having visibility into the OT network, 2) being able to inventory the devices and applications that are there, 3) putting up powerful gateways with role-based network access so only authorized personnel and tools have access to the OT network(s), and 4) ensuring that all devices can be managed and monitored as a unified whole. These tools exist for IT networks, and some, such as gateways, can easily be used in OT networks as well. Others rely on understanding OT-specific network protocols, ICS and SCADA implementations, PLCs, etc. CISOs should be looking for open ecosystems where IT and OT tools can interact. The Fortinet Security Fabric is just such an open ecosystem. Published APIs provide tried and tested links to products from hundreds of IT and OT hardware and software vendors, allowing integrated visibility, monitoring, and management of both IT and OT environments.
RICK: The single most important strategy, in my opinion, is recognizing the inherited range of vulnerabilities that result from the convergence of IT and OT infrastructure. The broadened attack surface exposes a significant range of opportunities for cyber attackers to penetrate and establish a multi-point presence on OT targets of primary interest.
Implementing best cyber practices that deliver security beyond just perimeter detection and protection, and focus on recognizing and analyzing unknown and unusual behavior, is vital. That often starts with complete visibility combined with enforcing earned trust for all devices within the OT infrastructure. Strict identification of approved access and roles, and consistent enforcement of controls to limit movement within an environment are equally important.
In today’s digitally transformed OT environment, it is important to acknowledge the likelihood of breaches, both past and present, and detect any event that could threaten productivity. Adopting an ecosystem strategy to protect OT is the more sensible approach, as building-in security can yield awareness of insider activity. For OT, that is essential, as implementing such a strategy can deliver the security services essential to sustaining safe and continuous operations, and accomplish such awareness with transparency, scale, and speed.
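The controls Joe lists (an asset inventory of the OT network, role-based gateways, unified monitoring) and Rick's points about approved roles and limiting movement can be tied together in a small policy check. The following is an added example, not code from the interview or from Fortinet: it assumes a Purdue-style zone layering in which traffic should not skip a zone level, an inventory that assigns each asset a role and zone, and an allow-list of approved role-to-role flows. The inventory, policy and flow log lines are all constructed sample data; a real deployment would populate them from the gateway and asset-discovery tooling.

```python
"""Zone/role flow audit for a converged IT/OT network (added, constructed example).

Assumptions (not from the interview): a Purdue-style zone ordering in which
a flow must not jump more than one zone level (IT -> IDMZ -> OT), each
inventoried asset has one role, and the only approved traffic is an explicit
allow-list of (source role, destination role, protocol). Everything else is a
finding: either an inventory gap (unknown device) or unapproved movement.
"""
from dataclasses import dataclass
from typing import Dict, List

# Zone ordering: lower index = closer to the plant floor (hypothetical names).
ZONE_LEVEL = {"ot-process": 0, "ot-supervisory": 1, "idmz": 2, "it-enterprise": 3}


@dataclass(frozen=True)
class Asset:
    ip: str
    role: str
    zone: str


# Constructed asset inventory (the "visibility" step).
INVENTORY: Dict[str, Asset] = {a.ip: a for a in [
    Asset("10.10.1.10", "plc", "ot-process"),
    Asset("10.10.2.20", "hmi", "ot-supervisory"),
    Asset("10.10.2.30", "engineering-ws", "ot-supervisory"),
    Asset("10.10.3.40", "historian", "idmz"),
    Asset("10.20.0.50", "corporate-laptop", "it-enterprise"),
]}

# Approved role flows (the "role-based access" step); anything absent is denied.
ALLOWED_FLOWS = {
    ("hmi", "plc", "modbus"),
    ("engineering-ws", "plc", "s7comm"),
    ("hmi", "historian", "opcua"),
    ("corporate-laptop", "historian", "https"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


def check_flow(flow: Flow, inventory=INVENTORY, allowed=ALLOWED_FLOWS) -> List[str]:
    """Return the policy findings for one flow; an empty list means it conforms."""
    findings: List[str] = []
    src = inventory.get(flow.src)
    dst = inventory.get(flow.dst)
    if src is None:
        findings.append(f"unknown source asset {flow.src} (inventory gap)")
    if dst is None:
        findings.append(f"unknown destination asset {flow.dst} (inventory gap)")
    if src is None or dst is None:
        return findings  # cannot evaluate roles or zones without inventory data
    # Zone check: a flow that skips a level bypasses the gateway that should mediate it.
    if abs(ZONE_LEVEL[src.zone] - ZONE_LEVEL[dst.zone]) > 1:
        findings.append(f"{src.zone} -> {dst.zone} skips an intermediate zone")
    # Role check: only explicitly approved role/protocol combinations are allowed.
    if (src.role, dst.role, flow.proto) not in allowed:
        findings.append(f"{src.role} -> {dst.role} over {flow.proto} is not an approved role flow")
    return findings


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed 'src=... dst=... proto=...' log line into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"])


def audit(log_text: str) -> Dict[Flow, List[str]]:
    """Audit every non-empty log line and return only the flows with findings."""
    result: Dict[Flow, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        findings = check_flow(flow)
        if findings:
            result[flow] = findings
    return result


# Constructed flow records as a gateway might export them.
SAMPLE_LOG = """
src=10.10.2.20 dst=10.10.1.10 proto=modbus
src=10.20.0.50 dst=10.10.3.40 proto=https
src=10.20.0.50 dst=10.10.1.10 proto=modbus
src=10.10.9.99 dst=10.10.1.10 proto=modbus
src=10.10.2.30 dst=10.10.1.10 proto=s7comm
src=10.10.2.20 dst=10.10.2.30 proto=ssh
"""

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_LOG).items():
        print(f"{flow.src} -> {flow.dst} ({flow.proto})")
        for finding in findings:
            print(f"  - {finding}")
```

On the constructed log the audit reports three flows: the corporate laptop reaching a PLC directly (a zone skip and an unapproved role flow), a device missing from the inventory talking to a PLC, and an HMI opening SSH to an engineering workstation (same zone, but not an approved role flow). The approved HMI-to-PLC, engineering-workstation-to-PLC and laptop-to-historian flows produce no findings. The allow-list design is deliberate: a default-deny role policy is what turns the inventory into enforceable "earned trust", and the zone-hop rule gives a cheap first signal for movement that bypasses the gateway layer.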