5 Things every CISO should know about operational technology
13 March 2019
As organizations recognize the need for a unified understanding of the entire IT/OT attack surface, some are shifting responsibility for OT security to the Chief Information Security Officer (CISO). The shift isn’t an easy one for a CISO to make, says Eitan Goldstein, Senior Director of Strategic Initiatives at Tenable.
Cyber-attacks resulting in the disruption of operations/physical infrastructure ranks as one of the top five global concerns identified by the World Economic Forum’s Global Risks Report 2019.
The other four events survey participants found more concerning were: economic confrontations and/or frictions between major powers; the erosion of multilateral trading rules and agreements; political confrontations/frictions between major powers; and cyber-attacks resulting in the theft of data and/or money.
That’s right: cyber-attacks are considered to be only moderately less scary than trade war for the 1,000 members of the WEF community -- made up of leaders in government, private sector and academia -- who contributed to the report.
This indicates people not only understand the sheer frequency of cyber-attacks, they also appreciate the risk they pose to our digital economy and our very way of life. These rankings reflect the global impact WannaCry, Equifax and hundreds of other successful cyber-attacks have had on our global psyche.
Yet, most of the organizations we work with in sectors typically associated with critical infrastructure -- including utilities, oil and gas, and manufacturing -- are struggling to secure the Operational Technology (OT) used to manage and maintain these systems.
It’s only in the last decade or so that OT systems began converging with IT, as networks and sensors improved and organizations began recognizing the business value in collecting and analyzing the data being gathered by these industrial systems. While such convergence is enabling improved efficiencies, it’s also making it easier than ever for bad actors to exploit digital vulnerabilities to cause real, physical harm.
Modern systems are built on legacy technology
Modern OT environments have evolved over decades and are often saddled with legacy equipment which can only run on outdated software. These systems are being connected to the business applications, databases and networks traditionally run by the IT organization, resulting in a complex, sensitive and vastly expanded attack surface.
As organizations recognize the need for a unified understanding of the entire IT/OT attack surface, some are shifting responsibility for OT security to the CISO.
The shift isn’t an easy one for a CISO to make. Not only does it require learning about a whole new ecosystem of technology, it also requires finding ways to work with a part of the organization that, until now, has probably operated with a fair degree of autonomy and minimal interaction from an IT security perspective.
If you’re a CISO who’s been recently charged with securing a converged IT/OT environment, here are five things you need to know:
- Achieving true visibility into your entire attack surface isn’t easy. Traditional IT asset discovery and vulnerability assessment tools are not widely used in OT because they may disrupt operations: a port scan or credentialed probe that is harmless to a workstation can hang or reboot a controller. Identifying and assessing IT and OT devices therefore calls for different techniques -- active scanning for IT, and passive monitoring of network traffic for OT -- so that the assessment itself never causes unintended downtime.
- You’re encountering a whole new ecosystem of vendors. Whether you’re working with the simplest Industrial Control Systems (ICS) and Programmable Logic Controllers (PLCs) or the most advanced Supervisory Control and Data Acquisition (SCADA) systems, your OT environment is only as secure as the devices, applications and network it’s built on. Rife with interdependencies, these technologies serve the part of your business that has zero tolerance for downtime, making OT environments notoriously challenging to update and patch. And, typically, these systems are built for availability and functionality rather than for cyber security.
- The OT team probably won’t be happy to see you. Their mission is to keep critical systems up and running -- even if it means connecting to a Human-Machine Interface (HMI) running an unpatched version of Windows 95 -- and you’re going to be seen as the person who wants to slow them down. It pays to brush up on your diplomatic skills. And, when all else fails, consider bringing free lunch and snacks the next time you meet with them.
- Take the time to agree on which team owns which parts of the system -- before an incident occurs. This way, you’ll have a clear plan for who will handle remediation of each application and you’ll know who is accountable for making sure patches are deployed.
- Don’t overlook physical safety. You’re probably accustomed to evaluating the effects of a cyber attack in terms of business risk -- how the potential loss of data will impact the company’s bottom line or its brand reputation. While these outcomes can have serious implications for the individuals affected, a breach of an OT system introduces a whole new vector of direct human impact. For example, if a system responsible for controlling heavy equipment on an assembly line should be compromised, it could have instant and tragic human consequences for those on the shop floor, resulting in injury or loss of life. If a system responsible for controlling a nuclear reactor is compromised...well, you get the idea.
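The first point above, that OT assets should be inventoried from network traffic rather than probed, is easier to appreciate with a concrete sketch. The following is an added example, not code from the article or from Tenable: it builds a device inventory purely from captured Modbus/TCP frames (the header layout is the public MBAP format: transaction ID, protocol ID, length, unit ID, then the function code), records which hosts issue write commands to which controllers, and never sends a packet. The frames, IP addresses and host roles are constructed for illustration; in practice the records would come from a SPAN port or network tap, and a production tool would handle many more protocols than Modbus.

```python
import struct
from collections import defaultdict

# Public Modbus function codes (Modbus Application Protocol specification).
READ_FUNCS = {1: "read_coils", 2: "read_discrete_inputs",
              3: "read_holding_registers", 4: "read_input_registers"}
WRITE_FUNCS = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers"}

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MODBUS_PROTOCOL_ID = 0  # the only value defined for Modbus/TCP
MODBUS_PORT = 502


def parse_mbap(payload: bytes):
    """Decode the MBAP header and function code of one Modbus/TCP message.

    Returns (transaction_id, unit_id, function_code), or None if the frame is
    malformed (too short, wrong protocol id, or a length field that disagrees
    with the bytes actually present). Malformed frames are counted, not trusted.
    """
    if len(payload) < MBAP_LEN + 1:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    # The length field counts the unit id plus the PDU, i.e. everything after
    # the first six bytes.
    if proto != MODBUS_PROTOCOL_ID or length != len(payload) - 6:
        return None
    return tid, unit, payload[MBAP_LEN]


def build_inventory(records):
    """Passively inventory Modbus/TCP servers from captured traffic.

    records: iterable of (src_ip, dst_ip, dst_port, payload). Only request
    traffic towards TCP/502 is used; nothing is ever transmitted. Returns
    (inventory, malformed_count). Each inventory entry is keyed by the
    controller's IP and lists unit ids, read/write function codes seen, every
    host that talked to it, and the subset of hosts that issued writes.
    """
    inventory = defaultdict(lambda: {"unit_ids": set(), "read_funcs": set(),
                                     "write_funcs": set(), "talkers": set(),
                                     "writers": set()})
    malformed = 0
    for src, dst, dport, payload in records:
        if dport != MODBUS_PORT:      # responses and non-Modbus flows are ignored
            continue
        parsed = parse_mbap(payload)
        if parsed is None:
            malformed += 1
            continue
        _, unit, func = parsed
        dev = inventory[dst]
        dev["unit_ids"].add(unit)
        dev["talkers"].add(src)
        if func in READ_FUNCS:
            dev["read_funcs"].add(func)
        elif func in WRITE_FUNCS:
            dev["write_funcs"].add(func)
            dev["writers"].add(src)
    return dict(inventory), malformed


def modbus_frame(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request; used here only to construct sample input."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit) + pdu


# Constructed sample capture (hypothetical addresses): an HMI at 10.0.1.10, an
# engineering workstation at 10.0.1.11, and two PLCs at 10.0.2.20 / 10.0.2.21.
SAMPLE_RECORDS = [
    # HMI polls holding registers 0-9 on PLC 1, unit id 1
    ("10.0.1.10", "10.0.2.20", 502, modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
    # engineering workstation writes register 0x0010 := 1 on PLC 1
    ("10.0.1.11", "10.0.2.20", 502, modbus_frame(2, 1, 6, b"\x00\x10\x00\x01")),
    # HMI reads coils on PLC 2, unit id 2
    ("10.0.1.10", "10.0.2.21", 502, modbus_frame(3, 2, 1, b"\x00\x00\x00\x08")),
    # PLC 1's reply to the HMI: not a request, so not inventoried
    ("10.0.2.20", "10.0.1.10", 49152, modbus_frame(1, 1, 3, b"\x14" + b"\x00" * 20)),
    # garbage on port 502 with protocol id 1: counted as malformed, not trusted
    ("10.0.1.99", "10.0.2.20", 502, b"\x00\x01\x00\x01\x00\x02\x01\x03"),
]


if __name__ == "__main__":
    inventory, bad = build_inventory(SAMPLE_RECORDS)
    for ip, dev in sorted(inventory.items()):
        print(ip, "units", sorted(dev["unit_ids"]),
              "writes from", sorted(dev["writers"]) or "none")
    print("malformed frames:", bad)
```

The useful output for a CISO is not the device list alone but the `writers` set: a host that issues Modbus write commands to a controller is, in effect, a control point, and one that the OT team did not expect to see there deserves a conversation before it deserves a scan.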
While the task of securing a converged IT/OT environment may seem daunting, the WEF Global Risks Report offers a glimmer of hope: “Though we often cannot simplify our systems, we can change how we manage them. Research shows that small changes in how we organize our teams and approach problems can make a big difference.”
About the Author: Eitan Goldstein is Senior Director of Strategic Initiatives with Tenable, the Cyber Exposure Company