Introduction
The converging of IT and OT systems, combined with increased use of IoT in industrial environments, drives the transformation and modernization of their environments. These initiatives are challenging many security practices and capabilities that Industrial organizations need to strengthen or develop to improve their resiliency against an ever-increasing threat regime.
Conformance to good Cyber Security practices and growing regulatory compliance pressure are mounting, as authorities around the world dictate new guidelines to improve the security of critical infrastructures. Furthermore, economic pressures demand the need to keep costs down to stay in business and remain competitive.
Organizations need solutions that will accelerate their digital transformation by providing exceptional network visibility, threat detection and operational insight to this environment.
OT Cyber Infrastructure Operational Capabilities
Considering the sudden rise of cyber risks to the OT environment, and increase of newly discovered vulnerabilities and threats posed to these environments, Cyber Security and risk management leaders need to address these pressing issues with urgent attention. These leaders should strive to accomplish the following 3 goals:
- Strengthen your organization’s security strategy with the use of a hybrid approach of traditional security technologies and specialist controls to protect OT environments.
- Leverage available OT security frameworks and proven practices as a guideline to update Cyber Security strategy, while continuing to look ahead for signs of looming regulations.
- Assess the impact that new digital initiatives may have on your current security setup and operations.
Dexcent proposes that all organizations will need to strengthen their cyber infrastructure operations capabilities on two fronts:
- Deep insights to Monitoring of Assets and Detection of Threats; and
- Administration and Support of the Operational Infrastructure.
We see five key capabilities in each of these two operational services areas. These top 10 capabilities are presented in the next section.
1. Deep Insights to Monitoring of Assets and Detection of Threats
The first four of the following five core capabilities are covered in more details in another Dexcent blog called Top Five Challenges and Solutions of Network Monitoring and Anomaly Detection (NMAD) in OT Networking Environments.
1.1. OT Cyber Asset Management
This capability focuses on how to Accurately Visualize the Network and Automatically Track Industrial Cyber Assets. It provides:
- Passive Asset Discovery across all levels in OT Control systems network (Purdue model layers 3.5, 3, 2, 1), supplemented with optional smart active discovery techniques where safe and justifiable; and
- Asset Information Consolidation across many systems (e.g. OT infrastructure, Network and Security devices, Control Systems).
1.2. Cyber Threat Detection
Rapidly Detect Cyber Threats / Risks and Process Anomalies by:
- Integration of various Technology insights and threat detection capabilities; and
- Supplemented with AI techniques to detect anomalous behaviour from a baseline.
1.3. Monitoring & Insights to Network Activity and Process Data
Monitor Networks and Processes data flows with Real-time Insight and visualization by providing:
- Deep Network Insight/Monitoring and proactive Cyber or Process data Threat Detection; and
- Monitoring of Control Systems process data flows and deviations from normal.
1.4. Vulnerability Management
Passive Vulnerabilities discovery and risk assessment that:
- Identify all know Cyber Security vulnerabilities for all assets under management; and
- Validate vulnerability applicability and risk to the asset, assigning priority for remediation.
1.5. Conformance or Compliance Reviews
Regulatory compliance or internal conformance management by:
- Performing asset management and Information consolidation – a key capability to meet expected outcomes; and
- Preparing and executing Conformance / Compliance / Audit Readiness Reviews periodically (leveraging selected Cyber Security frameworks or standards, assessment tools or services).
2. Administration and Support of the Operational Infrastructure
This group of capabilities addresses day-to-day operational support and administration services to maintain a healthy OT infrastructure and to manage and respond to changes or incidents in the OT environment.
2.1. Incident Management, Problem Troubleshooting and Resolution
Significantly reduce troubleshooting and Forensic efforts by:
- Having deep insights into service interruption or incident information (qualified incident tickets with criticality classification), access to incident event logs, threat analysis and resolution procedures;
- Maintaining analysis tools and experienced staff to resolve the issues; and
- Performing Incident response activities, coordination, and tracking.
2.2. User Administration and Access Management
Daily User administration, access control management, and help desk support that will:
- Support a zero-trust model for all system access and authorization requests;
- Enforce segregation of network layers (e.g. Purdue model) with layer by layer access control;
- Provide monitoring of privileged user access; and
- Enable secure remote access and where applicable implement multi-factor authentication.
2.3. Infrastructure Technical Maintenance and Support
This capability addresses Administration, Configuration Change Management (CCM) and Technical Maintenance and Support services that will provide:
- Risk management control over all changes;
- Vendor support under approved maintenance agreements; and
- Timely Software and Firmware level upgrades to maintain platforms within vendor supported maintenance plans.
2.4. Patch Management
Preparing and applying Security Patches to vulnerable systems by:
- Developing and documenting comprehensive patch remediation plans;
- Validating approvals from ICS vendor for software or firmware patches as it relates to their ICS products for all security patches released by software or hardware vendors;
- Securely obtaining patches from various vendors with integrity of patch files guaranteed;
- Testing of patches before deployment to production environments; and
- Performing patch process on targeted systems and Reporting (usually a manual interaction required to reduce risk).
2.5. Data Backup and Recovery
Data Backup and Restoration of critical Systems, providing:
- Effective and secure data and system backup across all assets in the OT network (no interference) – using deduplication techniques where possible;
- Archives of backup data to off-site locations (or the cloud);
- Seamless support for diverse system platforms in the OT network; and
- Timeous data recovery when needed
Summary Conclusions
Dexcent with several years of experience in Industrial Control Systems (ICS) and having successfully delivered several industrial Cyber Security engagements and solutions, has noted that these 10 capabilities in various states of maturity are the baseline capabilities to integrate into organization’s Cyber Security program and drive the key strategic initiatives for improvement in the annual Cyber Security Roadmap.
Furthermore, we noted that modernization of OT network traffic insights is key to OT asset discovery, network monitoring, vulnerability management, and threat detection challenges that are common in the present day industrial Operational Technology (OT) environment. In addition, deploying a modern Network Monitoring and Threat Detection solution helps to align businesses’ Cyber Security goals as well as it hastens better decision making, operational support and remediation outcomes.
About Dexcent
Founded in 2006, Dexcent Inc. is an engineering consulting and industrial automation company that provides a range of specialized solutions for clients in a variety of industries throughout the world. Our professionals have modernized IT and OT engineering methodologies into comprehensive solutions, specializing in information analytics, Cyber Security, infrastructure, and control systems engineering. As such, we pride ourselves on truly transforming industrial operations to optimize business performance and deliver bottom-line results.
