Securing Operational Technology Q&A: Best Practices and Compliance

In our latest webinar, we delved into the ever-critical topic of securing operational technology (OT). Our speakers, Kirsten Turnbull and Chase Applegate, shared their insights on common concerns, best practices and compliance when securing OT systems. Here is a recap of the questions addressed:

Watch the full webinar here.

Do you recommend and follow ISA 62443 for Securing Operational Technology?

When answering this question, Chase highlighted that “It’s not just about compliance; it’s about constructing a resilient OT security posture. As we say, ‘Security is only as strong as its weakest link,’ and that’s why we champion the ISA/IEC 62443 standards. They provide the comprehensive guidelines that ensure all links in the chain are robustly protected.”

ISA/IEC 62443 provides a structured approach to OT security, from defining requirements and procedures to implementing the corresponding security controls. In the North American power sector, NERC CIP applies alongside it: while NERC CIP does not explicitly mandate a comprehensive OT asset inventory, you cannot demonstrate compliance with many of its requirements without one, so the inventory is a practical prerequisite.

By using tools such as Microsoft Defender for IoT and other OT monitoring solutions, organizations can establish a robust asset inventory and so lay the groundwork for a holistic security program. These tools not only facilitate compliance but also enable proactive management of cybersecurity risk across OT environments.

Any recommendations on security testing of new, custom OT/IoT devices?

As Chase highlighted in the webinar, “For security testing of new, custom OT/IoT devices, it’s critical to integrate ‘Security by Design’ principles. This should start right from the device conception stage and continue through development and deployment.” He stressed, “Device manufacturers must incorporate rigorous security testing throughout the development process, including penetration testing and vulnerability assessments.” 

Firmware analysis is another vital tool for security. By examining the firmware, you can understand the functionalities and potential flaws in your OT/IoT devices. Kirsten added that “Creating a secure development lifecycle (SDLC) for IoT devices is paramount. Within this lifecycle, employing threat modeling is essential to anticipate potential attack vectors.” She advised that “Companies must insist on regular security audits and firmware updates to respond promptly to newly discovered threats.”  

Creating custom parsers is also a strategic move: it allows proprietary or unfamiliar protocols found in OT environments to be decoded and analysed rather than treated as opaque traffic. Equipping Defender for IoT with such custom parsers enables a more tailored approach to asset monitoring, since the monitor can then see which device is being addressed and what it is being told to do.
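To make the point concrete, here is an added example (written for this recap, not code from Defender for IoT or its parser SDK) of what a custom protocol decoder does for a monitor. The frame layout, the opcode table and the “safety register” range are all invented for the illustration; a real parser would encode the vendor’s actual wire format, but the shape is the same: validate the frame, decode the fields, then classify the command so that a write to a sensitive register or a maintenance-mode command becomes an alert instead of an unreadable byte string.

```python
"""Decoder for a hypothetical proprietary OT frame (illustration only).

Invented frame layout used by this example:
  bytes 0-1  magic    0xA5 0x5A
  byte  2    opcode   0x01 = READ, 0x02 = WRITE, 0x7F = MAINTENANCE
  bytes 3-4  register address, big-endian
  bytes 5-6  value, big-endian (ignored for READ)
  byte  7    checksum = XOR of bytes 0-6
"""
import struct
from dataclasses import dataclass

MAGIC = b"\xa5\x5a"
OPCODES = {0x01: "READ", 0x02: "WRITE", 0x7F: "MAINTENANCE"}
# Assumed register map: 0x0100-0x01FF hold safety-instrumented setpoints.
SAFETY_RANGE = range(0x0100, 0x0200)


@dataclass
class Frame:
    opcode: str
    register: int
    value: int


class FrameError(ValueError):
    """Raised for frames that fail structural or integrity checks."""


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def parse_frame(raw: bytes) -> Frame:
    """Validate length, magic and checksum, then decode the fields."""
    if len(raw) != 8:
        raise FrameError(f"bad length {len(raw)}")
    if raw[:2] != MAGIC:
        raise FrameError("bad magic")
    if xor_checksum(raw[:7]) != raw[7]:
        raise FrameError("checksum mismatch")
    opcode, register, value = struct.unpack(">BHH", raw[2:7])
    if opcode not in OPCODES:
        raise FrameError(f"unknown opcode 0x{opcode:02x}")
    return Frame(OPCODES[opcode], register, value)


def classify(frame: Frame) -> str:
    """Turn a decoded frame into the verdict a monitor would emit."""
    if frame.opcode == "MAINTENANCE":
        return "alert: maintenance mode command"
    if frame.opcode == "WRITE" and frame.register in SAFETY_RANGE:
        return f"alert: write to safety register 0x{frame.register:04x}"
    return "ok"


def build_frame(opcode: int, register: int, value: int = 0) -> bytes:
    """Encoder used only to construct the sample capture below."""
    body = MAGIC + struct.pack(">BHH", opcode, register, value)
    return body + bytes([xor_checksum(body)])


def analyse(capture):
    """Decode every frame in a capture; malformed frames are reported, not dropped."""
    results = []
    for raw in capture:
        try:
            results.append(classify(parse_frame(raw)))
        except FrameError as e:
            results.append(f"malformed: {e}")
    return results


# Constructed sample capture: a read, a write to a safety register,
# a maintenance command, and a frame with a corrupted checksum.
SAMPLE = [
    build_frame(0x01, 0x0010),
    build_frame(0x02, 0x0120, 0xFFFF),
    build_frame(0x7F, 0x0000),
    build_frame(0x02, 0x0010, 5)[:-1] + b"\x00",
]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE, analyse(SAMPLE)):
        print(raw.hex(), verdict)
```

The checksum and magic checks matter in a monitor, not only on the device: a parser that decodes garbage as a plausible command will generate false alerts, and a malformed-frame counter is itself a useful signal of fuzzing or a misbehaving node on the segment.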

Not to be overlooked, third-party risk management plays a crucial role in securing OT/IoT ecosystems. Establishing and enforcing cybersecurity requirements with all vendors, along with clarifying risk ownership, creates a solid foundation for a defense-in-depth strategy. “Vigilance in security testing is not just about observing best practices—it’s about creating a culture of continuous improvement and preemptive defense.” 

How are best practices evolving with regard to maintaining an air gap between IT & OT systems?

Chase pointed out, “To me, there’s really no such thing as a true air gap”, suggesting that reliance on air gaps is “frankly a false sense of security”. Best practice has evolved towards a balance: minimising but actively managing the points of entry, while maximising visibility and control over them. Effective security must accept that “there’s always gonna be ways that malicious code could get introduced into your environment”.

Once human error and mundane vulnerabilities are acknowledged, such as someone plugging an e-cigarette into a workstation to charge it, the focus shifts to enforcing controls that mitigate the very real risk of inadvertent threats, like those involving “USB sticks tethering a laptop to cell phone for fantasy football”. Monitoring and controlling these limited points of interface between IT and OT systems is the contemporary alternative to the illusion of an absolute air gap: a posture that is more realistic and also more vigilant against both conventional and unforeseen threats.
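The monitoring described above has to run against something, so here is an added example (not part of the webinar or of any product discussed in it) of the detection logic over device-connection events from OT-zone hosts. The log format is invented key=value text and the five lines are constructed for the example; in practice the events would come from endpoint telemetry or a USB control tool. The rules encode exactly the two cases the speakers describe: a network-class USB device (a tethered phone typically enumerates as an RNDIS network adapter) and removable storage that is not on the site’s approved list.

```python
"""Flag risky USB device connections on OT hosts from constructed event logs."""
import re

# Constructed sample events in an invented key=value format (not from a real product).
LOG = """\
2024-05-01T10:02:11Z host=eng-ws-01 zone=OT event=device_connected class=USB_MASS_STORAGE vid=0781 pid=5583 desc="SanDisk Ultra"
2024-05-01T10:05:42Z host=eng-ws-01 zone=OT event=device_connected class=NET vid=18d1 pid=4ee3 desc="Remote NDIS based Internet Sharing Device"
2024-05-01T10:07:03Z host=eng-ws-02 zone=OT event=device_connected class=HID vid=046d pid=c31c desc="USB Keyboard"
2024-05-01T10:09:55Z host=eng-ws-02 zone=OT event=device_connected class=USB_MASS_STORAGE vid=0951 pid=1666 desc="Kingston DataTraveler"
2024-05-01T10:12:30Z host=corp-lt-07 zone=IT event=device_connected class=USB_MASS_STORAGE vid=0781 pid=5583 desc="SanDisk Ultra"
"""

# Assumed site allowlist of (vendor id, product id) pairs for approved transfer media.
APPROVED_STORAGE = {("0951", "1666")}

# key=value or key="quoted value"
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one event line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in LINE_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def evaluate(ev: dict):
    """Return a verdict string for events worth surfacing, else None."""
    if ev.get("zone") != "OT" or ev.get("event") != "device_connected":
        return None
    cls = ev.get("class")
    if cls == "NET":
        # A USB network adapter on an OT host is a new path off the segment,
        # whether it is a phone tether or a deliberate bridge.
        return "high: network-class USB device (possible phone tethering / RNDIS) on OT host"
    if cls == "USB_MASS_STORAGE":
        if (ev.get("vid"), ev.get("pid")) in APPROVED_STORAGE:
            return "info: approved removable storage"
        return "medium: unapproved removable storage on OT host"
    return None


def detect(log_text: str):
    """Run the rules over every line; returns (ts, host, description, verdict) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        verdict = evaluate(ev)
        if verdict:
            findings.append((ev["ts"], ev["host"], ev["desc"], verdict))
    return findings


if __name__ == "__main__":
    for ts, host, desc, verdict in detect(LOG):
        print(ts, host, repr(desc), verdict)
```

Note that the allowlist is keyed on vendor and product IDs only; those are trivially spoofable by a malicious device, so this is a control against accidents and policy drift, not against a determined attacker, which is the correct framing for the human-error cases the speakers raise.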

What are the cybersecurity best practices for securing operational technology used in the real estate sector?

In real estate, best practices for securing operational technology call for a nuanced approach that distinguishes between enterprise IoT (EIoT) and pure OT within building management systems. As highlighted in the webinar, “EIoT devices are like your thermostats. Your Philips light bulbs that are all connecting to the Internet to get their updates,” whereas “pure OT in building management would be, yeah, the PLCs that are doing the actual physical work.”

This classification matters because the two classes have different exposure: EIoT devices typically reach out to the Internet for updates, while PLCs act on the physical plant. Tailoring the cybersecurity strategy to each system type, rather than treating the building as one flat network, is essential for deploying security measures effectively in the real estate sector.

Do you have free integrations with network devices like Cisco, PAN, or Fortinet?

As Kirsten put it, “Defender for IoT isn’t going to integrate with Cisco and Fortinet to create firewall rules to block; what it does do is integrate with those firewalls to analyze the policy set to do attack path vector simulations.” In other words, there is no direct automation of rule creation, but Defender for IoT still plays a role in evaluating and improving network security measures by reasoning over the existing policy. Kirsten also pointed out an option for customers who do favour automation: “there’s nothing stopping you from using Sentinel to integrate with network devices.” She described a scenario in which Sentinel triggers Palo Alto to implement firewall rules in response to alerts. However, Kirsten also noted the general trepidation within the OT community about automated rule creation, with Chase adding, “It’s just a bit scary, right?”

In Europe, the speakers noted, automated firewall rule implementation is further along because organisations there tend to have a “really good baseline” of security measures in place; the suggestion is that while such automation is scarce at present, the industry is gradually moving towards it.

What are the key compliance and regulatory challenges that OT security operations face, especially with the increasing focus on critical infrastructure protection?

Aligning OT security operations with evolving regulations can be challenging. One speaker noted, “I think that a big compliance challenge right now is it’s sort of holding back the cloud a little bit…Compliance has a tendency to be a roadblock for certain cybersecurity initiatives.” 

But the good news is that Kirsten and Chase agree this is changing. 

Kirsten raised the possibility that regulatory bodies may have an outdated understanding of cloud technologies: “I feel like the cloud that being referenced here is a cloud from like 8 or 10 years ago, right. And there’s been so much advancement in terms of security in the cloud and the products that exist within the cloud today.”
