Securing Operational Technology Q&A: Managing OT Security Operations


In our latest informative webinar, we delved into the ever-critical topic of OT security operations. Our speakers, Kirsten Turnbull and Chase Applegate, shared their insights on numerous concerns and strategies relevant to OT security operations. Here’s a recap of the discussion: 


How is up-to-date patch management being achieved in OT environments?

Up-to-date patch management in OT environments is a nuanced subject. Asked how it is being achieved, Chase answered candidly: “It’s not.” Even so, a delicate balance must be struck between risk management and system updates.

Chase believes “the risk of having a vulnerability…is generally substantially less than the risk of implementing a patch that takes down your systems.” To mitigate these risks, he suggests having “full redundancy in your environment and have a full QA that perfectly emulates everything…to really do it safely and be sure that that patch isn’t going to break something.”

Kirsten adds that systems running on outdated OSes like Windows XP might be automatically considered up-to-date given they have the “last patch that was released 10 years ago.”  

Both experts agree that in many OT scenarios, prioritizing robust layers of security may be more beneficial than focusing on frequent patch management, but they do not advise completely forgoing the process. 

How do you gain visibility when there are third and fourth parties operating between you and the OT devices?

Gaining visibility into OT systems managed by third parties relies on relationship management and strategic technical implementations. The key lies in fostering a good rapport with vendors through regular cybersecurity-focused meetings, ensuring the topic remains a priority. Chase also mentions that while some may resort to independent methods to gain visibility, this could cause conflict. It’s important to approach the matter with a certain finesse and collaboration: “It’s more of the people and process conversation with your vendors.” 

On a technical level, Chase outlines direct solutions such as “placing the defender priority sensor directly in that environment, so you can feed us that span port to the sensor.” 

Furthermore, Kirsten advises including third-party network segments within incident response plans. She also suggested leveraging executive support to ensure visibility. “Making sure that you get your boss to go make that fight for visibility in that area because it’s going to become critical when you’re doing incident response to get the data from there.” This strategy underscores the combination of top-down influence and comprehensive planning necessary to overcome the challenges of OT security. 

How do most organizations structure OT security operations? Is this function typically in information security, IT, or the OT engineering world itself?

Chase Applegate highlights that structuring OT security operations is not a one-size-fits-all solution. He says, “I don’t think that OT or plant operations should own security operations,” but acknowledges the need for diverse skill sets and many players in the OT space. Initially, IT security might lead OT security operations efforts, with specialized teams potentially forming later on.

There’s a tendency towards third-party management for OT security operations at least for tier-one incident triage. “Because of this complexity in a lot of use cases, it makes sense for companies to go with a third party to manage OT security operations.” 

Kirsten reflects on this collaborative approach seen in Canada, where both IT and OT express interest in fortifying cybersecurity measures. She explains, “This is where we want to be, where we can have these hybrid teams that come together…once a week they meet and they go over the alerts…to better tune the system.” This emerging practice showcases the desire for cross-functional collaboration between IT and OT, specifically citing networking as a critical crossover skill.

Top 3 defense strategies against OT threats.

  1. Redundant and Tested Environments: Chase advocates for creating redundancy in OT environments and rigorously testing these systems before applying patches. His stance is clear as he states, “you need to have a full redundancy in your environment and have a full QA that perfectly emulates your environment”.
  2. Strategic Relationships and Technical Monitoring: Building good relationships with vendors and holding regular cybersecurity-focused meetings.
  3. Automation and Alert Optimization: Automation can significantly reduce the number of alerts that need manual review. “We found certain very specific parameters…if those are present then the alert doesn’t need to be forwarded to…a SEC OPS analyst”. This streamlined approach aims to cut down on time and resources while maintaining high vigilance.

What kind of automation use cases can I find in OT security operations?

Chase detailed a scenario where automation plays a critical role: “For one of our clients, we have an alert that regularly fires that could be indicative of a very serious compromise…”. Specifically, he described an automated process tailored to minimize false positives: “…we found if certain very specific parameters are present the alert doesn’t need to be forwarded to a SEC OPS analyst”. With Difenda AIRO, we can now use that information to keep the alert from being forwarded to SecOps analysts.

Chase highlighted the practical benefits of automation beyond high-concept ideas: “…there’s a lot of opportunities that you can have to just streamline your operations”. He emphasized the importance of such measures in terms of optimization and scalability, “especially for someone that’s trying to manage this in-house, nobody wants to get 10 calls a night because there could be an attacker in and they have to manually review it”.

These discussions highlight the advantages of integrating automation into OT security operations to manage alerts and optimize monitoring. 
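The triage pattern Chase describes can be sketched as follows. This is an added example, not Difenda AIRO's logic or code from the webinar; the alert name, field names and "benign" parameters are constructed assumptions, since the webinar does not name them. An alert is auto-closed only when every parameter of a rule matches, and anything incomplete still reaches an analyst.

```python
from dataclasses import dataclass, field

@dataclass
class SuppressionRule:
    alert_name: str
    required: dict  # every key must be present and equal for auto-closure

@dataclass
class TriageResult:
    forwarded: list = field(default_factory=list)    # goes to a SecOps analyst
    auto_closed: list = field(default_factory=list)  # kept for tuning review

def _matches(alert, rule):
    if alert.get("name") != rule.alert_name:
        return False
    # A missing or different field fails the match, so the alert is forwarded.
    return all(k in alert and alert[k] == v for k, v in rule.required.items())

def triage(alerts, rules):
    """Forward every alert unless one rule matches it completely."""
    result = TriageResult()
    for alert in alerts:
        rule = next((r for r in rules if _matches(alert, r)), None)
        if rule is None:
            result.forwarded.append(alert)
        else:
            # Record which rule closed it so the decision can be audited.
            result.auto_closed.append({**alert, "closed_by": rule.alert_name})
    return result

# Constructed rule: hypothetical parameters that mark the alert as expected work.
RULES = [SuppressionRule("PLC program download", {
    "src_host": "eng-ws-01",
    "change_ticket": True,
    "in_maintenance_window": True,
})]

# Constructed sample alerts.
SAMPLE_ALERTS = [
    {"id": 1, "name": "PLC program download", "src_host": "eng-ws-01",
     "change_ticket": True, "in_maintenance_window": True},
    {"id": 2, "name": "PLC program download", "src_host": "eng-ws-01",
     "change_ticket": True, "in_maintenance_window": False},
    {"id": 3, "name": "PLC program download", "src_host": "eng-ws-01",
     "in_maintenance_window": True},  # change_ticket field missing
    {"id": 4, "name": "New device on control network", "src_host": "eng-ws-01",
     "change_ticket": True, "in_maintenance_window": True},
]

if __name__ == "__main__":
    outcome = triage(SAMPLE_ALERTS, RULES)
    print("forwarded:", [a["id"] for a in outcome.forwarded])
    print("auto-closed:", [a["id"] for a in outcome.auto_closed])
```

The `auto_closed` list is retained so suppressed alerts can be reviewed later, for instance in the weekly alert-tuning meeting Kirsten describes.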


Are you seeing more SCADA deployments to integrate with PLCs for data acquisition as well as saving configuration?

The trend towards integrating sophisticated data handling with Programmable Logic Controllers (PLCs) has been notably rising. Kirsten confirms she’s seeing “every single command that’s sent to the PLC.” This suggests a significant improvement in the granularity and transparency of PLC operations, critical for both security and operational optimization.

Kirsten also emphasizes the leap toward big data and its impact on operational technology. “We’re seeing the demand for that is more from an optimization perspective…So we’re talking now, big data.” By leveraging big data analytics, organizations can better engage in practices like predictive maintenance, deriving insights based on the extensive data acquired from PLCs. 

Furthermore, there is a growing interest in not only data acquisition but also the safeguarding of PLC configurations. “I’ve had customers that say, we wanna see what the config was before and after.” This attention to configuration details is a testament to the proactive measures companies are adopting to maintain oversight and ensure swift recovery efforts. She acknowledges the differences in protocols and how they affect the viability of tracking configurations, yet reinforces that the industry is moving in that direction: “That’s really dependent on the protocol that’s being used, but yeah, so we are seeing it definitely.”

For more detailed insights, watch the full webinar, where our experts break down the complexities of OT cybersecurity.  
