In a world increasingly reliant on interconnected systems, securing OT is of strategic importance. Our recent webinar, “Securing Operational Technology: A Live Q&A for Cybersecurity Leaders,” focused exclusively on this critical arena, diverging from industries including retail and healthcare to a broader industrial perspective.
Kirsten Turnbull and Chase Applegate, shared valuable insights into how organizations can effectively fortify their OT environments against cyber threats. They delved into topics such as network segmentation, encryption of device communications, and the symbiotic relationship between IT and OT security practices.
In this blog post, we’ll highlight some of the key takeaways from the event.
Key takeaways from this blog
- There is an essential need for protocol parsers, like the horizon parser, to bridge the gap between sophisticated cybersecurity demands and customer capability. Difenda can assist customers in generating these crucial parsers for enhanced protection.
- 90% of incidents in OT environments have to deal with third-party contractors, USB sticks, or tethering laptops to cell phones for fantasy football or adult entertainment.
- Segmentation within networks is important to combat the rising threat of ransomware attacks. Devices, such as IV pumps that connect automatically to the internet for updates, should be on a separate VLAN to limit access and minimize potential breaches.
- Many attacks in OT originate from IT. Solid IT security is a strong foundation for OT security.
- Automation is being used in the OT environment to filter alerts and reduce the number of instances requiring manual review, thereby saving time and resources.
Meet Our Hosts
Kirsten Turnbull, a Technical Specialist at Microsoft with GCIA, GCIH and CISSP certifications, has been recognized as one of Canada’s top women in cybersecurity. She has a deep understanding of network security. As well as extensive experience across various industries, including Oil & Gas, Manufacturing, Utility, Pharmaceutical, and Mining. Kirsten offers invaluable insights into the unique challenges of OT security.
Complementing Kirsten’s expertise, we have Chase Applegate, a Senior Engineer with a proven track record in cyber research and response for operational technology. Chase is known for his innovative solutions in safeguarding organizations against emerging threats. He has a robust understanding of the technological landscape and its vulnerabilities. Combined with his expertise in threat detection techniques, and experience in in-house manufacturing security operations teams makes him a go-to authority in the field.
Security Testing and Compliance
While the foundational level of NERC CIP does not explicitly mandate a comprehensive OT asset inventory, an inventory is implicit in achieving compliance with its requirements. By utilizing tools like Microsoft Defender for IoT, organizations can establish a robust asset inventory, laying the groundwork for a holistic security program. These tools not only facilitate compliance but also enable proactive management of cybersecurity risks across OT environments.
For security testing of new, custom OT/IoT devices, it’s critical to integrate ‘Security by Design’ principles. This should start right from the device conception stage and continue through development and deployment. Device manufacturers must incorporate rigorous security testing throughout the development process, including penetration testing and vulnerability assessments.
Creating custom parsers is also a strategic move; this allows for the decoding and analysis of proprietary or unfamiliar protocols that may exist in OT environments. Equipping Defender for IoT with such custom parsers enables a more tailored approach to asset monitoring.
Managing Third Party Operations
There is a significant risk management challenge presented by third-party operations in OT environments. But both speakers dispelled the myth of “air gaps” as a foolproof security measure. They highlighted instead the importance of maintaining visibility over network activities. Malicious code can be introduced in numerous ways, invalidating the false security promised by a completely isolated system. Applegate underscored the risks of not having network visibility as greater than the perceived benefits of air gaps.
The reality, as Turnbull mentioned, “90% of incidents I see in OT environments have to deal with third-party contractors, USB sticks, or tethering laptop to cell phone for fantasy football or adult entertainment.” These breaches emphasize the critical need for conscientious protocol adherence and the human element in safeguarding information systems.
What organizations need to do is have a robust incident response plan that includes third-party network segments. These plans should be championed by leadership to ensure access to crucial data during cybersecurity incidents. Establishing strong relationships with vendors and maintaining an ongoing dialogue about cybersecurity can also help. This will align all parties toward securing OT environments without sacrificing the operational functionality critical to business success.
The Importance of Network Segmentation In Securing OT
Network segmentation emerges as a foundational strategy in reinforcing OT cybersecurity. Particularly in the healthcare sector where connected medical devices are ubiquitous. Devices such as IV pumps are constantly connecting to the internet for updates, making them potential targets for cyber threats. Such devices ideally exist on their own VLAN, isolated from the rest of the network. Restricting their internet access solely to legitimate update sites.
This level of network segmentation is not merely a best practice but is increasingly seen as a critical challenge within the industry. When these devices are properly partitioned into distinct segments, they are shielded from widespread network threats. Ultimately mitigating the risks of sweeping ransomware attacks. Without proper segmentation, it’s like you are leaving the front door open for cyber attackers to access your entire environment.
We know that robust IT security frameworks bolster OT defences, yet segmentation is often the missing piece in many cybersecurity blueprints.
Securing OT With Automated Security Operations
One of the most significant discussions during the webinar centred around the transformative potential of automating security operations. By leveraging automation, through tools like Difenda AIRO, security teams can conduct “automatic incident triage” to streamline and improve the efficiency of response mechanisms. The agility granted by automation allows for the creation of custom scripts or tailored KQL queries to provide additional context during incidents.
Automation can also be used on a case-by-case basis. It can analyze recurring alerts, gather crucial data points, and determine benign or malicious activity without manual intervention. An example of this application is Microsoft Sentinel, which amplifies the capabilities of Defender for IoT. It transforms the SOC’s responsiveness and enables a higher level of precision in threat detection and response.
Kirsten Turnbull also highlighted the integration of logic apps that bolster the context-awareness of OT security. For example, when a new device is detected on the network, a Teams alert is sent to the site superintendent. The alert includes targeted information, prompting for verification and action.
Both speakers noted that while Sentinel opens new avenues for security automation, it still respects the foundational principle in OT. It offers actionable insights to the right personnel, allowing for a blend of high-tech capabilities that respect the low-tech nature of critical infrastructure environments.
For more detailed insights:
CONTINUE THE CONVERSATION