Being an OT security manager can be a nightmare. For one, you are accountable for your company’s business continuity, and this is a huge responsibility; if the company can’t manufacture anything, it can’t sell anything, so the pressure is on you to deliver. But delivering is a tough task, we know. And we also know that you’ve invested heavily in various solutions, hoping they will provide the “silver bullet”.
100% cybersecurity will forever remain unachievable. However, the good news is that there are several steps you can take that will even provide budget benefits on top of the cybersecurity ones.
5 OT Security Nightmares That Can be Soothed With Asset Visibility
Lots of OT assets that cannot run any security applications
One of the toughest problems is agent installation. As an OT security manager, you do not have the same luxury as the IT guys back in HQ who can run multiple agents on their endpoints. You either “enjoy” multiple legacy technologies that aren’t compatible with agent-based solutions, or you are using new assets whose manufacturer prohibits any installations. In any case, you reach a dead end.
Here is where physical layer information can come to the rescue. Every asset connected to your network holds a specific physical layer fingerprint – you don’t have to do anything; its sheer existence creates a set of physical layer parameters that, if analyzed correctly, can reveal the asset’s identity.
This passive, non-intrusive approach doesn’t require traffic monitoring, so it’s indifferent to the type of protocol used in that specific OT environment. Inventorying your OT assets has never been so easy.
Traffic-based solutions with false-positive alerts
Traffic-based solutions come with constraints, the first being a limited radar. Imagine playing “hide and seek” with your eyes shut, your ears as your single sensory receptor. Naturally, you will only be able to find the players that make noise. So, if you have an asset not generating any captured traffic, how can you tell it’s there? Physical layer data comes to save the day (once again). The mere fact that an asset is there is enough; if it’s physically connected, you will know about it.
The second constraint is protocol. Many solutions rely on analyzing and validating the traffic, but the “important” traffic may be using a standard or, even worse, proprietary protocol – which means your solution needs to be aware of all the protocol variations out there. However, this ideal scenario is not attainable in practice, and thus, it is not uncommon to receive false-positive alerts from traffic-based solutions. And if there’s one thing you hate, it’s running around in a panic just to find out it was a “blip”.
Thirdly, providing access to your traffic could be a double-edged sword, as all your sensitive data now flows through a third party. Reliable as it may be, it makes you uncomfortable (and rightfully so), as your cybersecurity posture now relies on the cybersecurity efforts undertaken (or rather, not undertaken) by your supplier.
So, if there’s a way to avoid these constraints…well, by now, I think you know the answer.
Any device you are unaware of IS a rogue device until proven otherwise
As the cliché states, you cannot be responsible for what you don’t know. Yet, you need to ensure that you take reasonable action to keep “what you don’t know” at a minimum.
Unless proven otherwise, any device in your OT infrastructure you’re unaware of is a rogue device. Why? If you can’t answer the following questions – what is this device? Is it vulnerable? When was it first connected? When was it last seen? – then you can’t guarantee that it will not disrupt your operational continuity. It’s always the one you’re unaware of that comes to bite you.
Physical layer data offers ultimate visibility, providing the answers to such questions and bringing you closer to 100% operational continuity.
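As an added example (not code from the original post, and not any vendor’s product), the following Python reconciles a list of observed device fingerprints against an approved inventory: anything not on the list is recorded as rogue pending review, every record keeps first-seen and last-seen timestamps, and approved devices that have gone quiet are flagged too. All fingerprint ids, vendor names, line names and the advisory id are constructed placeholders.

```python
"""Rogue-device reconciliation against an OT asset inventory.

Added example, not code from the original post: every observed device is
looked up in the approved inventory; anything not found is recorded as
"rogue" until someone reviews it, and every record carries first-seen and
last-seen timestamps. The fingerprint ids, vendor names, line names and
advisory id below are constructed placeholders.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class DeviceRecord:
    device_id: str
    status: str                      # "approved" or "rogue"
    description: str                 # what the device is
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    advisories: List[str] = field(default_factory=list)  # open vulnerability advisories


# Constructed sample inventory: what the OT team believes is connected.
APPROVED_INVENTORY: Dict[str, DeviceRecord] = {
    "fp-0001": DeviceRecord("fp-0001", "approved", "Vendor-A PLC, line 3",
                            advisories=["VENDOR-A-ADVISORY-PLACEHOLDER"]),
    "fp-0002": DeviceRecord("fp-0002", "approved", "Vendor-B HMI, packaging"),
}

# Constructed sample observations: (fingerprint id, ISO-8601 time seen),
# in the shape a physical-layer sensor might report them.
OBSERVATIONS: List[Tuple[str, str]] = [
    ("fp-0001", "2024-01-10T08:00:00"),
    ("fp-0002", "2024-01-10T08:05:00"),
    ("fp-0003", "2024-01-11T02:30:00"),   # not in the inventory
    ("fp-0001", "2024-01-12T09:00:00"),
    ("fp-0003", "2024-01-12T09:01:00"),
]


def reconcile(inventory: Dict[str, DeviceRecord],
              observations: List[Tuple[str, str]]) -> Dict[str, DeviceRecord]:
    """Merge observations into a copy of the inventory.

    Unknown ids become rogue records; first_seen/last_seen are updated for
    every record. The input inventory is left untouched.
    """
    records = {k: replace(v, advisories=list(v.advisories)) for k, v in inventory.items()}
    for device_id, seen_iso in observations:
        seen_at = datetime.fromisoformat(seen_iso)
        rec = records.get(device_id)
        if rec is None:
            # Unknown until proven otherwise: rogue, pending review.
            rec = DeviceRecord(device_id, "rogue", "UNIDENTIFIED - pending review")
            records[device_id] = rec
        if rec.first_seen is None or seen_at < rec.first_seen:
            rec.first_seen = seen_at
        if rec.last_seen is None or seen_at > rec.last_seen:
            rec.last_seen = seen_at
    return records


def rogue_devices(records: Dict[str, DeviceRecord]) -> List[str]:
    """Ids of devices that are present but not in the approved inventory."""
    return sorted(r.device_id for r in records.values() if r.status == "rogue")


def stale_devices(records: Dict[str, DeviceRecord], now_iso: str,
                  max_age_days: int) -> List[str]:
    """Approved devices not seen within max_age_days (or never seen at all).

    A device that should be there but has gone quiet deserves a look too:
    it may have been unplugged, replaced or moved without a change record.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return sorted(
        r.device_id for r in records.values()
        if r.status == "approved" and (r.last_seen is None or r.last_seen < cutoff)
    )


def seen_window(records: Dict[str, DeviceRecord], device_id: str) -> Tuple[str, str]:
    """First-seen/last-seen as ISO strings ("never" if not yet observed)."""
    r = records[device_id]
    first = r.first_seen.isoformat() if r.first_seen else "never"
    last = r.last_seen.isoformat() if r.last_seen else "never"
    return (first, last)


if __name__ == "__main__":
    recs = reconcile(APPROVED_INVENTORY, OBSERVATIONS)
    for dev in recs.values():
        print(f"{dev.device_id:8} {dev.status:9} {dev.description:32} "
              f"seen={seen_window(recs, dev.device_id)} advisories={dev.advisories}")
    print("rogue:", rogue_devices(recs))
    print("stale:", stale_devices(recs, "2024-01-13T12:00:00", 2))
```

The reconcile step works on a copy so the approved inventory stays the reviewed source of truth; a rogue record is only promoted to approved by a human updating that inventory, never by the code seeing the device again.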
Cybersecurity needs are straining the budget (and the CFO)
Remember that time you came back from Costco carrying huge packets of pasta, only to realize that you already had four packs waiting in the pantry? And that it was, in fact, rice that you were missing? You curse yourself, wishing you had a complete inventory of all your food items so that you could’ve bought what you actually needed and not what you thought you needed?
Cybersecurity doesn’t always have to give the CFO grey hairs; it can actually save the company money by providing an accurate asset inventory. When you know the exact number of a certain PLC or HMI from a specific vendor, you can better manage your budget: verifying that you buy licenses according to the precise number you need, knowing exactly how many PLCs you are going to retire next year, and negotiating the correct type of maintenance and support agreement.
Who would’ve thought that an OT security manager could be liked by the finance department?
Drowning in OT risk and regulation compliance
Whether by law or by your cyber insurance policy, you are required to state your compliance level.
Complete asset visibility, device identification and risk scoring are the foundations for many popular regulations. So, once you have ultimate visibility and control measures in place, you can already check several compliance items off the list, freeing your attention to other challenging requirements.
Sleep tight, OT security manager. Sleep tight.