In previous posts in my series of blogs on cybersecurity in the Middle East, I’ve highlighted the ongoing convergence between information technology (IT) and operational technology (OT). In the face of ever-growing cyber threats, this blurring of the traditional divide makes it critical for organizations to have an incident response capability that’s able to act across the IT-OT boundary.
In fact, the ideal is that there should be no incident response (IR) for OT – just a single IR capability in which IT and OT operate cooperatively and simultaneously. But while this is ideal in theory, it’s complicated to achieve in practice.
Why? In many organizations, the IT and OT teams have different objectives that may conflict with each other. OT prioritizes availability above everything else, and looks to keep production running while maintaining safety by whatever means it has to hand. By contrast, IT prizes confidentiality above all, while managing legal responsibilities and potentially time-critical obligations to customers.
Partly as a result of these differences, we often see situations where an organization doesn’t have one single Security Operations Center (SOC) covering both IT and OT. The most common approach is to have an IT SOC that – when called upon to act in the OT environment – relies on some capabilities provided by the OT organization.
Given the rising scale and severity of the cyber risks confronting OT, this approach is no longer fit for purpose. What’s needed is a unified IR process that works seamlessly across IT and OT. But as organizations attempt to achieve this, they often come up against some tough challenges: different approaches to cybersecurity and risk management in OT and IT, and the fact that their existing IR plans don’t cover OT systems and environments. Also, in many cases the cybersecurity solutions already implemented aren’t ready to work in OT, and IR teams lack OT knowledge and expertise.
How to overcome these challenges? Based on my experience, I would suggest that organizations focus on five key elements to help them create the unified IR capability they need.
Collaboration: Teams in both IT and OT should use a common, shared process to collaborate at all stages and levels of the incident response. This means actions like sharing information about indicators of attack or compromise; determining the endpoints impacted in OT and the function of those endpoints; and analyzing the potential impacts of cyber incidents from the health and safety perspectives.
The teams should also develop a combined approach to threat detection and hunting, and work together during post-incident reviews to reconstruct the sequence of events that allowed the incident to expand across the IT/OT boundary. It’s also important to align the IR approach with the corporate business continuity plans, not only from the recovery actions standpoint but also sharing common KPIs, planning, scheduling and business engagement.
Cross-training IT and OT security teams: Even though the two teams have different backgrounds, skillsets and possibly priorities, they’re still well-placed to understand each other’s challenges. Most cyberattacks originate on the IT network – and in some cases, the security alerts that are generated in IT don’t get to the OT network. Even when they do get to OT, they may be ignored or misinterpreted by OT personnel. Cross-training between IT and OT can get each team closer to the other’s world, providing a single, consistent and combined view of the communications networks, the cybersecurity solutions in place and the systems managing the company’s production processes.
Know the OT environment: Organizations should create and maintain an up-to-date inventory of OT assets, containing extended information to help assess cyber risks. To do this, the inventory should go beyond technical details such as firmware versions and network addresses and include business-relevant information that can be used to categorize the relative criticality of each component.
Create a security baseline: A security baseline requires the use of security solutions specifically designed for the OT environment. In recent years there’s been dramatic growth in the availability of offerings in this space. However, introducing security solutions to the OT environment remains a delicate task, especially if these have the potential to interfere with OT network communications. In these cases, it can be useful to set up ‘Cyber Fusion’ centers – specialized, tailored capability clusters which enable cybersecurity solutions to be tested securely in OT environments that accurately replicate real ones.
Test and evolve: While it’s always important to have plans, it’s even more important to test those plans out before you execute them. IR plans in particular should be tested as much as possible. Tabletop exercises and more realistic disaster recovery exercises are valuable ways to identify potential areas for improvement in the plan – helping organizations not only to determine if the recovery instructions are clear and accurate but also to look into the assets needed to conduct a prompt recovery and the communication channels among stakeholders.
Strategies for an efficient response
With these elements in place, an organization is well-placed to mount an efficient response to cyber incidents that cross from IT into OT. There are a number of strategies it can apply to help do this. One is to mark out and maintain clear boundaries between IT and OT, while exercising tight control over all IT-OT communications. It’s also helpful to have a detailed understanding of the traffic flows required for production: this is usually relatively easy, as OT networks are very deterministic in how they’re structured and how they operate.
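The two practical elements above, an OT asset inventory enriched with business criticality and a baseline of the deterministic traffic flows that production actually needs, can be joined into a single triage step that a unified IT/OT IR team can act on. The following Python example is added here for illustration and is not code from the original post or from any product mentioned in it. It assumes a constructed inventory, constructed IT and OT address ranges, a hypothetical set of pre-approved IT-to-OT flows, and a few made-up flow records; it flags any IT-to-OT flow outside the baseline and rates it by the criticality and function of the OT endpoint involved, so the alert already carries the information the OT team needs to assess health and safety impact.

```python
"""Added example (not from the original post): triage of IT->OT traffic
against an OT asset inventory and a pre-approved flow baseline.
All assets, addresses, firmware versions and flows below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OTAsset:
    name: str
    ip: str
    firmware: str
    function: str      # business-relevant description of the asset's role
    criticality: int   # 1 (low) .. 5 (safety or production critical)


# Constructed inventory for a hypothetical plant; the "extended information"
# is the function and criticality, not just firmware and address.
INVENTORY = [
    OTAsset("plc-boiler-01", "10.20.1.10", "v2.3.1", "boiler pressure control (safety)", 5),
    OTAsset("hmi-line-a", "10.20.1.20", "v7.0", "operator HMI for production line A", 3),
    OTAsset("historian-01", "10.20.2.5", "v4.1", "process historian (reporting only)", 2),
]

# Constructed address plan: IT and OT are separate, bounded networks.
IT_NETWORK = ip_network("10.10.0.0/16")
OT_NETWORK = ip_network("10.20.0.0/16")

# Hypothetical pre-approved IT->OT flows (src, dst, proto, dst_port).
# OT networks are deterministic, so this list is expected to be short and stable.
ALLOWED_FLOWS = {
    ("10.10.5.5", "10.20.2.5", "tcp", 1433),  # reporting server reads the historian
}

# Constructed flow records in a simple "src dst proto dst_port" form.
SAMPLE_FLOWS = [
    "10.10.5.5 10.20.2.5 tcp 1433",    # baseline flow, expected
    "10.10.7.7 10.20.1.10 tcp 502",    # IT host talking Modbus/TCP to the boiler PLC
    "10.10.7.7 10.20.1.99 tcp 445",    # IT host reaching an OT address not in inventory
    "10.20.1.20 10.20.1.10 tcp 502",   # OT-internal HMI->PLC traffic, out of scope here
]


def build_index(inventory):
    """Map OT IP address -> asset record for fast lookup during triage."""
    return {asset.ip: asset for asset in inventory}


def classify_flow(src, dst, proto, port, index, allowed=ALLOWED_FLOWS):
    """Return None for in-scope-and-expected or out-of-scope flows, otherwise a
    (severity, reason, asset) tuple for an IT->OT flow outside the baseline."""
    s, d = ip_address(src), ip_address(dst)
    if not (s in IT_NETWORK and d in OT_NETWORK):
        return None                      # only IT->OT boundary crossings are triaged
    if (src, dst, proto, port) in allowed:
        return None                      # pre-approved production flow
    asset = index.get(dst)
    if asset is None:
        # An unknown OT endpoint is itself an inventory gap worth raising.
        return ("high", "unexpected IT->OT flow to OT endpoint missing from inventory", None)
    severity = "critical" if asset.criticality >= 4 else "medium"
    return (severity, f"unexpected IT->OT flow to {asset.function}", asset)


def triage(flow_records, inventory=INVENTORY):
    """Turn raw flow records into enriched findings the joint IT/OT team can act on."""
    index = build_index(inventory)
    findings = []
    for record in flow_records:
        src, dst, proto, port = record.split()
        result = classify_flow(src, dst, proto, int(port), index)
        if result is None:
            continue
        severity, reason, asset = result
        findings.append({
            "src": src,
            "dst": dst,
            "proto": proto,
            "port": int(port),
            "severity": severity,
            "reason": reason,
            "asset": asset.name if asset else None,
            "function": asset.function if asset else None,
            "criticality": asset.criticality if asset else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

Running the block over the constructed records yields two findings: a critical one for the IT host reaching the safety-rated boiler PLC, and a high one for the IT host reaching an OT address the inventory does not know about. The second case is deliberately rated high rather than ignored, because an endpoint that is absent from the inventory is exactly the gap the "know the OT environment" element is meant to close.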
A further useful step to prepare for effective IR is to have OT-specific IR playbooks, with clear guidance on how, when and by whom things should be done, and pre-approved actions and authorizations to help put these instructions into action at pace. Companies should also establish an IR baseline by finding suitable partners to cover immediate gaps, establishing the Recovery Point Objective (RPO) for OT, and ensuring the inventory of systems and requirements is complete and up-to-date. And it’s a good idea to define a minimum viable architecture, processes and equipment to achieve effective response and recovery.
The final critical step is to develop the full IR plan, including coordinating with business units, vendors, integrators, engineering, procurement and construction (EPC) contractors, and other suppliers to identify optimum recovery strategies. The plan should also involve legal, media and HR teams. And when incidents occur and lessons are learned from them, companies should conduct regular exercises to test out new approaches based on those lessons.
Bringing OT under the IR umbrella
As cyber threats to all connected devices and equipment continue to grow, companies that fail to adequately protect their OT are putting their very future at risk. And the risk is all the greater if OT isn’t covered by the same IR capability that applies to their IT. Put simply, leaving OT outside the ambit of IR is not an option. It’s time to bridge the gap.
Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.
Managing Director – Technology, Cybersecurity Energy Lead, Middle East