3 steps to help you get your OT SOC off the ground
July 29, 2021
The recent cyber-attack on a U.S. fuel pipeline operator is just one of several ransomware incidents that highlight how exposed OT networks are when they operate without a robust, OT-specific cybersecurity program in place.
If you’re still embracing an “it can’t happen to us” mindset, consider how often contractors or third-party vendors access your network to change or update a control system or a piece of equipment. Does your IT security team know when those changes are happening? What changes were made? Were they approved? If someone can walk into your facility and connect their own laptop to your network, how confident are you that their equipment won’t introduce a vulnerability? And if they upload a system patch or update, how do you know it won’t?
To bring this issue to light, let me share a personal experience. A former employer was experiencing periodic facility shutdowns that were costing about $600,000 per hour. No one could figure out what was causing the issue. After the company made a solid investment in tracking software and connecting systems to that software, we were able to identify the source of the issue—a contractor who was logging in at 2:00 AM and making unapproved changes to the control system. His intentions were not malicious, and he had no idea the impact his periodic changes were having other than keeping the system updated. Without taking the steps to advance its security posture, it’s unclear when, if ever, my former employer would have found the source.
So, what should you do to get the needed visibility to protect your company?
To successfully deploy your OT Security Operations Center (SOC), make sure you (1) design the right architecture for your environment, (2) build with the right tools to get the needed data, and (3) implement with the right people to give your data actionable context.
OT environments are like fingerprints: no two are alike. With a menagerie of PLCs, field sensors, workstations, SCADA systems, machines, and software (some commercial, some home-grown), each is a complex environment that requires a delicate hand and a custom approach to secure.
Unfortunately, few companies have the resources to replicate their OT environment for design and testing. And those that do often find that the test environment quickly becomes the go-to source for replacement switches and other hard-to-find components, so it soon stops matching production.
To address this, we built our OT Cyber Fusion Center (OT CFC) to provide companies with a fully operational OT environment, complete with field control systems and logic controllers, that mimics their own down to the hardware, software, and network communication. We tie this into our security monitoring platform and run live attacks to show where a system is most vulnerable and how the business could be impacted.
From there, we create a proof of concept with specific initiatives and quantified results for designing the architecture that will improve the OT environment’s security posture.
Now that you have a plan for what to fix and what to connect, you need the proper tools in place.
There are many OT security vendors and tools claiming to be the best, measured against standards that are either too general or too specific for your environment, amid conflicting information and viewpoints. Many companies use our OT CFC to demo leading technology vendors and to perform extensive evaluation of specific tools’ capabilities and integrations in a safe testing environment before deploying to a live setting.
But even after a technology has been deployed, our center enables companies to safely test updates, upgrades, and next-generation technology before going live, as well as perform additional testing when issues arise. In fact, some clients have us set up their specific devices and equipment in the lab and connect them remotely, so they can securely remote desktop in and perform whatever testing they need.
Beyond the challenges of building the right architecture and selecting the right tools, you need the right people. We have found that one of the most successful approaches is to cross-train your IT and OT security teams to monitor and respond to incidents in both environments. On the OT side, engineers benefit from the IT engineers’ deep understanding of how the networks really work: the firewalls, the endpoints, and the fundamentals of newer internet-enabled OT systems. The IT staff benefit from OT’s deep understanding of the machinery and mechanics that actually make the cash register ring for the company. Ultimately, cross-collaboration improves identification and accelerates issue resolution.
Many of our clients use our OT CFC and experienced security engineers to lead or enhance that training. We work directly with engineers to show them how to access their OT data and develop a baseline of their network activity using our fully functioning lab. We use this representative environment to show them the proper approach to securely connecting their systems to the larger enterprise network and getting the needed data into their SOC.
Once the tools are in place, we tune them and feed them a constant flow of traffic to establish what normal looks like on their network. Then we simulate an attack so the engineers can watch an abnormal event unfold and see how it appears different in the feed. One of the attack scenarios we use starts on the Internet, moves into the corporate network, infiltrates a vulnerable OT system, and then breaks a control system. It is a useful training scenario because it reinforces that most OT attacks originate on the IT side.
More important than the attack itself, we explain how we detect and respond to that type of incident and how it would show up in their own environment. This includes how to detect when someone, such as a vendor or contractor, plugs into the network, identify what changes were made, check whether anything was misconfigured, and determine whether the activity was malicious.
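To make the baseline-then-deviation approach concrete, here is an added example in Python; it is not code from the original post or from the OT CFC. It learns what “normal” looks like from a set of known-good events (which devices talk to which controllers, over which protocol, and which hosts are allowed to change controller logic), then flags events that deviate. The pipe-separated record format, the addresses and MACs, the 07:00–19:00 maintenance window, and the change-ticket field are all constructed assumptions for illustration. It covers the contractor scenario from the opening story (an unknown laptop pushing an unapproved logic download at 2:00 AM) as well as the subtler case of a known engineering workstation changing a controller outside the approved window without a ticket.

```python
"""Baseline-and-deviation detection over constructed OT network events.

Added example, not the original post's code. The log format, addresses,
maintenance window and ticket field are assumptions made for illustration.
"""
from datetime import datetime
from typing import NamedTuple, Optional


class OTEvent(NamedTuple):
    ts: datetime            # timestamp, assumed UTC
    src_mac: str            # hardware address of the talking device
    src_ip: str
    dst_ip: str             # controller (PLC) address
    protocol: str           # e.g. "modbus", "s7comm"
    operation: str          # "read", "write" (register/coil write) or "download" (logic change)
    ticket: Optional[str]   # approved change ticket recorded by the operator, if any


CHANGE_OPS = {"write", "download"}   # operations that alter controller state or logic


def parse_line(line: str) -> OTEvent:
    """Parse one record in the hypothetical format ts|mac|src_ip|dst_ip|proto|op|ticket."""
    ts, mac, src, dst, proto, op, ticket = line.strip().split("|")
    return OTEvent(datetime.fromisoformat(ts), mac, src, dst, proto, op, ticket or None)


# Constructed known-good traffic used to learn "normal": an HMI that only reads,
# and one engineering workstation that makes ticketed changes during the day.
BASELINE_LOG = """\
2021-06-07T08:15:00|00:1a:2b:00:00:01|10.10.1.20|10.10.5.10|modbus|read|
2021-06-07T09:00:00|00:1a:2b:00:00:01|10.10.1.20|10.10.5.11|modbus|read|
2021-06-07T10:30:00|00:1a:2b:00:00:02|10.10.1.21|10.10.5.10|s7comm|write|CHG-1042
2021-06-08T14:00:00|00:1a:2b:00:00:02|10.10.1.21|10.10.5.10|s7comm|download|CHG-1043
2021-06-08T15:10:00|00:1a:2b:00:00:01|10.10.1.20|10.10.5.10|modbus|read|
""".splitlines()

# Constructed events to review: a contractor laptop at 02:03, routine activity,
# and the known workstation changing logic late at night with no ticket.
REVIEW_LOG = """\
2021-06-15T02:03:00|00:50:56:aa:bb:cc|10.10.9.77|10.10.5.10|s7comm|download|
2021-06-15T08:20:00|00:1a:2b:00:00:01|10.10.1.20|10.10.5.10|modbus|read|
2021-06-15T11:00:00|00:1a:2b:00:00:02|10.10.1.21|10.10.5.10|s7comm|write|CHG-1101
2021-06-15T23:30:00|00:1a:2b:00:00:02|10.10.1.21|10.10.5.10|s7comm|download|
""".splitlines()


class Baseline:
    """What 'normal' looks like, learned from a list of known-good events."""

    def __init__(self, events, maintenance_hours=range(7, 19)):
        self.known_macs = {e.src_mac for e in events}
        self.conversations = {(e.src_ip, e.dst_ip, e.protocol) for e in events}
        self.change_hosts = {e.src_ip for e in events if e.operation in CHANGE_OPS}
        self.maintenance_hours = set(maintenance_hours)   # assumed approved change window

    def evaluate(self, e: OTEvent) -> list:
        """Return the list of deviations for one event (empty when it matches the baseline)."""
        findings = []
        if e.src_mac not in self.known_macs:
            findings.append("unknown-device")
        if (e.src_ip, e.dst_ip, e.protocol) not in self.conversations:
            findings.append("new-conversation")
        if e.operation in CHANGE_OPS:
            if e.src_ip not in self.change_hosts:
                findings.append("change-from-unexpected-host")
            if e.ts.hour not in self.maintenance_hours:
                findings.append("off-hours-change")
            if e.ticket is None:
                findings.append("unapproved-change")
        return findings


def review(baseline_lines, review_lines):
    """Return [(timestamp, src_ip, findings)] for every event that deviates from the baseline."""
    baseline = Baseline([parse_line(line) for line in baseline_lines])
    flagged = []
    for line in review_lines:
        event = parse_line(line)
        findings = baseline.evaluate(event)
        if findings:
            flagged.append((event.ts.isoformat(), event.src_ip, findings))
    return flagged


if __name__ == "__main__":
    for ts, src, findings in review(BASELINE_LOG, REVIEW_LOG):
        print(ts, src, ", ".join(findings))
```

Run as-is, the script reports two events: the 02:03 download from the unknown laptop (unknown device, new conversation, change from an unexpected host, off hours, no ticket) and the 23:30 download from the known workstation (off hours, no ticket). The routine reads and the ticketed daytime write are silent. The point of the ticket check is that a change from a trusted host at a trusted time is still worth a second look if nobody approved it, which is exactly what the 2:00 AM contractor in the opening story was doing.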
Unfortunately, hiring and retaining qualified cybersecurity professionals is a significant challenge across the security industry. Add the need for an analyst who understands both IT and OT and the hurdle gets higher. For many companies, the solution is to outsource.
Because of the demand for qualified IT/OT security specialists, we have made our OT CFC resources available as a managed service. You get access to a team that really knows OT technology, so there is no need to explain what SCADA is or what sensors and actuators do. As an experienced group, they also understand the repercussions of a wrong decision in a control environment. And with access to the OT CFC’s testing facility, our analysts can test patches, new equipment, and other changes before they go live, providing another level of assurance to the engagement.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.