Lessons from the control room: The right way to lock down OT and IT cybersecurity
November 19, 2020
You’ve just been hired to help secure the operational technology (OT) systems for a large manufacturing company. It has 20 plants that range from a flagship operation getting the last bits of life out of 60-year-old analog equipment to a number of sites featuring next-generation automation and control systems. Most of the operations employees, who know every clank and whistle the system can throw at them, have never been concerned about cybersecurity. Why should they? Who would want to attack them?
The company’s IT group has never worked with the operations team outside of the occasional help desk call. Many of the OT systems are located in dirty, noisy parts of the plant or in controlled areas they rarely enter. When these industrial control systems need upgrades, network connections, or servers set up, they rely on vendors to do everything except plug the connection into the network switch.
Now, back to the task at hand: You’ve convinced company leadership that the long-term goal is to stand up a Security Operations Center (SOC) that includes a proactive OT focus, thus better protecting operations against known and emerging security threats. You’d also like to get Red and Blue teams fired up to exercise the security program and demonstrate your threat hunting chops. So…where do you start?
This may seem like it has nothing to do with cybersecurity, but it’s crucial. Learn who’s who in operations, IT and management. Listen to their stories about incidents that have disrupted the business and production. Find out their pain points regarding maintaining safe, reliable production, including how to return operations to service if there’s a problem. Ask them what they need and want to be successful and also ask what they fear (which may be you… and the changes a cybersecurity program will drive).
Reassure them that the OT security journey is not something you are going to do to them, but with them. Recruit their help. Find out who has institutional knowledge about the control systems and processes at work and learn as much as you can from them. Then start building your team, promoting from within where possible to make good use of the people who already know many of the nuances of the OT environment.
Once you know who you’re going to be working with, inventory their skills and identify how and where they can help build the foundations of the OT cybersecurity program. This will also help you identify candidates possessing cross-functional and specialized skills that match staffing needs for both the SOC and Red and Blue teams.
Armed with this inventory of personnel skills, start educating people at all levels on cybersecurity concepts. Be sure to tailor training to the OT environment and its often-unique operating requirements. Also make sure your IT personnel understand the differences between IT and OT systems and security. Teach OT people how to work with their IT counterparts and how important cybersecurity is to their livelihoods. Promote a common lexicon and common understanding of what is ahead, but encourage flexibility in this rapidly changing world.
Don’t forget to educate managers. They too should be aware of risks and how they affect business priorities if they are to fully appreciate what you’re trying to do and why. Earn their trust. Help them understand that support for your efforts is the right and smart thing to do for the company, its customers and its stakeholders. Educate early and often!
People are your key to success or failure. People write the policies and processes and follow the procedures. They select and deploy technologies, and they operate and maintain systems. People are essential to addressing risks and responding to security challenges. If you don’t have them on your side, your program and aspirations for security maturity are dead before you even start.
Once your people are on board, determine what you’re securing. Gather all available information about your OT systems. What systems are in operation? Where are they located? What do they do? Who are your hardware, software, system and service vendors? Pore over connected device and asset inventories (if they exist) to understand the systems and components being used. If inventories do not exist, create them. Obtain or develop network drawings to understand the underlying architecture and how all the components are connected.
Understand the physical processes each system supports, including interconnections among processes. Identify perimeters that separate OT and IT systems and give particular attention to the physical and logical bridges that connect them. Find out what cybersecurity products and practices are already in place. If they are effective, build on them.
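The inventory and network drawings described above are what let you find the IT/OT bridges mechanically rather than by walking the plant. The following is an added example, not code from the original article or from Accenture: it joins a constructed asset inventory (each asset tagged with an assumed zone of OT, DMZ or IT) against constructed flow records of the kind a network sensor or firewall log would report, and flags three things a practitioner wants to know early: flows that cross directly between IT and OT without passing through the DMZ, industrial protocols (an assumed port-to-protocol map) reachable from IT, and endpoints that talk to OT but are missing from the inventory. The IP addresses, hostnames and ports are all made up for the illustration.

```python
"""Find IT/OT "bridges" by joining a flow list against an asset inventory.

Added example, not from the original article. The inventory rows, the flow
records, the zone names (OT, DMZ, IT) and the port-to-protocol map are all
constructed assumptions for the illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory: every asset tagged with the zone it belongs to.
INVENTORY_CSV = """asset_id,hostname,ip,zone,role
A1,plc-line1,10.10.1.10,OT,PLC
A2,hmi-line1,10.10.1.20,OT,HMI
A3,historian-dmz,10.20.0.5,DMZ,Historian mirror
A4,eng-ws-07,10.30.4.44,IT,Engineering workstation
A5,erp-app-01,10.30.9.9,IT,ERP server
"""

# Constructed flow records (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.10.1.20", "10.10.1.10", 502),    # HMI -> PLC, Modbus, stays inside OT
    ("10.10.1.10", "10.20.0.5", 5432),    # PLC -> DMZ historian (expected path)
    ("10.20.0.5", "10.30.9.9", 5432),     # DMZ historian -> IT ERP (expected path)
    ("10.30.4.44", "10.10.1.10", 502),    # IT workstation -> PLC Modbus: direct bridge
    ("10.30.4.44", "10.10.1.20", 3389),   # IT workstation -> HMI over RDP: direct bridge
    ("10.99.0.7", "10.10.1.10", 44818),   # unknown host -> PLC: inventory gap
]

# Assumed mapping of well-known industrial protocol ports to protocol names.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    ip: str
    zone: str
    role: str


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high" or "info"
    reason: str
    src: str
    dst: str
    port: int


def load_inventory(csv_text):
    """Parse the inventory CSV into a dict keyed by IP address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"]: Asset(**row) for row in reader}


def find_bridges(inventory, flows):
    """Return one Finding per cross-zone or unaccounted-for flow.

    Flows whose endpoints share a zone are ignored. A flow between OT and IT
    with no DMZ hop is a direct bridge (critical if it carries an industrial
    protocol). A flow with an endpoint that is not in the inventory is an
    inventory gap and is reported regardless of zone.
    """
    findings = []
    for src, dst, port in flows:
        a, b = inventory.get(src), inventory.get(dst)
        if a is None or b is None:
            unknown = src if a is None else dst
            findings.append(Finding("high", f"endpoint {unknown} not in inventory", src, dst, port))
            continue
        if a.zone == b.zone:
            continue
        if {a.zone, b.zone} == {"OT", "IT"}:
            proto = ICS_PORTS.get(port)
            reason = "direct IT<->OT path bypassing DMZ" + (f" carrying {proto}" if proto else "")
            findings.append(Finding("critical" if proto else "high", reason, src, dst, port))
        else:
            findings.append(Finding("info", f"cross-zone flow via DMZ ({a.zone} -> {b.zone})", src, dst, port))
    return findings


if __name__ == "__main__":
    for f in find_bridges(load_inventory(INVENTORY_CSV), FLOWS):
        print(f"[{f.severity:8}] {f.src} -> {f.dst}:{f.port}  {f.reason}")
```

The "info" findings are the paths you expect to see on the network drawing; the "critical" and "high" ones are the bridges the drawing usually omits, and each unknown endpoint is a row that belongs in the inventory before you go any further.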
Has anybody created a process hazard analysis? In an OT environment, health and safety are paramount because this is where the digital world meets the physical world. Risks that can disrupt or destabilize operations can also lead to equipment and environmental damage, personal harm and even loss of life. Remember, OT systems are engineered. This can give you an advantage in understanding how control systems regulate, monitor and protect the process.
You also should learn the state of the current business culture, because an organizational culture will directly affect your OT security program’s success. Learn how the company is structured and how your program fits into existing processes. Identify key leaders, chains of command and decision-making authority.
Understand current budgets and follow the money for safety, maintenance, repair and operations (MRO) expenses, including the planning and justification process for improvements and new program extensions. Understand your industry and regulatory requirements, including cybersecurity standards, whether they apply to OT or IT. Find out if the company already has existing cybersecurity programs, processes, policies or a governance structure. If it doesn’t, begin developing them.
Learn how projects are managed and whether any in-flight projects with an IT or security component could affect the OT environment. Armed with comprehensive business knowledge, you can develop a program that fits the organizational culture and its operational processes and is more likely to succeed. These steps are crucial on your path toward building a SOC and a broad, sustainable OT security program.
Finally, analyze the current cybersecurity state of each operation that’s core to the OT domain. Each environment may have different risks, follow different requirements, guidelines and procedures, use different tools and practices and operate at different cybersecurity maturity levels. Each will likely have its own operational priorities. Note any cybersecurity best practices in people, process and technology that are found along the way and consider how to potentially adapt and implement them more broadly across all operations. Once you understand the current cybersecurity posture of the business, you can next focus your efforts where they are most needed, protecting the integrity of the company’s OT systems.
Now that you understand your people, the business and its operations and the processes and technologies in place, it’s time to devise a strategy for securing your OT operations and making progress toward that comprehensive SOC. Include IT and OT operations people at all levels: those who design, operate and maintain these systems and those who oversee these teams. They know better than anyone how things work—and what doesn’t.
The OT risk management strategy should include short-, mid-, and long-term plans based on the current risk to the operations’ environments, business and operational priorities, and the various automation and control systems used in production and to deliver services. Above all, address the health and safety of workers first. Also address any applicable environmental or regulatory requirements and of course maintain a clear focus on facilitating business objectives to maintain safe, productive and profitable operations.
This is where the fun really begins. Don’t forget, strategies will have to adjust during execution. Build regular strategy reviews into the implementation process, measure progress and course-correct where needed. Also, lean into the relationships you’ve built. Goodwill has no price, but the lack of it certainly does!
As you progress with your teams, make sure you link investments, activities and outcomes directly to offsetting the pain points you gathered at the beginning of your journey. This approach lets you demonstrate a tangible return on security investment from the results of the program you’re building. Still, embrace the fact that you will need to be agile and learn as you go, and your strategy will likely change as your program matures.
You’re now on a clearer path to developing an effective and sustainable OT security risk management program. Soon your SOC will be up and running and your Red and Blue teams will be actively addressing cybersecurity risks to your company to thwart bad guys. Most of all, the OT security program you’ve put in place will start to pay back measurable results in the cultural and operational changes it drives across the company.
Accenture is a leading global professional services company, providing a broad range of services in strategy and consulting, interactive, technology and operations, with digital capabilities across all of these services. We combine unmatched experience and specialized capabilities across more than 40 industries — powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. With 513,000 people serving clients in more than 120 countries, Accenture brings continuous innovation to help clients improve their performance and create lasting value across their enterprises. Visit us at www.accenture.com.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Copyright © 2020 Accenture.
All rights reserved. Accenture and its logo are registered trademarks.