Operational technology (OT) assets are now at the core of most organizations today, as they offer the ability to automate, control, monitor and integrate business processes.
While OT systems have historically been proprietary and isolated from corporate IT systems, OT suppliers have now largely converged onto common, connected IT platforms. This increased connectivity is compelling but dangerous, and could potentially have dire consequences if not well-managed.
As organizational operations become increasingly connected and complex, so does the need to gain a better understanding of the organization’s security and risk posture. It can be achieved by regularly identifying and prioritizing risks, analyzing threats and resolving vulnerabilities in the business’ critical infrastructure.
With the diversity of technology, variety of device and protocols, and the sensitivity of equipment, extreme caution needs to be taken to ensure that security solutions do not impose a risk to physical safety and operational uptime. It is with only proper identification and prioritization of risks that organizations can secure critical assets and assure reliability, business continuity, and regulatory compliance.
How then can organizations effectively manage the risk of their OT assets?
Gaining visibility into connected devices
Lack of asset visibility and device status knowledge continue to be top concerns for OT security and risk management leaders. Often, organizations lack a complete, up-to-date inventory of the OT assets they have. Furthermore, many maintenance processes are still either being performed manually or by their equipment vendors.
As threats expand beyond traditional IT networks, so does the need to extend security visibility into all networks. Visibility of connected devices and intelligence of device security posture is therefore essential in helping organizations effectively manage security risks.
Identifying key OT assets
Reducing OT related business risk starts with understanding and identifying the OT assets associated with critical business processes. Only then can organizations understand which OT assets need security focus and investments to reduce their OT related business risk – in a cost-effective manner.
According to the 2018 SANS Industrial IoT (IIoT) survey, most organizations envision a 10 to 25 percent growth in their connected devices for the foreseeable future. This explosion of devices, in addition to the existing obscurity issues inherent in OT, makes asset discovery difficult.
In a typical asset discovery, there is a tendency to start grouping devices by type, such as Windows, Mac, Linux devices, PLCs, sensors, and so on, which distracts focus from managing the risk of the critical processes. Instead, doing discovery based on the critical asset systems helps us not “boil the ocean,” waste resources and lose focus.
Start with critical impact systems and work in priority order to identify what assets support the process, what hardware and software run on the assets and what is the network topology supporting them, as well as what endpoints, devices, and non-network connected devices constitute the asset system.
Organizing impact systems
Once organizations have an in-depth understanding of what critical asset systems look like, the process will highlight the importance of protecting high-impact systems, such as data center assets or operations. Requesting funding becomes easier to justify from a business perspective, especially when introducing risk-mitigating controls.
Organizing impact systems on a high/medium/low scale can ease successful implementation of many Risk Management Frameworks (RMFs). RMFs are best-practice policies to assess and reduce OT asset-related business risk
In addition to the RMFs, there are also international standards and regulations for which organizations can be certified. What they all have in common is a framework of controls that should be put in place from asset discovery, hardware, and software asset management, configuration management, and vulnerability management, to where you have a blueprint allowing for efficient and measurable business risk reduction.
When we start from a ‘top down’ versus a ‘bottoms up’ approach, we end up building a solid risk management program that executive management can understand, protecting the most critical processes to the business, and achieving both cost-effectively.