There is a good reason so many cybersecurity point products emerge in the OT and IT cybersecurity markets. They address and, hopefully, alleviate a clear and present danger. Budget gets allocated for solving problems the C-suite can understand. The problem with these quick fixes is that they are accretive. Old threats seldom ever go away, and they need to be managed like a chronic disease. Pretty soon, the cybersecurity team has two dozen pill vials in its medicine drawer and keeping track of each of them and managing the overall health of the organization is a serious challenge.
This proliferation of point solutions is common in many organizations and creates serious pain points for operations and security teams, because each solution can come with its own agents and management console, and each one introduces possible negative interactions when used in combination on the same infrastructure. Add to that the cumulative effect on the teams tasked with managing these OT security products. There are several ways to reduce this accumulating problem. The two most obvious are to consolidate functionality into a platform or to offload functionality to a service provider.
Industrial automation cyber security: Benefits of consolidation
A platform approach to OT cybersecurity solutions can alleviate many of these potential problems by simplifying the deployment, management, and maintenance of these products. Platforms can reduce operational fatigue on cybersecurity teams and significantly reduce the false positives generated by individual point products. OT cybersecurity platforms can also provide the centralized management required to integrate effectively with IT systems such as SOCs, ticketing systems, or SIEM solutions.
New threats introduced by new connectivity into the OT environment and integration with enterprise business systems have led to a proliferation of available OT cybersecurity solutions. This development is driving the introduction of platforms with bundled functionality that manages and delivers core OT cybersecurity.
Types of industrial security: Minimum capabilities
At a minimum, an OT cybersecurity platform should include device detection, communications monitoring, network mapping, network segmentation and protection, threat prevention, and unified management. OT cybersecurity teams should identify and prioritize their specific goals and map them to platform features.
OT Cybersecurity teams need to:
• Protect assets by restricting unauthorized access to OT equipment such as controllers and Level 1 devices, and by blocking malicious traffic before it reaches them
• Continuously monitor the IP network, along with digital and analog signals
• Enable real-time analysis and incident detection and/or prevention
• Inform trusted operators and cybersecurity professionals through a dedicated communications system
• Gather system data from digital and analog sensors and actuators, controllers, and the OT network for real-time analysis and post-attack forensic purposes.
With these capabilities in place, organizations should also have the ability to carry out optional automated or operator-guided responses and control system restorations to enable safe operating states and continued production.
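The capability list above (device detection, communications monitoring, segmentation enforcement, real-time detection, a single alert stream for operators, and retained evidence for forensics) can be shown in one small monitoring loop. The following is an added example, not code from the original article or from any product it describes: it evaluates constructed OT flow records against a constructed asset inventory and a Purdue-level segmentation policy, and emits every finding as one unified alert record that a SIEM or ticketing system could consume. The IP addresses, Purdue levels, port allowlist and write-authorized hosts are all assumptions made up for the example.

```python
"""Added example: a minimal OT monitoring loop over constructed flow records.

Demonstrates, in one place, the capabilities the article lists:
  - device detection      (hosts not in the inventory are flagged once)
  - segmentation policy   (Purdue level pairs and ports that may talk)
  - real-time detection   (Modbus write from a host not authorized to write)
  - unified alerting      (one Alert record type, JSON-serializable for a SIEM)
  - forensic retention    (the raw flow is kept inside every alert)
"""
import json
from collections import Counter
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Modbus/TCP function codes that change controller state (coil/register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16}


@dataclass(frozen=True)
class Flow:
    """One observed connection; fc is the Modbus function code, if any."""
    src: str
    dst: str
    dport: int
    fc: Optional[int] = None


@dataclass
class Alert:
    """Unified alert record; the raw flow is retained as forensic evidence."""
    rule: str
    severity: str
    flow: Flow

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)


class OTMonitor:
    def __init__(self, assets: Dict[str, int],
                 policy: Iterable[Tuple[Optional[int], Optional[int], int]],
                 writers: Iterable[str]) -> None:
        self.assets = dict(assets)        # host -> Purdue level
        self.policy = set(policy)         # allowed (src_level, dst_level, dport)
        self.writers = set(writers)       # hosts allowed to issue Modbus writes
        self.discovered: Set[str] = set() # unknown hosts seen so far

    def level(self, host: str) -> Optional[int]:
        return self.assets.get(host)      # None for an unknown device

    def evaluate(self, flow: Flow) -> List[Alert]:
        alerts: List[Alert] = []
        # Device detection: report each previously unseen host exactly once.
        for host in (flow.src, flow.dst):
            if host not in self.assets and host not in self.discovered:
                self.discovered.add(host)
                alerts.append(Alert("new-device", "medium", flow))
        # Segmentation: an unknown level never matches an allowlisted pair.
        key = (self.level(flow.src), self.level(flow.dst), flow.dport)
        if key not in self.policy:
            alerts.append(Alert("segmentation-violation", "high", flow))
        # Threat detection: writes to controllers only from authorized hosts.
        if flow.fc in MODBUS_WRITE_CODES and flow.src not in self.writers:
            alerts.append(Alert("unauthorized-write", "critical", flow))
        return alerts

    def run(self, flows: Iterable[Flow]) -> List[Alert]:
        out: List[Alert] = []
        for flow in flows:
            out.extend(self.evaluate(flow))
        return out


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Unified management view: alert counts per rule."""
    return dict(Counter(a.rule for a in alerts))


def demo() -> List[Alert]:
    # Constructed inventory (assumption): two PLCs, one HMI, one historian.
    assets = {"10.0.1.10": 1, "10.0.1.11": 1, "10.0.2.20": 2, "10.0.3.30": 3}
    # Constructed policy: HMI -> PLC over Modbus, historian -> HMI over OPC UA.
    policy = {(2, 1, 502), (3, 2, 4840)}
    monitor = OTMonitor(assets, policy, writers={"10.0.2.20"})
    # Constructed flow records, in arrival order.
    flows = [
        Flow("10.0.2.20", "10.0.1.10", 502, fc=3),   # HMI read: allowed
        Flow("10.0.2.20", "10.0.1.10", 502, fc=16),  # HMI write: allowed
        Flow("10.0.3.30", "10.0.1.11", 502, fc=16),  # historian -> PLC write
        Flow("10.0.9.99", "10.0.1.10", 502, fc=6),   # unknown host writes
        Flow("10.0.9.99", "10.0.1.11", 502, fc=1),   # same host, read only
        Flow("10.0.3.30", "10.0.2.20", 4840),        # historian -> HMI: allowed
    ]
    return monitor.run(flows)


if __name__ == "__main__":
    for alert in demo():
        print(alert.to_json())
    print(summarize(demo()))
```

The point of the single `Alert` type is the article's "unified management" requirement: every rule, whether it comes from inventory, segmentation or protocol inspection, produces the same record, so one export path feeds the SOC instead of one console per point product. Replacing the constructed `flows` list with records from a network tap or flow collector is the only change needed to run it against real traffic.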
While the core responsibility of OT cybersecurity teams remains protecting Level 0 equipment and the control systems that touch that equipment, the systems that OT cybersecurity teams need to protect will continue to expand.
As operations and engineering teams continue to push for more asset visibility and management support, the attack surface of OT will continue to expand. What this means in practice is that the temptation to deploy yet another stand-alone security control will likely expand as well.
Industrial cyber security: Managed services
Similarly, the use of managed services for OT cybersecurity requirements can significantly simplify internal security deployments. The benefits of managed services are well recognized and can also include both reduced cost and improved effectiveness.
Reducing complexity is, in fact, a meta-benefit of using managed cybersecurity services. Managed services can augment the scale and expertise of internal security teams, helping to monitor operational networks, maintain OT network and device protections, identify threats in real time, and provide incident response. Managed services teams often bring additional depth and breadth of experience to complement internal analysts and can be staffed 24/7/365. Importantly, services teams can also more simply introduce advanced analytic capabilities, such as threat hunting. This benefit can further reduce complexity by allowing OT organizations to avoid or postpone hires and technology purchases.
Cybersecurity teams need to anticipate the need to simplify and unify solutions today. In this regard, OT cybersecurity teams should consider the lessons learned by IT security teams as they grappled with similar issues over the last decade and quickly moved to platforms. The shortage of qualified cybersecurity personnel is a major driver in working to reduce the workload of managing multiple disparate systems.
OT security teams need to proactively work to reduce the complexity of security infrastructure. The shift to platforms is overdue in OT cybersecurity, and the drivers for moving away from point solutions will only grow with time. As OT cybersecurity further integrates with IT security, the need for a centralized management function will become particularly acute. The use of managed services should also be considered as an effective means of further reducing complexity.