Defending Operational Technology

Operational technology (OT) is everywhere in organizations as well as in everyday life, and it’s one of the biggest cybersecurity targets of the moment thanks to the disruption that an OT outage can cause.

Cybersecurity professionals work mostly with information technology (IT) – servers, laptops, routers, switches, Wi-Fi kit, and so on. And because we’re used to such technology, we know pretty much how to defend those systems against cyber-attack using kit such as firewalls, anti-malware software and the like.

What About Operational Technology (OT)?

In its simplest form, OT is all about the technology that is connected to our networks, but which isn’t part of the everyday IT infrastructure. In a hospital this might be X-ray machines or CAT scanners and their associated support equipment, for example; in a mine it might be drilling or conveyor equipment; in an oil company it could be the drilling rig or the pumping equipment (and everything monitoring it). OT has often been around for a long time (a $10 million drilling rig might have a lifetime of 10 or 15 years, for example) and may well not have been built with cybersecurity and long-term software updates in mind. It might originally have been built without even a thought that it might one day be connected to a global network for management or monitoring purposes. The common factor we see is that you generally can’t install commoditised (say) anti-malware or Endpoint Detection and Response (EDR) onto OT equipment, and nor can you configure it easily (or at all) so it only accepts management connections from a specific IP address range (that of the management station).

What Can We Do?

First, we can remember that there’s more to life than using agent-based vulnerability scanners. If we’re going to secure our systems, one of the key things we need is visibility of their vulnerabilities. Now, there are dozens – hundreds, even – of vulnerability scanners out there for which you install an agent app on each system and let them report to a central console. However, just because your scanner doesn’t have an agent app available for a given piece of OT equipment, this doesn’t leave you powerless – you simply have to do what a bad actor would do and have a scanner that probes kit to see what ports are opened and what versions of software are listening on what ports, and checks against a big database of known vulnerabilities before alerting you to problems. Doing so puts you one step ahead of an attacker in this respect anyhow – not only do you know (well, we hope you know) what is attached to your network, but you can put your scanner inside that network and configure the routers and internal firewalls to permit them to run their scans. Agentless scanning of this type is commonplace for IT systems today (you’ll seldom find a scanner that has an agent for, say, Cisco routers) so extending the concept to OT should be straightforward.
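An added illustration of the agentless approach described above (example code, not from the original article): it parses constructed probe output in a hypothetical "host port/proto state service product version" line format and compares the versions seen against a constructed known-issue list with placeholder identifiers, alerting only where the observed version is below the fixed-in version.

```python
from dataclasses import dataclass

# Constructed sample probe output (hypothetical OT hosts, not real scan data):
# host port/proto state service product version
SCAN_OUTPUT = """\
10.20.0.11 102/tcp open s7comm plc-firmware 3.2.9
10.20.0.11 80/tcp open http embedded-httpd 1.4
10.20.0.12 502/tcp open modbus modbus-gateway 2.0.1
10.20.0.13 22/tcp open ssh OpenSSH 7.4
"""

# Constructed issue list: product -> [(placeholder id, fixed-in version, summary)]
KNOWN_ISSUES = {
    "embedded-httpd": [("ISSUE-PLACEHOLDER-1", (1, 5), "admin page auth bypass")],
    "modbus-gateway": [("ISSUE-PLACEHOLDER-2", (2, 1, 0), "unauthenticated register write")],
    "OpenSSH": [("ISSUE-PLACEHOLDER-3", (7, 4), "already fixed at 7.4")],
}

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str
    product: str
    version: tuple

def parse_version(text: str) -> tuple:
    """'3.2.9' -> (3, 2, 9); tuples compare component-wise, so (1, 4) < (1, 5)."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def parse_scan(output: str) -> list:
    """Keep only open ports; the product may contain spaces, the version never does."""
    services = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] != "open":
            continue
        host, portproto, _state, name = parts[:4]
        product, version = " ".join(parts[4:-1]), parts[-1]
        port = int(portproto.split("/")[0])
        services.append(Service(host, port, name, product, parse_version(version)))
    return services

def find_exposures(services, issues=KNOWN_ISSUES) -> list:
    """Return (host, port, product, issue_id) where the seen version is below the fix."""
    alerts = []
    for svc in services:
        for issue_id, fixed_in, _summary in issues.get(svc.product, []):
            if svc.version < fixed_in:
                alerts.append((svc.host, svc.port, svc.product, issue_id))
    return alerts
```

Run from inside the segment (as the article suggests), the same matching turns a plain port and banner probe into an alert list without touching the OT device itself.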

The other key question is how you defend a device that can’t defend itself. Easy: pretend it’s Britney Spears (other celebrities are available) and ask yourself what you’d do. The answer: get it a bodyguard. If it can’t defend itself, put it behind a big, solid wall with a sturdy door to which only you have the keys. Firewall it to death, strictly limit the connectivity between it and the main network and have monitors that alert you to the merest sniff of bad activity. If you can, try to get to a situation where the only communication that happens is initiated by the OT device making an outbound connection to the outside world, because this means you can have a “deny from any to any” rule for all inbound traffic.
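The one-directional enclave policy described above, as an added example (not from the original article): a small stateful evaluator with a constructed OT segment and a constructed management collector, which allows only OT-initiated sessions to that named destination, lets replies back in only for sessions it has already seen, drops every other inbound connection attempt, and records an alert for each drop so the "merest sniff" gets noticed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OT_SEGMENT = ip_network("10.20.0.0/24")      # constructed OT enclave
ALLOWED_OUTBOUND = {("10.1.0.5", 8883)}       # constructed collector, MQTT over TLS

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True = new connection attempt, False = packet of an existing session

class OtEnclavePolicy:
    """Boundary policy: inbound is 'deny from any to any'; only OT-initiated sessions exist."""

    def __init__(self):
        self.sessions = set()   # (ot_ip, ot_port, peer_ip, peer_port) opened by the OT side
        self.alerts = []

    def evaluate(self, f: Flow) -> str:
        src_ot = ip_address(f.src) in OT_SEGMENT
        dst_ot = ip_address(f.dst) in OT_SEGMENT
        if src_ot and not dst_ot:
            # Outbound: the OT device may open a session only to an allowed destination.
            if f.syn and (f.dst, f.dport) in ALLOWED_OUTBOUND:
                self.sessions.add((f.src, f.sport, f.dst, f.dport))
                return "allow"
            if not f.syn and (f.src, f.sport, f.dst, f.dport) in self.sessions:
                return "allow"
            self.alerts.append(f"unexpected outbound {f.src}:{f.sport}->{f.dst}:{f.dport}")
            return "drop"
        if dst_ot and not src_ot:
            # Inbound: only the reply leg of a session the OT side opened is permitted.
            if not f.syn and (f.dst, f.dport, f.src, f.sport) in self.sessions:
                return "allow"
            self.alerts.append(f"inbound attempt {f.src}:{f.sport}->{f.dst}:{f.dport}")
            return "drop"
        return "drop"   # anything else crossing the boundary is denied by default
```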

Should It Even Be Connected?

There is one other consideration, though – and it’s one that is constantly forgotten. One would hope it’s kind of obvious, but sadly it isn’t: the act of asking the question: “Does this thing have to be on the network at all … and if so, then why?” This correspondent was chatting with the manager of a data centre a while back, inquiring about the network security of the massive generators in the (high-fenced and alarmed) back yard. “Oh, that’s easy”, he answered, “I didn’t order the network modules”. His reasoning was more around reliability – he would rather have engineers come to site than break his world remotely – but it had a tremendous accidental security benefit.

Wherever we turn, we see stuff connected to the network (and even to the internet). Chances are that if you’re reading this you’ve at least heard the story of the casino network that was compromised via the thermostat of its lobby fish tank. But did you realise that the infamous Colonial Pipeline attack didn’t in fact hack the pipeline systems themselves but was instead aimed at the billing system? The company, not the bad actor, shut down the pipeline – as a precautionary measure.

Defending OT is a long way from being rocket science. If it can’t defend itself, build something around it that carries out that task on its behalf. It doesn’t have to be expensive – and in most cases for big OT the cost of the security systems will be a fraction of what you paid for the OT kit itself.

But before you spend a penny, do take a step back and ask: why is this connected to anything in the first place?