When creating a security architecture for an OT environment, it’s advisable to separate the OT network(s) from the corporate network. This is because the nature of network traffic on these two networks is distinct. While the corporate network may allow Internet access, email, and remote access, these activities are generally not allowed on the OT networks. Moreover, corporate and OT environments may differ in terms of the rigor of their change control procedures. Using the corporate network for OT communication protocols could also make the OT components vulnerable to cyber-attacks like DoS, man-in-the-middle, or other network-based attacks. Having separate networks provides greater flexibility to meet security and performance requirements between the two environments.
However, practical considerations such as digital transformation, the cost of OT installation, or the need to maintain a homogenous network infrastructure may necessitate a connection between the OT and corporate or other IT networks. This connection presents an additional risk, and organizations may want to minimize these connections and consider additional security controls for them. This section outlines various security strategies that organizations can consider while designing their OT environments to support cybersecurity objectives.
Having a cybersecurity strategy can help organizations make informed decisions about cybersecurity, which would otherwise be more ad hoc. This can lead to a more systematic implementation of risk decisions into the development and operations of systems, thereby supporting a comprehensive and sustainable cybersecurity program. An accepted and comprehensive cybersecurity strategy can assist an organization in consistently maintaining acceptable risk management throughout the life cycle of an OT system.
To optimize system security, an engineering design should be based on a proactive loss prevention strategy. This strategy includes planned measures that are designed to address potential scenarios, rather than just what is likely to occur. This involves proactively identifying and addressing weaknesses and defects that may lead to security vulnerabilities, understanding both the certainty and uncertainty of adversarial and non-adversarial threats, and implementing means and methods to protect against adverse consequences. Proactive systems security engineering should also plan for failure, regardless of whether it results from adversarial or non-adversarial events, and ensure that the system is resilient to such events.
When devising their security strategy, organizations must take into account critical infrastructure standards and regulatory requirements. As per the guidelines from CISA, organizations may discover that both their IT and OT environments are part of the critical infrastructure sectors. Additionally, these standards and requirements are usually established to safeguard crucial cyber assets to enhance reliability and may impose further legal responsibilities on the organization.
Impacts of Choosing a Cybersecurity Strategy
When an organization consciously decides to develop and implement a cybersecurity strategy, it establishes a disciplined approach to cybersecurity in its systems. This approach allows the organization to consider cybersecurity at all stages of the system life cycle, from procurement to decommissioning. Consequently, the organization can ensure that cybersecurity goals are realized in its systems.
Decisions regarding the cybersecurity strategy should be based on a high-level understanding of the organization’s operations, objectives, and cybersecurity goals. For instance, the organization may want its systems to display specific characteristics such as trustworthiness or resiliency. A strategy provides a framework that can assist in incorporating these characteristics into the final systems. Additionally, the strategy can consider factors such as the ability to adopt new technologies (e.g., AI/ML technologies, crypto agility, digital twins) and the need for sound cybersecurity practices like monitoring or patching.
The cybersecurity strategy should have a direct impact on the architectural decisions made for systems. When architecture is informed by a cybersecurity strategy, it increases the likelihood that high-level cybersecurity goals will be reflected in the cybersecurity of individual systems. The strategy serves as a document and a reminder of these goals when decisions are made at the system level.
Cybersecurity and OT Assets
OT assets are typically long-lived and represent significant investments in operational, reliability, and safety testing. In some cases, it may not be economically or technically feasible to replace existing equipment and applications entirely with newer alternatives in the short- or medium-term. As a result, this equipment is at a higher risk of attacks than equipment that has the latest security features and updates installed, which can significantly impact security.
The adoption of a security strategy can assist an organization in comprehending the life cycle of its OT systems and modifying approaches to sustain cybersecurity. This strategy can assist in prioritizing resources and efforts towards the most critical areas of the OT environment to minimize risk. Additionally, the strategy can help to identify alternative methods of improving cybersecurity, such as enhancing system monitoring, implementing access controls, or enhancing incident response capabilities, which may be more feasible than replacing equipment entirely.
The defense-in-depth strategy is a comprehensive approach that combines people, technology, and operational capabilities to establish multiple layers of barriers across various dimensions of an organization. It is widely recognized as a best practice in cybersecurity. Many cybersecurity architectures incorporate defense-in-depth principles, and the strategy has been integrated into various standards and regulatory frameworks.
The fundamental idea behind defense-in-depth is to avoid having single points of failure in cybersecurity defenses and to assume that threats can originate from various sources. To accomplish this, cybersecurity controls are designed to provide layers of protection around critical systems and components. This ensures that if one layer of defense is compromised, there are additional layers of protection to prevent or mitigate the impact of the attack.
A defense-in-depth approach is a valuable strategy in OT environments as it allows for targeted protection of critical functions. The flexible nature of defense-in-depth enables organizations to apply this approach to a variety of OT environments such as ICS, SCADA, IoT, IIoT, and Hybrid environments. However, implementing a defense-in-depth strategy requires an integration of people, processes, and technology, and cybersecurity defenses must be updated as risks evolve. To establish and maintain an effective defense-in-depth architecture, organizations should prioritize:
- Providing security training to personnel to reduce risky behaviors and promote a secure environment.
- Implementing cybersecurity technology that is both appropriate and sustainable.
- Establishing procedures to monitor, respond to, and adapt cybersecurity defenses to changing conditions.
Other Cybersecurity Strategy Considerations
The rise of business agility and cost reduction requirements has led to a shift in traditional OT systems, which were initially designed to function safely and reliably without external network connections. This shift has resulted in more integration between OT systems and networks with business networks and cloud infrastructures. However, this integration may have unintended consequences for cybersecurity, especially with the introduction of IIoT systems in OT environments.
Furthermore, while cloud computing capabilities such as infrastructure as a service, platform as a service, software as a service, and security as a service are increasingly being adopted by organizations to support IT services, utilizing these services to support OT environments may pose additional challenges such as system performance levels and connection issues.
Hence, the current state of existing OT environments may impact the adoption of a security architecture strategy. For instance, procurement decisions may need to be adjusted based on the architectural strategy. Additionally, existing systems may already support some or most of the security architecture strategy, allowing for the acceleration of implementation. Moreover, building cybersecurity into the design of new OT environments provides an opportunity to assess cyber risk early on.
Organizations need to ensure that their security architecture strategy allows for the necessary flexibility to adapt to changes in their environment. However, it is important to carefully consider the potential impacts on both operations and cybersecurity before implementing any changes. This can involve assessing the potential risks and benefits of different approaches and balancing the need for agility with the need for security and reliability. It may also involve establishing clear policies and procedures for implementing changes, monitoring their impact, and responding to any issues that arise. Ultimately, an effective security architecture strategy should enable organizations to stay ahead of evolving threats while also supporting their business objectives and operations.