The Five Critical Operational Technology (OT) Cybersecurity Controls
Organisations are expected to defend their digital assets to acceptable levels and make balanced risk decisions. This is challenging because of the complexity of the organisation and the dynamic nature of threats and technologies. In a whitepaper published in October 2022, the SANS Institute provides five critical ICS security controls as the minimum requirement for community and national security. Organisations can go beyond these controls to further reduce risk according to their own goals and risk assessments.
1. ICS-specific Incident Response Plan
Operational Technology (OT) needs an incident response plan distinct from that of Information Technology (IT), as it involves different device types, communication protocols and tactics, techniques and procedures (TTPs) specific to industrial threat groups. Investigation requires different tools and languages, and managing the potential impact of an incident is different for OT systems such as pipelines, electrical grids and manufacturing plants. Companies should create a dedicated OT response plan with the right points of contact and next steps for specific scenarios, and consider running simulation exercises to test and improve the plan.
It is important to consider incident response from the outset of the security programme rather than as an afterthought, as this ensures that all security controls are properly aligned with the needs of the incident response process. In addition, with increasingly strict regulations on incident reporting, organisations must be aware of the questions and requirements that will need to be addressed in the event of an incident.
A key factor in the incident response process for industrial organisations is the ability to analyse the root cause of the incident. This has become increasingly difficult due to the complexity of industrial automation. IT incident response plans tend to focus on identifying the adversary, containment and eradication, while OT incident response plans place priority on actions that reduce the impact of the attack and the effect on the process. By investing in incident response and cyber security, not only can the risk of cyber attacks be reduced, but the resilience of the operations can be increased.
2. Defensible Architecture
A defensible architecture reduces, as far as possible, the amount of risk accepted by the system’s design and implementation, while enabling the people providing protection to do their jobs. There is no perfect security system or architecture, because it is the human aspect that allows a defensible architecture to be defended. Many frameworks and architectures can be used, including the Purdue Model and ISA/IEC 62443. It is not the framework that matters, but how it is implemented, so that it provides security to the organisation and follows the guidelines set by the first critical control.
Common attributes of a defensible architecture include:
- asset identification and inventory for key sites,
- segmented environments to reduce ingress and egress,
- establishing when bi-directional access is needed,
- collection of network traffic and systems communication,
- the ability to go into a “defensible cyber position” with reduced connectivity and devices during heightened situations.
3. ICS Network Visibility and Monitoring
Having visibility into your operational technology (OT) environment is essential for protecting it. Maintaining an inventory of assets, mapping potential vulnerabilities to those assets, and actively monitoring traffic are all key components of a successful OT security posture. Monitoring helps detect threats, identify vulnerabilities, and enable automation for large and complex networks; it is also what makes a defensible architecture verifiable in practice.
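As an added illustration of the inventory, segmentation and monitoring points above (this is example code, not from the SANS whitepaper or this article), the following Python check maps constructed flow records against a Purdue-level asset inventory and a conduit policy, and shows how the reduced-connectivity "defensible cyber position" narrows what is considered expected. All IP addresses, asset names, levels and ports are constructed assumptions.

```python
# Added example (not from the SANS whitepaper or this article): inventory and
# zone-policy check over constructed OT flow records of the form src,dst,dst_port.

# Constructed inventory: IP -> (asset name, Purdue level).
INVENTORY = {
    "10.1.0.5": ("HMI-01", 2),
    "10.1.0.10": ("PLC-A", 1),
    "10.2.0.20": ("HISTORIAN", 3),
    "10.3.0.50": ("ERP-APP", 4),
}

# Constructed conduit policy: (src level, dst level, dst port) triples the
# architecture permits in normal operation.
NORMAL_CONDUITS = {(2, 1, 502), (2, 3, 1433), (4, 3, 443)}
# "Defensible cyber position": in a heightened situation only the
# HMI-to-PLC control conduit is kept; everything else should be cut.
HEIGHTENED_CONDUITS = {(2, 1, 502)}

def check_flow(src, dst, port, heightened=False):
    """Return a finding kind for one flow, or None if the flow is expected."""
    conduits = HEIGHTENED_CONDUITS if heightened else NORMAL_CONDUITS
    if src not in INVENTORY or dst not in INVENTORY:
        return "unknown-asset"        # inventory gap: identify the device first
    src_level, dst_level = INVENTORY[src][1], INVENTORY[dst][1]
    if (src_level, dst_level, port) in conduits:
        return None
    if abs(src_level - dst_level) > 1:
        return "zone-skip"            # e.g. enterprise host talking straight to a PLC
    return "unexpected-conduit"       # adjacent zones, but not an approved port

def check_flows(lines, heightened=False):
    """Parse 'src,dst,port' lines and return (kind, src, dst, port) findings."""
    findings = []
    for line in lines:
        src, dst, port = line.strip().split(",")
        kind = check_flow(src, dst, int(port), heightened)
        if kind:
            findings.append((kind, src, dst, int(port)))
    return findings

# Constructed sample flows.
SAMPLE_FLOWS = [
    "10.1.0.5,10.1.0.10,502",    # HMI -> PLC Modbus/TCP: expected
    "10.1.0.5,10.2.0.20,1433",   # HMI -> historian: expected normally, cut when heightened
    "10.3.0.50,10.1.0.10,502",   # ERP host -> PLC directly: zone skip
    "10.1.0.5,10.1.0.10,22",     # HMI -> PLC on SSH: unexpected conduit
    "10.9.9.9,10.1.0.10,502",    # source not in inventory: unknown asset
]
```

Calling `check_flows(SAMPLE_FLOWS)` yields three findings (zone-skip, unexpected-conduit, unknown-asset); with `heightened=True` the HMI-to-historian flow is reported as well, which is the connectivity an operator would expect to have cut.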
4. Secure Remote Access
The digitisation of ICS and changing business requirements have led to an increase in remote connectivity, which can bring significant business and operational value. However, it also brings risk, as adversaries increasingly target these methods of remote access. To mitigate the risk, secure remote access is a must, and Multi-Factor Authentication (MFA) is a central part of it. MFA should be applied to externally accessible connections, such as remote work by employees, integrators, original equipment manufacturers, and other vendors and partners. Where MFA is not possible, compensating controls should be developed to mitigate the risk. These include jump hosts, ‘break and inspect’ opportunities, guiding remote connections through choke points for increased monitoring, and the capability to cut communications in heightened scenarios.
5. Risk-based Vulnerability Management
A risk-based vulnerability management programme helps to identify the vulnerabilities that pose the most risk to an organisation, and to focus on mitigating their impact or monitoring for their exploitation. Only 4% of vulnerabilities in ICS environments require immediate action, and 10% are not useful. The remaining vulnerabilities can be monitored or mitigated. IT and OT staff may find it difficult to patch every vulnerability because of long life cycles and potential disruption. Focusing on key vulnerabilities and applying a defensible architecture together with ICS network visibility and monitoring should reduce tension, workload and disruption.