As cyber adversaries who target industrial facilities continuously pick apart weaknesses in operational technology (OT) environments to orchestrate their attacks, the need grows by the day for enterprises to evolve their OT vulnerability management practices.
While more than 91% of organisations include on-premises IT infrastructure assets in their existing or planned vulnerability management program, only 23% do the same for OT assets.
This lag is not necessarily from any failure by industrial organisations. Instead, it can be partially explained by the unique challenges of finding and remediating vulnerabilities in OT environments.
Why are OT environments harder to manage for vulnerabilities?
Managing vulnerabilities in OT environments is challenging for several reasons.
Consider these realities:
• Active scanning can be very disruptive to OT environments
• Many OT and ICS systems have exceedingly long patch cycles
• Downtime tolerance is slim to none for OT systems
• Legacy and fit-for-purpose assets are entrenched
• Remediation of many OT vulnerabilities is highly manual and depends on vendor action/approval
While many security teams have made recent inroads in regularly assessing for and identifying OT vulnerabilities, these challenges have made it difficult for them to push beyond vulnerability assessment into full-cycle vulnerability management.
It can be daunting to overcome these challenges, but there are several steps that industrial organisations can take to get started in maturing their OT vulnerability management program.
One of the most foundational elements of an effective vulnerability management program is establishing asset inventories and asset visibility.
OT vulnerability management starts with asset discovery
Organisations cannot fix flaws in OT assets they do not know they have.
Therefore, every effective OT vulnerability management program starts with discovery and asset visibility. Organisations need to conduct an asset discovery process that identifies assets in the environment and classifies them by a range of attributes, maps their connections and tracks their configuration state. Ideally, this asset inventory should be continuously updated.
Organisations that can build out automated mechanisms to gain continuous visibility into the state of their asset inventory greatly improve the sustainability of their OT vulnerability management program.
It is important to note that many IT asset visibility tools do not translate well to the OT environment. Organisations may therefore need an OT-specific approach to asset visibility in order to reach a level of insight into assets, vulnerabilities and risks that is closer to what their security team is used to seeing across the IT asset portfolio.
To get this right, organisations must establish a plan that determines data collection requirements through a structured approach using a collection management framework. A good plan will lay the foundation for establishing an automated mechanism for continuously updating the inventory and establishing ongoing OT asset visibility.
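The passive inventory process described above, as an added illustration that is not part of the original article or of any Dragos product: constructed observations of ICS traffic (timestamps, client and server IPs, server port, protocol and attributes learned from the exchange, all made up) are folded into an inventory that classifies each asset by role and protocol, maps connections between assets, and records configuration-state changes between sightings. The port-to-role mapping is an assumption for the example.

```python
# Constructed sample of passively observed ICS traffic (e.g. mirrored from a SPAN
# port). Fields: timestamp, client IP, server IP, server port, protocol, and
# attributes learned from the protocol exchange. All values are made up.
OBSERVATIONS = [
    ("2021-06-01T08:00:00Z", "10.1.2.10", "10.1.2.50", 502, "modbus", {"firmware": "2.1"}),
    ("2021-06-01T08:00:05Z", "10.1.2.10", "10.1.2.51", 102, "s7comm", {"firmware": "4.0"}),
    ("2021-06-01T08:00:09Z", "10.1.2.11", "10.1.2.50", 502, "modbus", {"firmware": "2.1"}),
    ("2021-06-02T08:00:00Z", "10.1.2.10", "10.1.2.50", 502, "modbus", {"firmware": "2.2"}),
]

# Assumed mapping from well-known ICS server ports to the role of the listening asset.
SERVER_ROLES = {502: "modbus-server", 102: "s7-server", 20000: "dnp3-outstation"}


def new_asset(ts):
    """Empty inventory record for an asset first seen at time ts."""
    return {"roles": set(), "protocols": set(), "attrs": {}, "first_seen": ts, "last_seen": ts}


def build_inventory(observations):
    """Fold passive observations into (inventory, connections, drift).

    inventory:   ip -> roles, protocols, learned attributes, first/last seen
    connections: set of (client, server, protocol) links between assets
    drift:       (timestamp, ip, attribute, old, new) when a learned attribute
                 such as a firmware version differs from the last sighting
    """
    inventory, connections, drift = {}, set(), []
    for ts, client, server, port, proto, attrs in sorted(observations, key=lambda o: o[0]):
        for ip in (client, server):
            inventory.setdefault(ip, new_asset(ts))["last_seen"] = ts
            inventory[ip]["protocols"].add(proto)
        inventory[client]["roles"].add("ics-client")
        inventory[server]["roles"].add(SERVER_ROLES.get(port, f"tcp/{port}-server"))
        connections.add((client, server, proto))
        known = inventory[server]["attrs"]
        for key, value in attrs.items():
            if key in known and known[key] != value:
                drift.append((ts, server, key, known[key], value))
            known[key] = value
    return inventory, connections, drift


if __name__ == "__main__":
    inv, conns, changes = build_inventory(OBSERVATIONS)
    for ip, asset in sorted(inv.items()):
        print(ip, sorted(asset["roles"]), sorted(asset["protocols"]), asset["attrs"])
    for link in sorted(conns):
        print("link", link)
    for change in changes:
        print("config change", change)
```

Re-running the fold on each new batch of observations is what keeps the inventory continuously updated; the drift list is the trigger for re-assessing an asset's vulnerability exposure.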
Cultural divide between IT and OT teams
As the frequency and severity of cyber-attacks on industrial organisations increase, defenders struggle to keep ahead of threats. Security leaders know that a unified IT and OT approach is critical to protecting the safety and availability of operations but face cultural and technical differences between traditional IT best practices and what is possible in OT.
The recently published “2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT and OT Teams” from the Ponemon Institute found that only 21% of organisations have achieved full maturity of their ICS/OT cybersecurity program, in which emerging threats drive priority actions, and C-level executives and the board are regularly informed about the state of their OT security.
Most organisations lack the IT/OT governance framework needed to drive a unified security strategy, and that begins with the lack of OT-specific cybersecurity expertise in the organisation.
Bridging the cultural divide between IT and OT teams is a significant challenge. But organisations must not fall into the trap of thinking that OT can just be tacked onto an existing IT program or managed under a general IT umbrella. There are fundamental differences between the problems and goals of a corporate IT environment—data safety and security—and industrial environments, where human health and safety, loss of physical production, and facility shutdowns are real risks.
Deep domain expertise and ICS/OT-specific technologies are both required to truly safeguard industrial systems. This ensures a better understanding of ICS/OT networks and the industrial-specific security challenges an organisation may face, preparing them to more effectively monitor and improve their ability to prevent, detect and respond to cyber-attacks.
Article by Dragos ANZ senior sales executive, Warren Miekle.