How to Build a 'DefenderSphere' Map for OT Security
In locking down operational technology, companies need to bring in a team of experts comprised of enterprise partners, OT specialists and security pros.
You are Tom Hanks in Cast Away. You have just been plunked down onto an island where you have no earthly clue where you are or where to begin. So, what's the next logical step? Seek the high ground and map out the ecosystem.
This is where many chief information security officers find themselves today. The board has just placed you in charge of cybersecurity for their biggest operational cybersecurity capital investments. The executive committee doesn’t want to be hit with the next attack, and if they are, they definitely want to have answers to questions about how it happened and how long it will take to recover. That’s now your job.
So how does a CISO seek the high ground? How do you begin to build a map for a journey to the civilization your company has come to know over the last two decades with frameworks like ITIL and the Critical Security Controls (CSC) Top 20? You build a ‘DefenderSphere’ map.
I have been in the OT security and compliance business for 15 years. Many of my co-workers have been at it as long or longer. We've seen a lot of convergence attempts, some good, some not. The less successful ones usually started out like this: "Okay, well, I have built a solid program and have existing contracts with these IT vendors, so let's forge ahead with those into this brave new world of OT."
The issue, this OT island, isn't new. It is decades old and more like New Zealand, a chain of very large islands. And much like those real-world islands, it has evolved in isolation. While occasionally something might fly or swim over from the mainland, much of the ecosystem has evolved to fill very specific and unique roles. Some of it is even dangerous. OT has placed a very high value on predictability, reliability, and most importantly safety of life and property. These are different values from those of the IT mainland, where the triangle of confidentiality, integrity and availability has separated winners and losers.
To better illustrate these value differences let’s look at a simple example. Online health record data is really important. It needs to be accurate and needs to be secure. The user expects reasonable load times but it doesn’t really matter in what order the data loads. The lab results have already taken days, so a brief system outage doesn’t really matter. It doesn’t really matter if there are a few packets dropped and re-transmitted during actual transmission. It does matter if those packets are altered or viewed by a third party. The priorities are equal parts confidentiality and integrity, followed in a lesser degree by availability.
A plant safety system, however, is designed to receive a temperature reading every 1/60th of a second. That needs to happen with an accuracy of two milliseconds. If the safety system fails to receive a signal, it will "fail safe" and stop your process. If it receives the wrong data, it will either fail to act correctly or will act when it shouldn't. Here a retransmission is disastrous. You either have a plant offline for days, or you have a potential loss of life and equipment. It needs to do this for 24 months straight, with no outages. No one cares who sees that value; the more the merrier. You do care that it is accurate and reliably delivered every 1/60th of a second for 24 months. Here your priorities are equal parts availability and integrity and, to a much lesser degree, confidentiality.
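To make the timing contrast concrete, here is an added illustration (not code from the article or from Industrial Defender) of a fail-safe sample watchdog for the plant safety system described above. The sample period, the 2 ms tolerance, the trip-on-late rule and the constructed sample stream are assumptions for this example: a reading that arrives late, as a retransmission would, counts as a missed reading and trips the process rather than being accepted.

```python
"""Fail-safe watchdog for a 60 Hz safety sample stream (added example)."""
from dataclasses import dataclass

PERIOD_S = 1.0 / 60.0   # one temperature reading every 1/60th of a second
TOLERANCE_S = 0.002     # readings must land within two milliseconds


@dataclass
class Sample:
    seq: int          # sequence number of the reading
    t_arrival: float  # arrival time in seconds since process start
    temp_c: float     # temperature value carried by the reading


class SafetyWatchdog:
    """Accepts on-time, in-order, in-range readings; trips on anything else."""

    def __init__(self, t0: float, lo_c: float, hi_c: float) -> None:
        self.t0, self.next_seq = t0, 0
        self.lo_c, self.hi_c = lo_c, hi_c
        self.tripped, self.reason = False, ""

    def _trip(self, reason: str) -> bool:
        self.tripped, self.reason = True, reason   # fail safe: stop the process
        return False

    def feed(self, s: Sample) -> bool:
        """Return True if the reading is accepted, False once the process trips."""
        if self.tripped:
            return False
        if s.seq != self.next_seq:   # a gap or reorder is a missing reading
            return self._trip(f"sequence gap: expected {self.next_seq}, got {s.seq}")
        expected_t = self.t0 + s.seq * PERIOD_S
        drift_ms = (s.t_arrival - expected_t) * 1000.0
        if abs(drift_ms) > TOLERANCE_S * 1000.0:   # late delivery == no delivery
            return self._trip(f"sample {s.seq} late by {drift_ms:.1f} ms")
        if not (self.lo_c <= s.temp_c <= self.hi_c):
            return self._trip(f"out-of-range temperature {s.temp_c} C")
        self.next_seq += 1
        return True


def run_constructed_stream() -> tuple[int, bool, str]:
    """Feed a constructed stream: three on-time readings, then one delayed 25 ms."""
    wd = SafetyWatchdog(t0=0.0, lo_c=20.0, hi_c=95.0)
    stream = [Sample(i, i * PERIOD_S + 0.0005, 70.0 + i) for i in range(3)]
    stream.append(Sample(3, 3 * PERIOD_S + 0.025, 73.0))  # a "retransmitted" reading
    accepted = sum(1 for s in stream if wd.feed(s))
    return accepted, wd.tripped, wd.reason
```

The same 25 ms delay would be invisible to a web application; here it stops the process, which is exactly the availability-and-integrity ordering the paragraph describes.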
This is why all too often I've seen failures when people rush into an OT environment with the latest technology. The priorities are all wrong. You need partners and solutions who understand this and who have experience. Or maybe they rush to pick the latest OT buzzword, but it ultimately falls short, because it is a point solution and never reaches the audience it would serve best. You need a plan for where it makes sense to bring in your enterprise partners, where to bring in your OT specialists, and where the journey is better together. You need a map to safely plot your journey.
This is why we developed the DefenderSphere. It is a beginning to drive a better conversation. It is your high point to see the ecosystem around you. Take it and sit down with your OT staff and begin building your own map. No one solution will solve this for you. It’s not true in IT, and it isn’t in OT. Do not just focus on a SOC dashboard, or threat intelligence, or just a single plant compliance program, but a true enterprise cybersecurity and compliance program. As the world has seen the last few months, society is completely dependent on these systems.
We hope this helps everyone take a breath and plot that course. We all depend on it.
About the Author: Jeremy Morgan is Principal Solutions Engineer at Industrial Defender. Jeremy has over 20 years' experience in IT and OT cybersecurity, with a diverse career ranging from running compliance at a utility to serving as a cybersecurity product manager for a major OEM.