COVID-19 Creates Opening for OT Security Reform

Operations technology was once considered low risk, at least until the virus came along and re-arranged the threat landscape.

John Livingston, CEO of Verve Industrial Protection

September 30, 2020

5 Min Read
Dark Reading logo in a gray background | Dark Reading

It appears COVID-19 will dramatically impact the economy – and our work life – at least until a vaccine is discovered. In this crisis mode, operators have needed to reduce onsite personnel, putting greater strain on the limited resources at the plant and requiring an increase in external connectivity for those working remotely.

At the same time, cases of ransomware and vulnerabilities associated with industrial control systems are growing rapidly. Both the National Security Agency and Cybersecurity and Infrastructure Security Agency recently released alerts on the significant increase in cyberattacks on critical infrastructure. The air-gap (if it ever truly existed) is now gone.

The challenges of industrial control systems (ICS) and operations technology (OT) cybersecurity are well-known: sensitive devices, limited resources, risk to operations, and the oft-repeated question of "Why bother, if we aren't connected to the Internet?" to name a few. But the crisis opens the door to new possibilities. No longer is the air-gap argument realistic. OT and ICS endpoints are clearly at risk, yet asset visibility and security are also now feasible. How do you avoid wasting the opportunity that comes from this crisis?

Below is a four-step guide that security leaders can follow to significantly change the direction of OT security so that as we emerge from the pandemic, entire systems will be more secure and efficient processes will be created to keep them that way.

Step 1: Don't Settle 
It's tempting to settle for near-term fixes to immediate problems during a crisis. As COVID-19 requires more operations personnel to work remotely, that "near-term fix" is secure remote access. Over the past six months, the demand for these solutions has doubled within our client base. However, secure remote access alone is insufficient. 

Achieving security requires perimeter protection, but endpoint protections within the perimeter is also crucial. Patching, user and account management, software and configuration management, etc., are necessary parts of securing the industrial environment. This crisis offers an opportunity for security leaders to break through the former reaction of "We aren't connected," and push to apply more comprehensive security management across the OT environment.

Step 2: Leverage Security to Enable Business Operational Outcomes 
Usually an agonizingly slow process, COVID-19 has caused a five-to-ten year acceleration in the pace of remote plant support. However, many technology and security initiatives required to safely enable the shift have yet to be implemented. Now is the opportunity to help deliver business outcomes and increase security maturity simultaneously. There are many ways that the foundational elements of security management can improve the efficiency and reliability of remote plant operations.

Two examples include centralized asset visibility and autmated security management. Centralized asset visibility enables proactive identification of operational and security risks. When customers use Verve to aggregate all of their asset information, they are able to monitor for potential operating issues on those devices, e.g., HMIs that are running low on storage; network switches that are starting to overload or slow down; operator consoles that are regularly bluescreening because of outdated or unnecessary software in place; etc. Although these issues are operational in nature, the platform designed to identify "security-specific" flaws – including vulnerabilities, missing patches, and risky configurations – can also identify operational errors to reduce potential downtime.  

Automation included in security management can significantly improve operators' efficiency. If implemented correctly with a "Think global, act local" approach, actions can be designed centrally, with plant personnel controlling automation to ensure actions only happen at the right time and after the right sequence of testing. Our clients regularly save 40%+ in labor from having operator-controlled automation, accomplishing actions that normally take four weeks in merely a few hours.

Step 3: Make a One-Time, Step-Function Increase in OT Security
Conducting OT vulnerability assessments over the last decade, we consistently discovered thousands of missing patches, insecurely configured assets, dozens of shared and/or dormant accounts, unused and risky ports and services, etc. In every case, a one-time clean-up is needed to create a step-change improvement and create a new baseline in security maturity. Now is a great time for this reset. 

Protective elements such as layering compensating controls where patches cannot be deployed, ensuring devices that are insecure by design – including many legacy OT devices – are not directly connected to the external network, and hardening configuration settings can reduce the need for "whack a mole" when a new vulnerability is announced. We have seen our clients save 30% of the labor requirements of remediation by taking these actions. 

Step 4: Bring OT Personnel Onto Security Teams
Industrial companies also have the opportunity to reshape security leadership, especially as remote work has perhaps freed up some plant responsibilities of OT personnel. Our industrial clients have seen great success in shifting OT heads into cybersecurity leadership roles. For example, the OT leader of a Fortune 500 client who is now the head of cybersecurity architecture across both OT and IT, brought a unique perspective to the problem and developed truly creative solutions, achieving efficient and effective security through combined IT/OT management. 

The disruption caused by COVID-19 has created a window where resources are now shifting, uncertainty exists, and new models are possible. Let's not waste this opportunity to emerge from the crisis even smarter, more secure, and more efficient than before.

 

About the Author

John Livingston

CEO of Verve Industrial Protection

John leads Verve Industrial Protection's mission to protect the world's infrastructure. He brings 20+ years of experience from McKinsey & Co., advising large companies in strategy and operations. Recognizing the challenges of greater industrial connectivity, John joined Verve Industrial to help companies find the lowest cost and simplest solutions to their controls, data and ICS security challenges.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights