The industrial manufacturing space is one in which IT and OT infrastructures are increasingly converging. Plant teams want to ensure safe and reliable operations, with assets running as much as possible, and the ultimate responsibility for this lies with operations, maintenance, and the entire OT team.
However, OT networks and control networks tend to be primitive, without security built in. They are built on implicit trust because they are built for specific functions, and where certain security controls are lacking (segmentation, access control, secure remote access, patching), conditions exist for a perfect storm of attacks and intrusions.
Enrique Martinez is technical solutions architect for OT security at World Wide Technology, and he offered his thoughts on how asset management and operations teams can approach OT security in a planned, effective manner that safeguards both assets and operations.
Step 1. Build trust between IT, OT, and engineering
“You cannot have reliable operations without the three of them,” says Martinez, adding that building trust between the three teams is based on managing that ongoing relationship through conversation. “I'm a very big fan of a whiteboard—we will go whiteboard the system, lay it all out—and then once I have an understanding of that system, I'll bring in the security piece out, overlay it to them. I explain to them what it is that I'm doing and why. I am not pushing something on you as an engineer, but I'm explaining to you why we're doing this.” That explanation usually involves risk reduction, ensuring the reliability and availability of the systems, and helping ensure that damage to those systems is minimal in case of a security event.
“It's really more gaining an understanding, a level-set that this is where we are, this is where we are going to get to, and this is how we're going to get there together as a group—IT, OT, engineering, maintenance, I&C, whoever it is,” adds Martinez. “Instrumentation and controls technicians are usually vital to those operations, and in my experience, having I&C technicians that understand what you're trying to do will help you get a lot further.”
Step 2. Safety first
When establishing a rapport between IT, OT, and engineering, Martinez emphasizes that safety should be everyone’s primary concern and central point of common ground. “For industrial systems, it's going to be safety—safety first. It's also going to be availability; we need to be able to continue operating. And then lastly, it's risk reduction as it pertains to safety and availability.”
Often a reliability or maintenance engineer will approach the finance team for support in security efforts, as finance can help other plant teams quantify the value of risk reduction. “I've personally lived this where, we have an effort, whether it is due to regulatory compliance, or because it's an effort for reducing risk, and you go to a business unit, and you say, hey, we want to reduce this risk, we want to take this action, and it's just to make your operation safer and more reliable,” says Martinez. “The first response that I get—and this is before we start having the true conversations and the relationship management part of the equation—their answer is, ‘well, we've never been hacked, why do we have to make changes?’ So, to me it's a race, you’re constantly fighting all these different attacks that are coming in, and there's new ones coming in every day.”
Martinez's approach to cybersecurity is that there are two types of entities: the ones that have been compromised, and the ones that are compromised and don't know it. Over the last few years, it has been proven that even safety systems can be vulnerable. In both cases, finance can help foster the right conversation on risk reduction and safety improvement.
Step 3. Assess the impact of segmentation on operations
Segmentation can be considered the most basic form of risk reduction in an OT environment, in which you’re separating critical assets from everything else. But there’s some important planning work that must be done first in order to prevent segmentation from affecting other critical systems.
“What I see the most is, oh, we need segmentation,” says Martinez. “But when you start peeling the layers of the onion back and you ask, okay, do you have a good asset inventory? ‘Oh, no, we don't.’ Do you have good network diagrams? Some places do, other places have network diagrams that were commissioned 15 years ago, that's what we have but the environment has changed over time. So the first thing that we need to do is conduct a high-level assessment of where you are. We need to establish that baseline of where you are, understand what it is that you're trying to achieve, and really define those business requirements.”
He adds that “with that separation, you need to also understand critical dependencies that might be outside of that bubble that you're creating. Think about inventory systems, logistics, billing systems. To that extent, when we're talking segmentation, it's really understanding the environment, the critical dependencies and ensuring that everything is protected to the same level.”
Step 4. Develop a secure remote access strategy
The flip side of a strong segmentation plan is a solid remote access strategy. There will be times when vendors or third parties will be the best or only option to help maintain your networked assets as well as the networks themselves. VPNs can be a solution, says Martinez, but there is an associated risk of extending a secure critical network over to another PC or to a laptop that travels and has access to the internet, which increases the risk of opening your assets or system to harmful software.
“There are newer technologies that are specific to OT that enable secure remote access, where you can actually track what the person did, when they logged in, you can record the session and see where they clicked, what they typed and whatnot on that session,” explains Martinez. “Not only that, you can monitor the session, and if something were to happen, you get an alert that something's going on, you can actually go and disable that session. It's a way of ensuring that you still get the support that you need, but in a more secure manner.”
In this way, you're keeping networks separate up to a certain extent, but you're still enabling remote interaction with those systems. With these technologies in place, for example, “now you can do secure file transfer: I upload the file, it gets inspected, once it gets inspected, then it's allowed to go forward. Those are all just really means of reducing that risk, while still allowing you to perform those operations,” Martinez says.
Step 5. Record every asset management victory
To keep momentum on your security initiative, it is important to record the success stories along the way and share them among IT, OT, engineering, and management. Martinez remembers one such case: “I worked in a project where they were deploying pipe corrosion monitors throughout a field, and they were wireless, there's a wireless array. What we ended up doing was building a wireless network parallel to our production network. But then, since those systems were not necessarily critical, and they were not fully trusted, what they were doing was collecting that data, converging at a gateway that actually uploaded the stuff to a provider that was hosting the data, and then you could access it through the internet. That way you are actually collecting the data, but you're not mixing your gear that's just collecting data with your control gear.”