While automation technology has been around for decades, protecting control system assets from a set of very modern-day threats is relatively new. In the face of growing risk, companies are challenged by continuously evolving best practices and standards. With this new territory comes confusion (multiple standards, changing regulatory laws, hyped news stories) and often frustration (deciphering vendor claims and managing security for proprietary systems).
Lately, companies have expressed confusion over which cybersecurity solutions reach far enough into their control system assets. The desire to overcome this confusion stems from industry recognizing that its most valuable assets are also its most vulnerable, as well as from standards bodies publishing OT-specific compliance requirements (e.g., NIST, Q-CERT, and NERC CIP) during the last few years.
Unfortunately, the definitions of OT and IT – at least as far as the control network is concerned – have become muddied by quite a bit of vendor marketing speak. Let’s see if we can get a clearer definition of terms. First, cybersecurity that strictly focuses on Windows machines, switches, routers, and firewalls is by definition IT cybersecurity. It doesn’t matter whether those devices are in the control network or not. OT cybersecurity, which includes the IT systems in a control network, also includes those proprietary, often heterogeneous control systems that sit behind the Windows machines, such as the Honeywell TPS, Yokogawa Centum, and Rockwell Allen Bradley PLC found in plants today. Think of OT cybersecurity’s purview as a superset of all assets in the control network.
While companies absolutely need IT-based security, by no means does this sufficiently address the control systems at the heart of OT cybersecurity. A solution must account for I/O cards, controllers, control strategies, sequential function charts, registers, rungs, graphics, and other detailed configuration data. Without this information and the ability to analyze it or watch for unauthorized change, cybersecurity risk remains within the control network.
Here’s a quick way to evaluate whether an OT solution is truly focused on OT cyber assets. Ask yourself if your solution addresses these three real-world cybersecurity scenarios:
- Can you determine your enterprise’s exposure to a published ICS-CERT vulnerability focused on a specific manufacturer and model of a transmitter?
- Can you detect an unauthorized change to a safety system’s logic?
- Will you identify the next Stuxnet attack that successfully gets past IT protection layers, such as glued USB ports, A/V software, and firewalls?
If you answer “yes” to all three, then you have an OT cybersecurity solution. What do you have in your control network?
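The first two scenarios above come down to two concrete capabilities: an asset inventory detailed enough to match a vendor/model/firmware named in an advisory, and a baseline of each device's logic or configuration that can be compared against the current state and reconciled with change-management records. The following is an added example, not code from the original post or from any vendor product, showing both checks in working form. All vendor names, model numbers, firmware versions, advisory identifiers, and configuration blobs are constructed placeholders; `Asset`, `Advisory`, `exposed_assets`, `build_baseline`, and `detect_unauthorized_changes` are hypothetical names chosen for this illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Asset:
    """One entry in an OT asset inventory (constructed for this example)."""
    asset_id: str
    vendor: str
    model: str
    firmware: str
    role: str       # e.g. "transmitter", "controller", "safety"
    config: bytes   # exported logic/configuration: rungs, SFCs, registers, ranges ...


@dataclass
class Advisory:
    """Minimal model of a published advisory naming an affected product."""
    advisory_id: str
    vendor: str
    model: str
    affected_firmware: frozenset


def exposed_assets(inventory, advisory):
    """Scenario 1: which assets match the vendor/model/firmware named in an advisory?"""
    return sorted(
        a.asset_id for a in inventory
        if a.vendor.lower() == advisory.vendor.lower()
        and a.model.lower() == advisory.model.lower()
        and a.firmware in advisory.affected_firmware
    )


def config_fingerprint(config: bytes) -> str:
    """Stable fingerprint of a device's exported configuration."""
    return hashlib.sha256(config).hexdigest()


def build_baseline(inventory):
    """Record each asset's configuration fingerprint at a known-good moment."""
    return {a.asset_id: config_fingerprint(a.config) for a in inventory}


def detect_unauthorized_changes(baseline, inventory, approved_changes):
    """Scenario 2: flag configuration drift not covered by an approved change record.

    approved_changes maps asset_id -> the fingerprint that change management approved,
    so an approved logic update does not raise a finding while an unexpected one does.
    """
    findings = []
    for a in inventory:
        current = config_fingerprint(a.config)
        known = baseline.get(a.asset_id)
        if known is None:
            findings.append((a.asset_id, "not in baseline"))
        elif current != known and approved_changes.get(a.asset_id) != current:
            findings.append((a.asset_id, "unapproved logic change"))
    return findings


# Constructed inventory snapshot taken when the baseline was established.
INVENTORY_BASELINE = [
    Asset("TX-0101", "ExampleVendor", "TX-100", "2.1", "transmitter", b"range=0-100;units=kPa"),
    Asset("TX-0102", "ExampleVendor", "TX-100", "2.0", "transmitter", b"range=0-50;units=kPa"),
    Asset("SIS-01", "ExampleVendor", "SafePLC-5", "4.3", "safety", b"IF PT101 > 95 THEN TRIP"),
    Asset("PLC-07", "OtherVendor", "CompactPLC", "1.9", "controller", b"RUNG1: XIC I:0/0 OTE O:0/0"),
]

# Constructed advisory: placeholder identifier, not a real ICS-CERT advisory.
ADVISORY = Advisory("ICSA-EXAMPLE-0001", "ExampleVendor", "TX-100", frozenset({"2.0"}))

# Constructed current snapshot: the safety logic trip point was altered with no change
# record, PLC-07 was updated through change management, and PLC-08 appeared unannounced.
CURRENT_SNAPSHOT = [
    Asset("TX-0101", "ExampleVendor", "TX-100", "2.1", "transmitter", b"range=0-100;units=kPa"),
    Asset("TX-0102", "ExampleVendor", "TX-100", "2.0", "transmitter", b"range=0-50;units=kPa"),
    Asset("SIS-01", "ExampleVendor", "SafePLC-5", "4.3", "safety", b"IF PT101 > 120 THEN TRIP"),
    Asset("PLC-07", "OtherVendor", "CompactPLC", "1.9", "controller", b"RUNG1: XIC I:0/0 OTE O:0/1"),
    Asset("PLC-08", "OtherVendor", "CompactPLC", "1.9", "controller", b"RUNG1: XIC I:0/1 OTE O:0/2"),
]

APPROVED_CHANGES = {
    "PLC-07": config_fingerprint(b"RUNG1: XIC I:0/0 OTE O:0/1"),
}


def run_checks():
    """Run both scenario checks against the constructed data and return the findings."""
    baseline = build_baseline(INVENTORY_BASELINE)
    return {
        "exposed": exposed_assets(INVENTORY_BASELINE, ADVISORY),
        "changes": detect_unauthorized_changes(baseline, CURRENT_SNAPSHOT, APPROVED_CHANGES),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

The point of the example is where the data comes from: the matching and fingerprinting are simple, but they only work if the inventory reaches below the Windows layer to the transmitter firmware and the safety controller's exported logic. A solution that inventories only hosts and network devices cannot populate `firmware` or `config` for these assets and so cannot answer either question.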