What are the top three pieces of advice you would give a CISO to make the plant OT/ICS environment more secure from cyber attacks?
Jacob Laas Glass is responsible for integrated operations and ICS security on six offshore oil platforms. As the ICS industry gives more consideration to cybersecurity, vendors must develop a more holistic view. Until then, he has adopted several practices that have greatly improved cybersecurity in his environment.
1. Begin with a technical standard of critical security elements. OT control systems often require multiple components to work together in order to perform a control function. Every device in that control system could have a critical safety impact on the overall system’s function. When a device is installed, all the ways it could negatively impact the system must be evaluated. Glass recommends applying the same strategy to evaluate ICS from a security perspective. Begin with a technical security standard that the system and its components must meet. “Every time we install something, we apply a Swiss cheese model against the standard. We look at it to see what can be set up initially, what we can prevent, what we can detect, what we can respond to, and what we can recover. If there’s something we can’t do, we look for what we can do in the system instead to cover for that security element,” he notes. When something is added to the system, one way or another the system as a whole must still meet the standard of critical security elements.
2. When in doubt, assume a protection is not there. In Glass’s environment, systems are pretty well documented from a cabling standpoint. However, documentation of device configuration is often poor. New technology that detects OT devices and their configurations has been a tremendous help in providing greater visibility, but there still can be areas of uncertainty. “For example, it might not be clear if a device is configured with a host firewall. In this scenario, we have to assume that it’s not there, and then develop a plan for hardening that device or network.” This involves a lot of work and help from vendors. “Some vendors know how to protect their own systems, but others do not get involved in industrial security. Then we do it ourselves,” says Glass.
3. Establish an OT department that works closely with the IT department. This gives OT people access to IT people, who typically have more detailed technical knowledge about cybersecurity issues. In Glass’s organization, although the OT department resides in the IT department, it is still totally responsible for operations and OT security. But sitting next to the IT people has been a big help. “Every time we connect a device, we have different information from the vendor. ‘This is possible, this is not possible’ and so on. We get our network guy and the IT guy together and we apply our Swiss cheese model—what can we do to prevent, detect, and respond. That has helped us create good, secure solutions.”
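The evaluation loop Glass describes in points 1 and 2 (check each new device against the prevent/detect/respond/recover elements, treat any undocumented protection as absent, and cover a miss with a control elsewhere in the system) can be written down as a small, repeatable check. The code below is an added illustration, not from the article or Glass's organization; the device names, control states and compensating controls are constructed for the example.

```python
"""Swiss-cheese check of devices against a standard of critical security
elements. A device satisfies an element if it documents a present control
for it, or if a system-level compensating control covers that element.
Undocumented ("unknown") controls are assumed absent, per advice #2."""
from dataclasses import dataclass, field

ELEMENTS = ("prevent", "detect", "respond", "recover")


@dataclass
class Device:
    name: str
    # element -> "present" | "absent" | "unknown"; a missing key is unknown
    controls: dict = field(default_factory=dict)


def device_covers(device, element):
    """Only a documented, present control counts; unknown is treated as absent."""
    return device.controls.get(element, "unknown") == "present"


def evaluate(devices, compensating):
    """Return {device: {element: 'device' | 'compensating:<names>' | 'GAP'}}.
    `compensating` maps an element to system-level controls (e.g. a zone
    firewall for 'prevent') that stand in when the device itself cannot."""
    report = {}
    for d in devices:
        report[d.name] = {}
        for e in ELEMENTS:
            if device_covers(d, e):
                report[d.name][e] = "device"
            elif compensating.get(e):
                report[d.name][e] = "compensating:" + ",".join(compensating[e])
            else:
                report[d.name][e] = "GAP"
    return report


def hardening_plan(devices, compensating):
    """Sorted (device, element) pairs the system as a whole still fails to cover."""
    rep = evaluate(devices, compensating)
    return sorted((dev, e) for dev, els in rep.items()
                  for e, s in els.items() if s == "GAP")


# Constructed sample: PLC-A's host firewall status is undocumented (unknown);
# HMI-1 documents nothing for respond/recover.
SAMPLE_DEVICES = [
    Device("PLC-A", {"prevent": "unknown", "detect": "absent",
                     "respond": "absent", "recover": "present"}),
    Device("HMI-1", {"prevent": "present", "detect": "present"}),
]
SAMPLE_COMPENSATING = {"prevent": ["zone firewall"], "detect": ["passive OT monitor"]}

if __name__ == "__main__":
    for dev, element in hardening_plan(SAMPLE_DEVICES, SAMPLE_COMPENSATING):
        print(f"GAP: {dev} has no control covering '{element}'")
```

Each printed GAP is an element the standard requires but neither the device nor any compensating control provides, i.e. the item that needs a hardening plan before the device is connected.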
This blog comes from the eBook Advice for CISOs: How to Approach OT Cybersecurity. Download the full eBook for more strategies from experts on the front lines of OT cybersecurity.