You Need To Lock Down Cyber-Physical Systems. Here's How To and Why
Cybersecurity should focus on OT as well as IT.
Organizations need visibility into operational technology [OT] as well as information technology, according to Paul Furtado, VP, Analyst, Midsize Enterprise Security, at Gartner, during his keynote at the Midsize Enterprise Summit IT Security 2024.
IT environments now span SaaS applications, cloud services and physical systems. Furtado spoke about the need to lock down the physical infrastructure as well.
Many of the leading security vendors address OT. Palo Alto Networks defines OT security as securing the "hardware and software systems that execute monitoring and/or control over industrial equipment and processes."
According to Cisco: "OT security (also called ICS security and industrial IoT security) refers to cybersecurity practices that help to ensure operations continuity, integrity, and safety in industrial networks and critical infrastructures."
"Operational technology (OT) is the use of hardware and software to monitor and control physical processes, devices, and infrastructure," according to Fortinet.
Collectively, the industry takes these definitions to cover supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), Industrial Internet of Things (IIoT) devices such as sensors, monitors and actuators, building management and automation systems, physical access controls and more.
"We spend all our time focusing on the IT side," Furtado said. "A lot of the risk is over on the cyber-physical center, and the bad actors know it. The reality [is] you carry more tech debt on your OT [operational technology] side of the business than you do the IT side of the business."
Furtado spoke about locking down the physical environment and not just IT operations and the reasons why:
Shared Credentials
One thing that happens in OT that we really don't allow on the IT side [is] shared credentials, Furtado said. He cited an example: "You got three shifts a day. You've got a number of people who come in using the exact same machine. They don't all have a different username and password. They all log in as 'operator' ... so we've got a lot of shared credentials sitting in that environment," he said.
Remote Access
"We have uncontrolled remote access. You know why? Because the folks that are responsible for facilities or plant operations, they signed a contract with Siemens or Honeywell, or Schneider Electric, or whoever, pick your vendor," he said.
"And part of that contract was that they will do maintenance. Part of that maintenance means they just connect in. No control. Direct into that device. What does that mean? What sort of controls [do] we have in there?" he added.
Furtado said that a lot of these devices also have a long shelf life. "We're not replacing them [and] we're not doing a good job of configuration tracking that we need to do."
Untraditional Equipment
Hackers are not going after the traditional things that you might expect, Furtado said. "Now, they get into your HVAC system … They're going to turn off your cooling in your data center … They've also disabled the alarm, so you don't know. Now you've got a thermal alert on your server.
By the time you can get to those machines, they're too hot. They're going to shut down. You now have an outage. That's why you've got to start caring about these things," he added.
Adhere To The Purdue Model
Furtado said that the Purdue model for industrial control systems (ICS) is a good template for locking down physical systems. He called it a "game plan and model to adhere to." The model divides an ICS environment into hierarchical levels, from the physical process and its controllers up through site operations, an industrial DMZ and the enterprise network, with controls enforced at each boundary. "Visibility is important. You have to know what you are trying to protect," he said. Facilities, plant operations and all other physical infrastructure must be part of the security strategy, he said.
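The two points Furtado makes here, visibility and layered segmentation, can be turned into a concrete check. The following Python script is an added example, not code from the keynote, Gartner or any vendor: it takes a constructed asset inventory with Purdue level assignments and a constructed set of network flows, and flags flows that cross the IT/OT boundary without passing through the industrial DMZ, that reach OT directly from an external address (the vendor "just connects in" case above), or that involve a host missing from the inventory. The IP addresses, hostnames, level assignments and rules are all assumptions for illustration.

```python
"""Flag network flows that violate Purdue-model segmentation.

Added example with constructed data; not taken from the keynote or
any vendor. Level numbering follows the common Purdue reference model:
  0   physical process (sensors, actuators)
  1   basic control (PLCs, RTUs)
  2   area supervisory control (HMIs, SCADA servers)
  3   site operations (historians, engineering workstations)
  3.5 industrial DMZ (jump hosts, patch/AV relays)
  4   enterprise IT
  5   external / internet (vendor remote access)
"""
from dataclasses import dataclass

# Constructed inventory: host -> Purdue level. In practice this comes from
# asset discovery; a flow involving a host you cannot place on the model
# is itself a finding, because it means you lack visibility.
INVENTORY = {
    "10.0.0.11": 0,      # temperature sensor on data-center HVAC loop
    "10.0.1.20": 1,      # PLC controlling the chillers
    "10.0.2.30": 2,      # HMI (where the shared "operator" login lives)
    "10.0.3.40": 3,      # historian
    "10.0.35.5": 3.5,    # vendor jump host in the industrial DMZ
    "10.1.0.50": 4,      # enterprise file server
    "203.0.113.7": 5,    # vendor maintenance address (TEST-NET-3, constructed)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reason: str


def level_of(ip):
    """Purdue level for a host, or None if it is not in the inventory."""
    return INVENTORY.get(ip)


def check_flow(flow):
    """Return a Finding if the flow breaks the layered model, else None.

    Rules (assumptions for this example, not a published policy):
      * either endpoint unknown            -> no visibility
      * level 5 talking to anything but 3.5 -> external bypasses the DMZ
      * level >= 4 talking to level <= 3    -> IT/OT boundary crossed
        without a DMZ hop
    """
    src, dst = level_of(flow.src), level_of(flow.dst)
    if src is None or dst is None:
        return Finding(flow, "endpoint not in OT inventory: no visibility")
    lo, hi = min(src, dst), max(src, dst)
    if hi == 5 and lo != 3.5:
        return Finding(flow, "external address bypasses industrial DMZ")
    if hi >= 4 and lo <= 3:
        return Finding(flow, "IT/OT boundary crossed without DMZ hop")
    return None


def audit(flows):
    """Run check_flow over a list of flows and return only the findings."""
    return [f for f in (check_flow(fl) for fl in flows) if f is not None]


# Constructed sample flows; the last three are the ones that should fire.
SAMPLE_FLOWS = [
    Flow("10.0.2.30", "10.0.1.20", 502),    # HMI -> PLC over Modbus: expected
    Flow("10.0.3.40", "10.0.35.5", 443),    # historian -> DMZ relay: expected
    Flow("10.0.35.5", "10.1.0.50", 445),    # DMZ -> enterprise share: expected
    Flow("203.0.113.7", "10.0.35.5", 22),   # vendor -> DMZ jump host: expected
    Flow("203.0.113.7", "10.0.1.20", 502),  # vendor straight to the PLC
    Flow("10.1.0.50", "10.0.2.30", 3389),   # enterprise RDP directly to HMI
    Flow("192.168.9.9", "10.0.1.20", 502),  # unknown host talking to the PLC
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.flow.src} -> {f.flow.dst}:{f.flow.dport}  {f.reason}")
```

Run against a real flow export, the interesting output is usually not the vendor address reaching a PLC but the long tail of hosts that fall under the first rule: equipment nobody inventoried, which is exactly the configuration-tracking gap Furtado describes.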
Stick To What You Need
Resist the temptation to chase shiny new cybersecurity objects, Furtado advised. "We see these vendors are always coming out with this new magic button. How many of us have had the magic button work? … Make sure that we're using the right tooling [for] your overall security governance to fit the needs of [your] [operational technology] environment."
Create The Right Security Policies And Use Free Resources
You don't always have to create new security policies, but you should make sure the ones you have in place are all-encompassing. That means, for example, covering existing vendors and their remote access, Furtado said.
SANS, the professional cybersecurity organization, offers advice on industrial control systems, he said. It offers manuals and guidance on its site.