Let’s say you run an operational environment and you’ve spent years figuring out how to keep your production processes and core, life-enabling systems running at high efficiency and efficacy. But now, your IT group wants to connect your production and control systems to outside networks as part of new “IoT” (Internet of Things) initiatives.
You certainly understand the upside of making the change: better process visibility, potential process downtime reduction, and cost savings on maintenance and field service. But does the IT group understand the challenges that IoT presents in terms of security, worker safety, and operational compliance? Now let’s say you’re in Information Security. What do you need to know about Operations Technology (OT) concerns?
3 Greatest Operations Concerns: Simplicity, Control and Shut Down
Most of the operations folks have been on the shop floor or patient care floor for a long time. They’re adept at maintaining and improving processes but are challenged with keeping up with IoT and digitization, let alone security.
As it is with human nature, they are afraid of losing control—especially to the IT team and the “carpeted” part of the business. This is critical. They know change is coming because of the economics of IoT, but there is a great fear of having to report to the IT team.
A breach shutting a facility down is a real possibility. There is no fine to pay to get you out of this one. Just a few year ago, for example, a German plant that was shut down in late 2014 is still out of service and may be closed permanently.
Both IT and OT have their place leading the charge for aspects of organizational security. We need to address the challenges that Operations Management professionals already know are some of the most difficult aspects of delivering successful industrial IoT projects.
Thus, our top 8 areas for addressing this new(ish) open frontier in security must account for these concerns.
- Assess risks to be in a defensible position and determine what you’re NOT going to do.
A key word to explain strategy is that it means choice…what choices are you going to make and why? According to CIO magazine, the average tenure of a CISO is only 17 months. That’s it! Too often, security leaders attempt to develop technical strategies without strategic business planning by going straight to the tactical aspects of a security program. Risk assessments can relieve (for a while at least) some of the chokepoints of not only how best to enable the IoT security strategy for the organization, but how to best protect its livelihood. Risk assessments align both the defensible strategic choices along with the tactical business case for improving the entire security program—both IT and OT.
- Inventory assets and flow the data.
According to the Ponemon Institute study for 2018, only 9% of respondents say they are fully aware of all the physical objects connected to the Internet. Only 15% of survey respondents have an inventory of most of their IoT applications and 85% cite the lack of centralized control as a reason why it’s so difficult to maintain a full inventory of IoT applications. It is critical to know what you have and where data is flowing—both inside and out of your organization. Having a data flow diagram models the process aspects of a system and visualizes the structured design, providing insights that are much more difficult to get any other way.
- Integrate with people: establish governance and policy.
This topic doesn’t really generate much buzz. However, when you hear from CISOs, their top issues are communication, reporting to executives, and getting people on board with their decisions. When it comes to the operations floor, the people are often critical. According to the Ponemon study, less than half of organizations even say they have a policy in place to disable a risky IoT device within their own organization.
- Stop “things” from going to malicious sites.
Recently, half a billion smart devices being used around the globe were made vulnerable to a decade-old attack called DNS (Domain Name System) rebinding. It’s clear that there is a need for a cloud-delivered network security service that blocks our “things” from going to malicious sites, but also protects against major malware, botnets, and phishing threats regardless of port, protocol, or application. DNS protection defends all devices globally without hardware to install or software to maintain. Not “touching” the device will be a recurring theme.
- Prepare for an event.
Resiliency is the ability to bounce back, much like how white blood cells provide the means for our bodies to bounce back from illness. We’re getting attacked at all times and we must assume there is some compromise at all times as well. Thus, we must be prepared for an event and have an incidence response plan. As an example, we’ve seen a decade-old worm hit a medical device running an old version of Windows XP because it was not able to be patched due to vendor requirements. We also could not take the device offline, because doing so would have shut down the entire radiology department of a hospital. Thus, the incident team had to work with the vendor to manually remove malware and then wait for them to patch.
- Collaborate to align tasks and responsibility with your third parties.
According to the first market guide for data center and third-party hardware maintenance, issued recently by Gartner, there are more than 10 million devices under Third-Party Maintenance (TPM). About half (53%) of companies rely on contractual agreements to mitigate third-party IoT risk, but only a quarter or so of respondents say their onboarding due diligence process actively evaluates the IoT risk of third parties.
What we must realize is the success of an organization’s product or service is now fundamentally intertwined with others. My risk is their risk, and their risk is mine—it’s one in the same. As a result, organizations need to streamline vendor management, and they should also be on the path to assign accountability for monitoring the use and deployment of IoT devices, as well as collaborate with appropriate parties to find successful techniques to manage and mitigate third-party IoT device and application risks.
We had a lengthy blog on the “why” of segmentation. There’s some debate on this within IT networks because of the complexity, but it’s critical for connected industrial and medical devices. We’ve seen that it can reduce cost to maintain, monitor, and protect all of the components by a ration of 3-to-1. Incident identification can go from roughly 100 hours down to 8 hours, and we’ve seen a reduction in the ability to fully compromise from 90% of the time to 15% of the time. These are orders of magnitude in difference. With digital drivers to improve experiences, automate operations, or change business models, there is now a need to manage data, systems, devices, people, and things from all over the globe. Therefore, solutions must also be software-based to be able to effectively make zones or planes across geographies.
- Deceive hackers.
Appearing as the production assets of the environment it is placed in, a deception tool creates a trap out of any type of network, including IoT. The goal is to look identical to the IoT devices on the network, thus decoys appear as production IoT servers. These are great, simple techniques that have no impact to the devices and require no agents on the device to work. By engaging with decoys and not with production devices, the attackers reveal themselves and can be quarantined and studied for detailed forensics. This can be one of the simplest places to start as well.
A couple of other notes: This is not an end-all, be-all list. Certainly, there are other aspects with identity, visibility, etc., that should be considered. Also, we know that with human nature, change only happens if there’s no other choice, but businesses have to architect for change at an accelerating, exponential pace. The sooner you can get a plan, even if not full steam ahead, the better off you’ll be. People will make the effort if they identify and align with the intended outcomes (both personal and business), and thus everything needs relentless communication in this new cross-silo, IT-to-OT model.
Author: Stephen Marchewitz
Stephen has been in the security and risk industry for over 13 years and in IT for over 20 years. He has assisted companies in driving change to ensure clients are successful both in receiving value from products and services as well as managing the security and compliance risks of new projects and technologies. He’s served as an outsourced Chief Information Security Officer for a dozen different companies and consulted to some of the largest companies in the world. Prior to joining TrustedSec, Stephen was the Global Risk Practice Manager in the Digital Transformation Group at Cisco, President and Advisory Practice Lead for a leading information security firm for nine years, a Management Consultant with Ernst & Young, held Technology Management and sales positions with CA and Oracle, and developed new offerings in the insurance industry as an Underwriter and Program Director with Willis Coroon/Chubb in underwriting risk. He is dedicated to helping customers implement the right solutions and services that best meet their business needs, thus allowing them to achieve new levels of success.