Top-Down Security Approach – The Final Stage for OT Protection and Compliance

  • November 22, 2016
  • Feature

By Shmulik Aran, CEO, NextNine

Industrial Control Systems (ICS) are used by manufacturers to control field devices that perform vital operational functions, such as opening and closing valves and breakers, collecting data from sensory systems and monitoring the operational equipment for alarm conditions. These control systems are becoming increasingly connected, enabling managers to make better data-driven decisions in order to improve production efficiency and operational safety. Along with the benefits of an increasingly connected manufacturing infrastructure comes a larger attack surface and a range of cybersecurity vulnerabilities and risks.

While many industrial enterprises have successfully established cybersecurity infrastructure to defend their IT systems and networks, the effort to protect Operational Technology (OT) and ICS systems is significantly different. One example is that IT security focuses on protecting confidentiality, especially of databases storing customer data, source code and so on, while in the industrial sector the focus should be on protecting field assets that are key for production, safety and integrity.

Securing a large industrial operation is a complex task

ICS environments often include thousands of field assets across multiple production facilities. Many field locations are remote and some are not even attended by a human. Moreover, these assets have been installed by multiple vendors over many years and even decades and are using proprietary hardware, software and communication protocols with limited security in mind.

In addition, many manufacturers do not have an integrated policy for protecting their industrial assets, even as OT and IT are becoming increasingly connected. Often, the roles and responsibilities among the plant, operation and control teams, and the corporate security personnel are not well defined.

In order to protect their ICS environments, many industrial enterprises have invested in point security tools. However, despite the incremental benefit that each tool provides, manual processes are still required, and an integrated approach for securing their ICS is still not possible.

A top-down approach for protecting a complex ICS environment

Protecting such a complex environment requires a top-down, integrated approach. "Top-down" means that the corporate operation and control executives should be driving the policies, procedures and technology solutions that secure the entire operational environment. "Integrated" refers to the intersection points among OT and IT, remote plants and head office, and third parties, such as equipment vendors, that must all be considered when choosing the means to enforce policies and execute procedures.

However, as a prerequisite to applying a top-down security strategy, a manufacturer must first obtain complete visibility of its full asset inventory and establish secure connectivity among these operational devices and equipment.

Once this has been achieved, the following are some examples of a top-down, integrated approach for ICS protection that can be applied.

  • A central operation and control team should set clear plant-wide policies for protecting all industrial assets
  • The approach must allow granular policies by plant, asset and user identity, as not all assets and users can or should be treated in the same manner
  • Security policies should be centrally deployed and locally enforced for protecting network segregation
  • Enforcement should be automated and monitored for violations and the central operation and control team must have the ability to tune policies following lessons learned from various activities and events
  • If there is a policy breach, the security system should generate an incident alarm so that a security analyst can investigate the event
  • If an incident occurs, authorized personnel must have the ability to promptly access an asset for incident response
  • Backup and restore procedures should allow recovery from an incident
  • The head office must have the ability to generate reports for risk management and compliance

These recommendations may seem straightforward, but in complex, multisite industrial environments they are clearly easier said than done.

Focus on protecting industrial assets with security essentials

The primary focus of OT security should be shielding the field assets. These are the assets that, if compromised, pose the biggest risk to operational safety, integrity and efficiency.

With this in mind, manufacturers should address the security essentials. This means that the basic security activities should be done correctly, in an automated and repeatable process, across the entire ICS environment.

The following are some security essentials that must be done for every ICS environment.

  • Schedule a process to verify that qualified operating system patches and antivirus signatures are installed, and if not, trigger an automatic synchronization with head office systems, such as Microsoft Windows Server Update Services (WSUS), McAfee ePolicy Orchestrator (ePO) or Symantec Endpoint Protection Manager (SEPM)
  • Schedule the collection of device logs and send them to a centralized Security Information and Event Management (SIEM) system, where these activities can be correlated and alerted on, if necessary
  • Schedule the monitoring of ports, services and applications against the organizational whitelist and blacklist policies
  • Manage remote access authorization, privileges and accountability
  • Generate weekly compliance reports to assure that company and regulatory requirements are being met and determine what fixes are needed
  • Schedule regular scans of IP address ranges and alert on unexpected changes, such as a new device on the list or a device that is not acknowledging its presence
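Two of the essentials above, checking open ports and services against the organizational whitelist and blacklist, and alerting when a scheduled scan shows a new device or a device that has stopped answering, reduce to the same job: compare a scan result with a maintained baseline and raise alerts on the differences. The following Python is an added example, not code from the article or from NextNine; the baseline, the denylist and the nmap grepable (-oG) output it parses are constructed for illustration and are not a real plant or a real scan.

```python
"""Baseline drift check for one ICS subnet.

Added example (not NextNine's product or the article's own code). A scheduled
job would feed it the -oG output of an approved scan and forward the returned
alerts to the SIEM.
"""
import re
from dataclasses import dataclass

# Assumed baseline maintained by the central operation and control team:
# what SHOULD be on the subnet and which TCP ports each asset may listen on.
BASELINE = {
    "10.10.1.10": {"name": "plc-line1", "allowed_ports": {502}},
    "10.10.1.11": {"name": "plc-line2", "allowed_ports": {502}},
    "10.10.1.20": {"name": "hmi-line1", "allowed_ports": {3389, 5900}},
}
# Plant-wide blacklist: services that must never listen on a field asset.
DENYLIST = {23, 445}

# Constructed nmap -oG output for illustration only (not a real scan).
SCAN_OUTPUT = """\
# Nmap 7.91 scan initiated as: nmap -sT -p 22,23,80,445,502,3389,5900 -oG - 10.10.1.0/28
Host: 10.10.1.10 ()\tStatus: Up
Host: 10.10.1.10 ()\tPorts: 502/open/tcp//mbap///, 23/open/tcp//telnet///\tIgnored State: closed (5)
Host: 10.10.1.20 ()\tStatus: Up
Host: 10.10.1.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (6)
Host: 10.10.1.33 ()\tStatus: Up
Host: 10.10.1.33 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (5)
# Nmap done
"""

_OPEN_TCP = re.compile(r"(\d+)/open/tcp")


def parse_grepable(text):
    """Return {ip: set(open TCP ports)} for every host nmap reported as Up."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")          # -oG separates fields with tabs
        ip = fields[0].split()[1]          # "Host: 10.10.1.10 ()" -> "10.10.1.10"
        hosts.setdefault(ip, set())        # a "Status: Up" line registers the host
        for field in fields[1:]:
            if field.startswith("Ports: "):
                hosts[ip].update(int(p) for p in _OPEN_TCP.findall(field))
    return hosts


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" or "medium"
    ip: str
    message: str


def compare(baseline, scan, denylist):
    """Diff a scan against the baseline and return the alerts to raise."""
    alerts = []
    for ip, info in baseline.items():
        if ip not in scan:
            # Known asset did not acknowledge its presence.
            alerts.append(Alert("high", ip, f"{info['name']} not responding"))
            continue
        open_ports = scan[ip]
        for port in sorted(open_ports - info["allowed_ports"]):
            # Outside the per-asset whitelist; blacklisted services are high.
            severity = "high" if port in denylist else "medium"
            alerts.append(Alert(severity, ip, f"unexpected open port {port} on {info['name']}"))
        for port in sorted(info["allowed_ports"] - open_ports):
            # A whitelisted service that should be up is not listening.
            alerts.append(Alert("medium", ip, f"expected port {port} on {info['name']} not open"))
    for ip in sorted(set(scan) - set(baseline)):
        # Device on the subnet that the baseline knows nothing about.
        alerts.append(Alert("high", ip, f"unknown device with open ports {sorted(scan[ip])}"))
    return alerts


def run_check():
    """Run the check on the constructed scan; returns the list of alerts."""
    return compare(BASELINE, parse_grepable(SCAN_OUTPUT), DENYLIST)


if __name__ == "__main__":
    for alert in run_check():
        print(f"[{alert.severity}] {alert.ip}: {alert.message}")
```

On the constructed input the check raises four alerts: telnet listening on plc-line1 (blacklisted), plc-line2 not responding, VNC down on hmi-line1, and an unknown host at 10.10.1.33. Two caveats apply in a real plant: the baseline must be owned and updated by the central team, otherwise every legitimate change becomes noise that erodes the alerts; and active scanning can upset fragile field devices, so the scan itself should be limited to vendor-qualified ports and windows, or replaced by passive discovery where the device population cannot tolerate probes.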

Improved security and compliance posture is the goal

By its nature, and considering the scale of the potential consequences, protecting an industrial environment is a complex task. To manage this complexity and reach an improved security and compliance posture, an industrial enterprise should embrace a top-down integrated approach for deploying, automating and enforcing policies. Those policies should focus on protecting the industrial assets, and their execution should be automated.

A manufacturing enterprise must do the basic things right — those security essentials that if implemented correctly will bring the highest security ROI. Once the essentials are covered, a manufacturer will then be in the position to implement additional and more advanced security measures.

This article is the fourth and final article in a series on OT security management for the manufacturing industry. The first article presented an overview of the OT security challenges faced by manufacturers connecting their IT and OT operations and offered three recommendations for improving the security posture of a connected industrial environment. The second article looked at the importance of network visibility and industrial asset inventory, and the third article analyzed approaches for establishing secure connectivity among industrial assets.

About the Author

Shmulik Aran is the CEO of Nextnine, a provider of security management solutions for connected industrial control system environments.
