OT: A maturing landscape
Security professionals who spoke with TechTarget Editorial generally agreed that OT security is improving overall. But they also generally agreed that an industry-wide lag exists in organizations utilizing operational technology compared to organizations that operate purely in IT.
In addition to the OT security industry being far younger than IT cybersecurity, the machinery and equipment found in OT settings are built to last decades, not years. This — combined with the critical, nonstop processes this equipment often supports — means securing an environment or even patching vulnerabilities can prove extremely complicated.
Joe Marshall, a security researcher for Cisco Talos’ intelligence group, said OT security was improving overall. But the extent of this improvement depended on the industry. Electricity, he said, has seen major improvements, while oil and gas typically has a weaker security vocabulary and a wider range of security postures. Manufacturing was hit or miss. The most mature organizations, he said, “have got strong security fundamentals like segmentation and baseline monitoring.”
Paul Griswold, Honeywell’s chief product officer of connected cybersecurity, similarly said the posture for OT-centric organizations can vary greatly. By his estimate, 15% of organizations are “very advanced” in their security journey. These organizations have implemented the latest OT technologies, have good security programs in place and see close collaboration between the CISO and OT sides of their organization.
The other 85%, he said, are in other stages of their journey.
“I think everyone is at least aware of the problem that OT cybersecurity needs to be more modernized,” Griswold said. “In some cases, you may have a bunch of municipalities that are not super well-funded. They’re not big corporations that have a CISO, security staff and things like that. There may be a bit of an awareness issue there as well, just because they don’t have the staff to fully analyze it. But on the other end of the spectrum, sometimes things slow down because of mistrust between the CISO and the people running the OT systems.”
Nozomi Networks CEO Edgard Capdevielle told TechTarget Editorial last month that another issue large organizations frequently run into is that security personnel don’t have the “budget muscle” to make consistent OT security improvements. This is often due to other forces and financial factors within that organization.
But on the whole, security postures are improving, and the OT security space is maturing. This is in part due to an increasing number of high-profile cyberattacks raising awareness. But other awareness campaigns are taking root at the public and private sector level.
The research nonprofit MITRE Corporation now has a dedicated knowledge base for ICS attack techniques. There has also been a push in recent years from the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) to improve hardening at the organizational level.
In September, for example, CISA and the National Security Agency (NSA) published a joint security alert titled “Control System Defense: Know the Opponent,” dedicated primarily to how threat actors attack ICS/OT systems. It includes common intrusion tactics, how threat actors gain intelligence on target systems, and mitigations. CISA regularly publishes guidance and best practices, and it also hosts the Industrial Control Systems Joint Working Group (ICSJWG) to facilitate information sharing between the private and public sectors.
Capdevielle praised CISA’s role in OT security.
“CISA has been fantastic,” he said. “And I’m not somebody that naturally praises government entities. In addressing the OT security challenge, Nozomi was a founding member of the OT Cyber Coalition, a coalition of various industry participants that got together to make sure that if the government was going to start passing down guidelines that they were going to be guidelines that made sense. CISA not only embraced the coalition, but they created their own [Joint Cyber Defense Collaborative] and made most of the members of the coalition founding members.”
As OT security moves into the future, one emerging trend is a convergence between the IT and OT sides of an organization.