Alliances between vendors in the world of cybersecurity are many, and not all are targeted at addressing the needs of end-users, especially at the OT layer. Alliances that promote the adoption of established standards are even more scarce, which is why the announcement of the Operational Technology Security Alliance (OTCSA) back in October is worth a more detailed look.
The Operational Technology Cyber Security Alliance (OTCSA) is a new, non-commercial industry organization established to develop guidelines for ensuring safe and secure OT in critical infrastructure and industrial automation environments. Amid an increasingly perilous cybersecurity landscape, OTCSA is promoting an open alliance with vendor-agnostic guidelines that enable OT operators to strengthen the security of their organizations throughout the entire lifecycle of their systems.
Providing Actionable Guidance for IEC 62443
The intent of OTCSA is to provide more detailed guidance for building and operating solutions that are compliant with the IEC/ISA 62443 standard. The guidance will address the realms of people, processes, and technologies for OT-level cybersecurity in the form of reference architectures, workflows, responsibilities, and more. One of the ultimate goals of OTCSA is to develop workflow templates for relevant processes and reference configurations for selected combinations of specific products (or standardized interfaces) to support those workflows. ARC believes that OTCSA has good goals, and we agree with the value of providing end-users with a concrete path to compliance with the internationally recognized ISA/IEC 62443 cybersecurity standard.
Current members of the OTCSA include ABB, BlackBerry Cylance, Check Point Software Technologies, Forescout Technologies, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAfence, Splunk Technology, and Wärtsilä.
How to Join
Membership is open to both end-users and suppliers: any company that operates critical infrastructure or general OT systems to run its business (OT operators), as well as companies providing IT and OT solutions (solution providers), with a desire to contribute to OTCSA goals. The organization is particularly looking for new members from the realm of OT operators who can challenge the group to validate the output in terms of usability and who can drive adoption of the output (e.g. by implementing it themselves and by referencing it in their RFPs). OTCSA also wants end-users who can provide suggestions and prioritization on specific cybersecurity topics. On the supplier side, OTCSA is looking for OT security solution providers who can contribute deep expertise and whose portfolio can be part of the reference solutions.
OTCSA currently has three active working groups. One is focusing on the development of the long-term vision and the big picture. The other two are focused on specific topics based on input received from OT operators during the pre-launch phase. These two working groups are called “Visibility, Intelligence and Response” and “Protection of Inherently Vulnerable Devices”; both have generated a first conceptual output that was made available at the launch of the organization.
“Visibility, Intelligence and Response”
The objective of this group is to provide guidance on how to generate and maintain an inventory of assets and communication relationships, and how to use such an inventory to support and drive intelligence and response functions. These functions will include continuously identifying assets that are affected by known vulnerabilities and threats (i.e. identifying a given OT system's exposure), supporting a contextualized risk assessment of that exposure, identifying and selecting appropriate mitigations (given the exposure and operational context), and finally tracking the implementation of the selected mitigations to closure (e.g. using SOAR solutions and playbook templates). The first output focuses primarily on this part.
Further items on the charter include monitoring a given OT system for indicators of compromise and ongoing attacks, including mapping such detected activities to the OT system and its various functions; identifying countermeasures against such ongoing attacks and implementing them; and generating compliance documentation for the relevant requirements from IEC 62443 (and other regulations identified as relevant by the stakeholders).
Protecting Inherently Vulnerable Devices
The objective of this working group is to provide guidance on how to identify “inherently vulnerable devices” and to provide strategies and tactics to protect such devices. An “inherently vulnerable device” is one that is affected by a known vulnerability and cannot be changed to fix the vulnerability. This may be a permanent situation (e.g. because the device vendor has stopped support) or a temporary one (e.g. because implementing a fix would require a shutdown that is not possible for a certain period of time due to operational constraints). The first output focuses on a first small set of baseline protection recommendations and implementation guidance.
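As an added illustration (not OTCSA's or ARC's material), the following Python sketch walks the workflow described in the two working-group sections above: match an asset inventory against known vulnerabilities, weight the result by operational context, classify each exposed device as patchable or inherently vulnerable (permanent or temporary), pick a mitigation, and track items to closure. All asset, product and vulnerability identifiers and the zone weights are constructed placeholders, not real products, advisories or OTCSA values.

```python
# Constructed sample inventory and advisories; ids are placeholders, not real products or CVEs.
ASSETS = [  # zone: 62443-style zone; patch: vendor fix exists; window: device may be taken down
    {"id": "plc-01", "product": "PLC-A", "version": "2.1", "zone": "cell", "patch": True, "window": True},
    {"id": "hmi-03", "product": "HMI-B", "version": "1.0", "zone": "supervisory", "patch": False, "window": True},
    {"id": "drive-07", "product": "Drive-C", "version": "4.2", "zone": "cell", "patch": True, "window": False},
    {"id": "ws-eng", "product": "Drive-C", "version": "4.3", "zone": "enterprise", "patch": True, "window": True},
]
VULNS = [  # affected: version strings; severity: 0-10 base score
    {"id": "VULN-0001", "product": "PLC-A", "affected": {"2.0", "2.1"}, "severity": 9.8},
    {"id": "VULN-0002", "product": "HMI-B", "affected": {"1.0"}, "severity": 7.5},
    {"id": "VULN-0003", "product": "Drive-C", "affected": {"4.2"}, "severity": 6.2},
]
# Operational context (assumed weights): the closer to the physical process, the higher the weight.
ZONE_WEIGHT = {"cell": 1.5, "supervisory": 1.2, "enterprise": 1.0}

def exposure(assets, vulns):
    """Match the inventory against known vulnerabilities, yielding (asset, vuln) pairs."""
    return [(a, v) for a in assets for v in vulns
            if a["product"] == v["product"] and a["version"] in v["affected"]]

def contextual_risk(asset, vuln):
    """Base severity adjusted by the asset's zone, capped at 10."""
    return round(min(10.0, vuln["severity"] * ZONE_WEIGHT[asset["zone"]]), 1)

def classify(asset):
    """'patchable', or inherently vulnerable: 'permanent' (no fix) or 'temporary' (no window)."""
    if not asset["patch"]:
        return "permanent"
    return "patchable" if asset["window"] else "temporary"

MITIGATION = {
    "patchable": "apply vendor fix",
    "temporary": "compensating control now; apply fix at next planned outage",
    "permanent": "compensating control (isolate, monitor); plan replacement",
}

def build_workplan(assets, vulns):
    """Open tracking items, highest contextual risk first, for tracking to closure."""
    items = [{"asset": a["id"], "vuln": v["id"], "risk": contextual_risk(a, v),
              "class": classify(a), "mitigation": MITIGATION[classify(a)], "status": "open"}
             for a, v in exposure(assets, vulns)]
    return sorted(items, key=lambda i: i["risk"], reverse=True)

def close_item(plan, asset_id, vuln_id):
    """Mark one item closed; returns the number still open (-1 if the item is unknown)."""
    for item in plan:
        if item["asset"] == asset_id and item["vuln"] == vuln_id:
            item["status"] = "closed"
            return sum(1 for i in plan if i["status"] == "open")
    return -1
```

The version match here is an exact string comparison; a real inventory would need a version-range parser and vendor-specific normalization before the exposure step is trustworthy.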