Cybersecurity is now at the forefront of all deliberations in a digitally connected world. Once again an entire day at the ARC Industry Forum in Orlando featured cybersecurity workshops. The Owl Cyber Defense workshop was hosted by Product Manager, Phil Won who provided guidelines to create a sustainable operational technology (OT) cybersecurity strategy. This blog summarizes the proceedings and quotes of the workshop. You can watch it here or on YouTube.
Phil’s presentation was divided into three broad sections:
- Defining cybersecurity sustainability – as each one’s interpretation might differ
- Unique cybersecurity sustainability challenges that implementers and technology providers face in the OT environment
- Four key guidelines to sustainable OT cybersecurity
Understanding Cybersecurity Sustainability
Phil said that “cybersecurity sustainability is the ability to maintain cybersecurity at an acceptable level on an ongoing basis. There are ways to address this, but the ability to maintain these efforts is one of the most important factors.” At the outset, a strategy may work well for a few years, but if it’s not properly monitored and maintained the glitches show up when an internal/external audit is conducted.
Besides being “fit for your purpose,” the approach needs to be:
Cybersecurity Sustainability Challenges of the OT Environment
“The lifecycle of equipment used in the OT environment is typically in the range of 10-15 years or much longer,” said Phil. Legacy equipment didn’t have built-in security, but now it has to be factored in through incremental upgrades. Although old equipment might be working well, the security aspect is very important because “it's usually the weakest link that takes an operation down. Typically, legacy equipment doesn't even have the memory or the capability to add additional security features; so security solutions have to be bolted-on,” explained Phil. Also, remote, unmanned, inaccessible systems need to be factored into the overall solutions.
Other important factors to consider:
- Downtimes have to be planned in advance and the solution has to be in place and tested under rigid time constraints.
- Shortage of cybersecurity staff. Operators need to rely on vendors, but vendor support is costly.
- Maturity of security – in terms of product (built-in security or the lack of it) and OT employees on the verge of retirement.
New IT workers may have the IT knowledge but they lack the necessary OT experience; new OT employees lack the specialized security experience to deal with interoperability issues.
“Despite identifying cybersecurity as critical, budgeting always seems to be a challenge. And the skillsets are another major challenge. So you have to work around that and plan,” said Phil. In this context, he referred to the SANS report that mentions trying to work with proprietary solutions using more open standards-based solutions.
Four Key Guidelines for Sustainable OT Cybersecurity
Comparing New Year's resolutions to cybersecurity planning, Phil said that we have good plans and strategies, but we also need the determination to see them through. He offered four guidelines to achieve sustainable OT cybersecurity:
- Know your network: It’s vital to know your starting point and the entire network (some sections might be well protected, others might have gaping holes), or else you will be wasting your money.
- Minimize connections, accesses, and privileges - all these are threat vectors. Segment your network and protect the boundaries of it as well as the specific physical assets.
- Try to reduce the resource burden. Not only in terms of cost but the total cost of ownership including ongoing maintenance fees, breakdowns, downtimes, whether domain expertise is available, etc. Implementing secure remote monitoring and assessment by third parties is essential.
- Look for future-proofing opportunities – i.e. solutions with a longer life-span that don’t require frequent updates.
- Incorporate artificial intelligence and machine learning solutions for total operations.
Owl provides solutions for commercial operations, critical infrastructure, the DoD (department of defense), the Armed Forces, DHS (Department of Homeland Security) and the US government. “We can provide full visibility into your global supply chain,” said Phil.
Summarizing, Phil said that these guidelines should be factored into the organization’s cybersecurity strategy. What is needed is an appropriate, customized, and maintainable solution. “Also, a defense-in-depth or a layered approach is always good so you don't have a single point of failure. And you should have the ability to measure the effectiveness of that solution."