OT Security Guide - Where to start?

Many companies have an increasingly digital production environment. While the focus is always on the potential benefits of digitalization, the impact of security breaches on this newly digitalized production environment is often a concern. Here is a short guide with five measures showing where to start securing your OT environment.

1. Understand your risk to build reasonable mitigation

A first step in implementing security in your OT system is to understand your risks, in particular the business impact of your security threat scenarios. What would happen if an attack succeeded? Without this fundamental outline, it is not possible to start planning mitigations.

Why is that critical: with this assessment, you will be able to steer the remediations to balance your preventive and reactive measures. This will enable you to avoid a common pitfall: trying to implement security measures that do not fit the environment and make no sense to site engineers.

2. Review your network design and implement network segmentation

OT systems are more and more connected to the network, opening an ever bigger attack surface. The first level of security for these devices is to improve their network protection, that is, separating and segmenting the network from the corporate environment down to the production level.
There is a lot of literature on network segmentation: the Purdue model, IEC 62443, micro-segmentation, etc. For any company operating production in a flat network, we recommend not getting lost in a complex model and starting with simple-to-operate segmentation.

Why is that critical: segmentation means dividing the network into small subsets so that it becomes harder for an attacker to pivot in the environment. This is no panacea: the firewalls between these zones can be opened, and attackers might still find a way to get firewall rules opened in order to pivot, but well-implemented segmentation represents a challenging border for attackers to cross.
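A simple way to keep segmentation honest is to check firewall rules against the zone/conduit policy you decided on. The following script is an added example, not BxC's or any vendor's code; the zone address ranges, rule format and sample rules are all constructed, and the policy it assumes is the common one where corporate and production may only talk through a DMZ. It flags allow-rules that bypass the DMZ, including "any"-source rules that silently span several zones.

```python
"""Check firewall allow-rules against a zone/conduit policy (added example)."""
from ipaddress import ip_network
from itertools import product

# Constructed zone map with hypothetical address ranges: corporate IT, an
# industrial DMZ, and the production (control) network.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "production": ip_network("10.30.0.0/16"),
}

# Assumed policy: corporate and production may only talk via the DMZ, never directly.
ALLOWED_CONDUITS = {
    ("corporate", "dmz"), ("dmz", "corporate"),
    ("dmz", "production"), ("production", "dmz"),
}


def zones_of(cidr):
    """Return every zone a rule's address range overlaps (an 'any' rule
    overlaps all of them), or {'unknown'} if it matches no defined zone."""
    net = ip_network(cidr, strict=False)
    hits = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    return hits or {"unknown"}


def audit_rules(rules):
    """Return (rule_id, src_zone, dst_zone) for each allow-rule that creates
    a conduit the policy does not permit. Deny rules are ignored."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for src, dst in product(zones_of(rule["src"]), zones_of(rule["dst"])):
            if src != dst and (src, dst) not in ALLOWED_CONDUITS:
                findings.append((rule["id"], src, dst))
    return sorted(findings)


# Constructed sample ruleset: r3 and r4 both open a direct corporate-to-production path.
SAMPLE_RULES = [
    {"id": "r1", "action": "allow", "src": "10.10.5.12/32", "dst": "10.20.0.10/32", "port": 443},
    {"id": "r2", "action": "allow", "src": "10.20.0.10/32", "dst": "10.30.1.0/24", "port": 502},
    {"id": "r3", "action": "allow", "src": "10.10.0.0/16", "dst": "10.30.0.0/16", "port": 3389},
    {"id": "r4", "action": "allow", "src": "0.0.0.0/0", "dst": "10.30.1.5/32", "port": 22},
    {"id": "r5", "action": "deny", "src": "10.10.0.0/16", "dst": "10.30.0.0/16", "port": 0},
]

if __name__ == "__main__":
    for rule_id, src, dst in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}: {src} -> {dst} bypasses the DMZ conduit")
```

Run it periodically against an export of the real ruleset so that rules "temporarily" opened for a vendor or a troubleshooting session show up before an attacker finds them.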

3. Strengthen user and system authentication

In the OT environment, not only the identity of users but also that of systems can be usurped, all the more so with the rise of IIoT (Industrial Internet of Things). Passwords and access methods are a common weak link. Review your user concepts, identify these weak points, and plan remediation: that might be Multi-Factor Authentication (MFA), biometric authentication, a privileged access management solution, or simply a procedure to avoid password sharing, for example.

Why is that critical: management of identities and their respective authentication is essential in the OT environment. While there is neither a one-size-fits-all nor a must-implement solution, having robust and hardened management of user and system identities is, from BxC's perspective, the next "to do" after network segmentation.

4. Education and socialization

People are the core of a company's strength as well as its core weakness. Not only can we not stress enough the importance of cybersecurity awareness (e.g. don't plug an unknown USB stick into any device, don't hold the door open for unauthorized people, etc.), but the success of a security improvement program strongly depends on the "buy-in" of the production stakeholders. To be well understood, security measures should be socialized early with "early adopters" at the sites. If you are interested in socialization, read our article: OT SECURITY STRATEGY https://www.bxc-consulting.com/blog/ot-security-strategy

Why is that critical: get the "buy-in" of your key stakeholders to ensure that you get the support you need to roll out your security improvements successfully.

5. Don't spend time searching for complex solutions

Don't look for the perfect tool to remediate several of your gaps at once. There are good tools on the market for many common security gaps. Select the most fitting one according to your criteria and spend your time on processes and implementation. Ensure the processes work flawlessly for your production sites.

Why is that critical: in our experience, a well-thought-out architecture of the tools and the process design are the most important success factors. The well-known phrase "a fool with a tool is still a fool" can be rephrased as: "a vulnerable production environment with a security tool is still a vulnerable production environment".

BxC Conclusion

There is no perfect approach to starting the journey into OT security. There is also no end to that journey. While a lot of companies are already on that journey, this article is written as a mere guide to avoid the pitfalls some companies have encountered at an early stage.

What is important: we recommend starting the journey with small and actionable steps.