By Ben Reich, Chief Architect, OTORIO
Cybersecurity posture in general, and Operational Technology (OT) digital security in particular, are important measures of resilience that indicate the operational ability for business continuity.
In a world where threats constantly arise and exposures are identified, organizations must have a clear view of their operational security posture and a feasible action plan to continuously improve it.
Security Posture Assessments (SPA) have become a de-facto standard in the industry. As an important first step, performing effective and efficient periodic SPAs drives maturity and hence, business resilience.
In this blog, we address a fundamental aspect of OT cyber security: the Operational Security Posture. We will review the limitations of current approaches and begin to outline a framework to improve, scale, and streamline OT digital and cyber security posture via assessments, planning, and implementation by utilizing an ongoing risk-based approach.
America’s National Institute of Standards and Technology (NIST) defines security posture as: “the security status of an enterprise’s networks, information, and systems based on information security resources and capabilities in place to manage the defense of the enterprise and to react as the situation changes.”
It’s no surprise that OT digital security assessments need to focus on the posture part of the process. In most cases, the assessment process examines an organization’s business assets without proceeding to identify exposures and security controls like segmentation. Yet when discussing OT, where each asset, or “system” can have a variety of “subsystems” (each with its own IP address and software stack), and where networks often stretch deep into the organization's supply chain, measuring the security posture is no simple task.
Here we will show how using a unified risk model creates a better understanding of an organizations’ readiness to tackle OT digital and cyber security threats. We will use industry-standard metrics combined with proprietary algorithms and deep domain knowledge to lay the groundwork for a simple yet robust risk model and discuss ways it can be used in multiple assessment scenarios. We will expand upon this approach in subsequent blogs and how it impacts business resilience.
Today there is a rapid industry acceleration towards connected production floors. This is especially true for remote operations and supply chain management. However, the reality is that formerly air-gapped industrial environments are becoming far more exposed to digital misconfigurations and malicious cyber actors.
Ongoing assessments of digital security posture in industrial control systems are critical to ensure preparedness for cybersecurity threats and compliance with most OT security standards (e.g., ISA/IEC 62443).
The assessment process accounts for the security measures and potential recovery costs of an organization’s digital assets. This process also includes a list of appropriate preventive measures to reinforce its cybersecurity posture. Together, these assessment components represent an enterprise’s total cost of ownership (‘TCO’) for industrial cybersecurity.
The process must be flexible enough so that security teams can easily mitigate specific vulnerabilities for zero operational disturbance. In addition, an organization-specific policy will influence the security posture assessment by affecting vulnerability scores and determining what business impact it will have upon the enterprise’s assets. This includes assessing factors such as safety, reliability, and confidentiality of trade secrets (SRC).
However, traditional posture assessment usually yields many action items that are difficult to prioritize and implement if they lack context. That is why we have seen the introduction of risk-based approaches to cybersecurity mitigation over the last few years.
Risk-informed approaches scale operational digital security initiatives while reducing the time and cost of short- and long-term TCO. Risk assessment takes into account an organization’s security posture and puts it in context with threats to OT digital security. A cybersecurity threat or a digital misconfiguration is an event or sequence of events that are likely to exploit weak points of an organization’s security posture or generate a potential crash. Thus, risk is a function of both threat and posture.
An important factor in the assessment process is categorizing risk appropriately for different industry verticals. Threat modeling can be different, for example, in the energy industry when compared to an automated factory production line. It can also vary by geography and production processes. Such categorization can take into account the likelihood for specific cyberattack scenarios (based on historical data of attack frequency, for example) and the likelihood of impact based upon exposure and vulnerabilities. This allows organizations to be better prepared to address industry-specific risks.
The IT Cybersecurity industry has long embraced the notion that effective prioritization of action items stemming from a posture assessment depends on calculating a risk indicator. A risk-based approach to prioritization is an iterative process where practitioners must ask themselves: What are the minimal mitigations that will maximize risk reduction for either a specific asset or the entire organization?
Once such minimal mitigations are implemented, the question is repeated to identify others to carry out. This process allows operational and security teams to focus on vulnerabilities, gaps, and exposures that are most likely to be exploited and cause the most damage to the organization. Only by repeatedly performing this loop can business resilience be achieved - and with a limited amount of resources.
Since posture assessment processes do not include ongoing threat monitoring, especially when they are intermittent, practitioners need tools that let them create OT security risk scenarios based upon a “what-if” approach. This type of threat simulation allows the system to model risk in the absence of ongoing monitoring.
Subject matter experts create risk scenarios that can be applied to the organization's process, asset infrastructure, and be contextualized to the business. Apart from allowing assessors to prioritize mitigation, such risk scenarios can also be used to identify network topology and segmentation issues, including attack vectors and OT exposure to the outside world.
A risk-informed approach to OT digital and cybersecurity significantly contributes to business and operational resilience. The process is performed without a need for constant threat monitoring. The end result is a prioritized list of mitigations to perform to decrease the risk of damage to the organization from cybersecurity incidents.
This process includes:
Fortunately, much of this SPA can be streamlined and automated. This helps reduce the inconsistencies of manually evaluating and producing assessments at scale, with minimal costs.
This piece is the first in a series of OTORIO blog posts that examine significant developments impacting OT industrial cyber and digital security. Upcoming posts (see Appendix below) will address issues like vulnerability management and scoring, business impact analysis, threat modeling, and attack graphs.