IT/OT Convergence
Summer Edition
Contents
Nine reasons why ICS/OT infrastructure is insecure
Nine reasons why ICS/OT infrastructure is insecure
In the past, ICS/OT systems were not connected to the internet; OT security was limited to safeguarding the physical infrastructure with well-known controls such as security guards, biometrics and fences. Now, for ease of operation, ICS/OT infrastructure is being connected to the internet, or is in the process of being connected. This transformation exposes it to vulnerabilities that physical controls alone cannot mitigate. A vulnerable infrastructure invites destructive attacks with potentially huge financial, environmental and/or health consequences.
1. Outdated operating systems: End-of-life operating systems that no longer receive security updates from the original equipment manufacturer (OEM) are highly vulnerable. They carry the most critical classes of vulnerability (e.g., remote code execution), often with public exploits that require little skill to use.
3. Implementation of inaccurate or cost-cutting security levels: The level of security needed varies with the ICS/OT infrastructure and is clearly defined in the ISA/IEC 62443 series of standards. Many times, inaccurate selection of security levels, or cost cutting, exposes the system or indirectly opens back doors.
4. Insecure passwords: For easy access to networks, operators have been using weak passwords, which makes it easy for attackers to gain access. Even when operators are forced to use strong passwords, they make another mistake: reusing the same password for all access points, so that one cracked or leaked password opens every system.
(SIEM), intrusion detection system (IDS), centralized antivirus (AV), patch management (PM), etc. In such cases, an overly complex firewall rule table becomes very difficult to manage and turns into an access point for an attacker. To reduce this risk, follow two rules of thumb: first, do not allow any inbound traffic unless it is essential for operations, and second, keep firewall rules simple enough that anyone can understand them.
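As an added example (not part of the original article), the two rules of thumb can be checked mechanically. The Python below lints a constructed IT-to-OT perimeter rule table: it requires a default-deny policy, flags inbound allows that are broad (any source, protocol or port) or lack a recorded operational justification, and reports rules that can never match because an earlier, broader rule shadows them, which is the usual symptom of a table that has grown too complex to understand. The rule format and the sample rules are assumptions for illustration, not any firewall vendor's syntax.

```python
"""Lint an IT/OT perimeter firewall rule table against two rules of thumb:
allow no inbound traffic that is not justified, and keep the table simple
enough that every rule can actually match (no shadowed rules).
Rule format and sample data are constructed for this example."""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    direction: str           # "inbound" = IT zone -> OT zone, "outbound" = OT -> IT
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    proto: str               # "tcp", "udp" or "any"
    dport: str               # destination port or "any"
    justification: str = ""  # why operations needs this hole


def covers(outer: str, inner: str) -> bool:
    """True if the match field 'outer' includes everything 'inner' matches."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    try:   # CIDR fields: containment test
        return ipaddress.ip_network(inner, strict=False).subnet_of(
            ipaddress.ip_network(outer, strict=False))
    except ValueError:   # port and protocol fields: literal comparison
        return outer == inner


def shadows(earlier: Rule, later: Rule) -> bool:
    """'later' can never match if an earlier rule matches a superset of its traffic."""
    return earlier.direction == later.direction and all(
        covers(getattr(earlier, f), getattr(later, f))
        for f in ("src", "dst", "proto", "dport"))


def lint(rules: list, default_policy: str) -> list:
    findings = []
    if default_policy != "deny":
        findings.append(f"default policy must be deny, not {default_policy}")
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.direction == "inbound":
            if ANY in (rule.src, rule.proto, rule.dport):
                findings.append(f"{rule.name}: broad inbound allow "
                                f"(src={rule.src} proto={rule.proto} dport={rule.dport})")
            if not rule.justification:
                findings.append(f"{rule.name}: inbound allow with no operational justification")
        for earlier in rules[:i]:
            if shadows(earlier, rule):
                findings.append(f"{rule.name}: never matches, shadowed by {earlier.name}")
                break
    return findings


# Constructed sample: an IT/OT boundary firewall with a default-deny policy.
SAMPLE_POLICY = "deny"
SAMPLE_RULES = [
    Rule("hist-replication", "allow", "inbound", "10.1.20.0/24", "10.2.5.10/32",
         "tcp", "5432", "IT historian replicates from the OT historian"),
    Rule("vendor-rdp", "allow", "inbound", ANY, "10.2.0.0/16", "tcp", "3389"),
    Rule("eng-to-plc-modbus", "allow", "inbound", "10.1.30.5/32", "10.2.10.0/24",
         "tcp", "502", "engineering workstation programs the PLCs"),
    # Intended to keep RDP away from the PLC subnet, but vendor-rdp above already
    # allowed it for the whole OT range: this deny can never fire.
    Rule("deny-rdp-to-plc", "deny", "inbound", ANY, "10.2.10.0/24", "tcp", "3389"),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES, SAMPLE_POLICY):
        print(finding)
```

Run against the sample table it reports three findings: the any-source RDP allow, its missing justification, and the deny beneath it that can never take effect. A deny shadowed by an earlier broad allow is exactly the kind of mistake a long rule table hides from the person maintaining it.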
8. Lack of security products designed for OT: As we all know, most cybersecurity solutions on the market were designed for IT security. They are now being retrofitted for OT, so they either create system performance issues or need regular patch updates that directly impact operations. Some cybersecurity solutions are good enough to satisfy compliance but cannot provide the level of security that IT infrastructure enjoys. For example, products rarely build an accurate inventory database for OT, and security patch installation is still a headache in OT environments. Malware protection solutions, too, still cause performance problems in many use cases.
9. The mindset of OT customers: Many OT customers believe their systems and infrastructure sit in an isolated zone, either because they have never needed to connect to the internet or because they only do so occasionally. This mindset needs to change: cyberattacks can arrive by any means and at any time (e.g., Stuxnet, which reached air-gapped systems via removable media).
Ritesh Srivastava
Proficy CSense: Predict Product Quality
In this demonstration we'll see how a process engineer can create a machine learning model to predict product quality, helping to reduce laboratory testing, using Proficy CSense. You will see how to feed the optimal data into the CSense Architect, where the model is created, and then publish it to an external system such as a SCADA or a DCS to improve quality and save cost.
Machine Learning and Predictive Analytics for Engineers
Leverage Domain Expertise to Drive Optimization – Without Needing a Data Scientist
...and predictive analytics. Not only can industrial organizations capitalize on the IoT opportunity, optimize operations and generate greater profitability, but engaging in the latest technologies also helps to attract and retain the best talent.
2. Monitoring – early warnings reduce downtime and waste
Figure 1: Process engineers can align domain expertise to five capabilities.
Additionally, while today's software features enhanced ease of use and no-code implementation extensible with Python, process engineers can still lean on product experts in combination with their own domain expertise to mine data and leverage analytics to improve operations.
Another example involves applying a smart predict project at a pulp and paper manufacturer to predict Critical to Quality (CTQ) KPIs, improving productivity and eliminating wastewater regulatory issues. As a final example, a partner in mining delivered an Advanced Process Control solution that increases throughput by 10% using smart optimization technology.
Predict Product Quality with Analytics
See how a process engineer can create a machine learning
model to predict product quality that will help reduce
laboratory testing.
Nowadays, loop controllers are available as standalone devices called single loop controllers, but the most common form is a piece of code that resides in a PLC (programmable logic controller) or a DCS (distributed control system). This makes it easier to combine them into advanced control schemes such as cascade, feed-forward or split-range control, as required for the complex control of food and beverage, chemical, oil and gas operations, and more.
The complexity of the process is obviously one of the criteria. Heat jacketed devices such as kettles, dryers, reactors or pasteurization units can be hard to control. Using steam, the heat transfer is not uniform, which might result in an overshoot during uptimes, making the control loops difficult to tune. Note that this is less prevalent using water. Traditional cascaded loops will only solve part of the problem. An advanced analytics system such as GE Digital's Proficy CSense can help by looking at historical data to create a model of the actual profile and recommend new settings accordingly. The model will take into account the change of parameters such as viscosity and steam pressure which affect the heat transfer coefficient and the flow pattern.
Figure 4: An advanced analytics system can solve problems by looking at historical data – including from multiple sources – to create a model of the actual profile and recommend new settings accordingly.
Two apparently similar machines might require different settings because they are equipped with sensors that react to change in slightly different ways. This might be because they use different technologies – a glass vessel vs a steel vessel, which by nature have different inertia – or simply because their characteristics vary over time: aging valves, deviating sensors, etc.
Loop tuning therefore doesn't happen once. It must take place on a regular basis if done manually, and be customized for each asset. Another option is real-time monitoring using AI and machine learning. Analytics make use of a suite of components to determine and understand the causes of process deviation in industrial environments. Engineers and data scientists can analyze, monitor, predict, simulate, optimize and control set points in real time.
Bad sensor data can mean lost product, downtime, compliance issues and safety risks, as well as a dirty data foundation for digital transformation and continuous improvement programs. Industrial organizations need good data that can be leveraged for operations, ad hoc analysis and enterprise analytics.
Over time, sensors tend to deviate, impacting processes and operations. But it's time consuming – and impossible for most organizations – to manually determine if and why sensors are working or failing, ahead of increasing risk.
...analytics to monitor sensor health, engineers can:
Figure: Sensor health, leveraging predictive analytics and machine learning.
• Reduce downtime: Sensors are often used to provide indications that equipment is running correctly. Incorrect readings can lead to equipment failure or damage. Early detection of a sensor that is no longer giving accurate or consistent results can provide advance warning that enables maintenance to replace or recalibrate the sensor before the worst happens.
• Improve product quality and compliance: Sensors are often used for measuring the results of a product or to ensure the ambient surroundings of a process are within specification. If the sensors used to measure the product or environment are not accurate or functioning correctly, the product can end up out of specification. Providing early warnings can reduce costs related to product recalls or scrapped product.
1. Make sure that "predictive analytics" isn't a buzzword hiding risky, unproven software and inexperienced "experts."
For example, GE Digital has offered and implemented analytics solutions for more than 15 years, serving industrial organizations around the world across a diverse set of industries.
Work with a partner that you can trust and know will support you for the long term.
Additionally, to support the full IoT value journey, look for capabilities ranging from simple calculations to predictive machine-learning models to real-time optimization and advanced-control algorithms.
3. Be sure that the analytics package enables engineers to rapidly develop analytic solutions, supporting improvements in production throughput, yield, quality and efficiency with significant margins.
4. Confirm that the analytics package can speed deployment with templates for greater efficiency.
...expert knowledge and best practices into high-value analytic templates for rapid enterprise-wide deployment.
5. Focus on analytics solutions developed with engineers – not just data scientists – in mind.
With an analytics package that is accessible to engineers, teams can create a Process Digital Twin for smarter operations.
Over time, engineers can go from small projects to pilots to multi-plant optimization with deep application of analytics. Engineers' deep domain expertise provides a foundation for modelling processes and developing the analytics that are game changers in very specific applications. The combination of applied analytics technology with those Process Twin models uncovers hidden opportunities for improvement over and over again.
If you're ready to optimize with analytics, GE Digital's Proficy CSense turns raw data into real-time value with a Process Digital Twin. The software uses AI and machine learning to enable process engineers to combine data across industrial data sources and rapidly identify problems, discover root causes and automate actions to continuously improve quality, utilization, productivity and delivery of production operations.
Requiring SBOMs and their impact on OT
The concept and benefits of a software bill of materials (SBOM) are simple to understand: an SBOM is a list of all the software in an application or cyber asset.
Vendors need to create and maintain an SBOM to have any chance of credibly supporting their product over time. Many vendors have an SBOM, and some of those vendors actually track and update the software in it. The updates can address security vulnerabilities, but also fix non-security bugs and keep the software components on a supported version.
Asset owners need an SBOM as part of their asset inventory to know whether a vulnerability affects their system. The CODESYS runtime vulnerabilities are one of my favorite examples. This runtime is used in hundreds of different models of programmable logic controllers (PLCs), but when ICS-CERT publishes a vulnerability advisory on CODESYS it does not list the PLCs that rely on the CODESYS runtime as affected products.
A tiny percentage of those PLC vendors update CODESYS in their build and put out an advisory. Almost all PLC vendors don't update the CODESYS component, because that requires resources to develop and test, and they don't notify their customers. The same is true of industrial control system (ICS) protocol stacks, as well as common libraries used in operational technology (OT) and information technology (IT).
The hope is that the U.S. National Telecommunications and Information Administration (NTIA) led effort to promote a common SBOM format, facilitate SBOM proof of concept projects in various sectors and generally educate stakeholders on the need for and use of SBOMs is gaining traction. There are whispers that SBOMs will be part of the Biden administration's efforts to deal with supply chain security issues.
Much like the discussion at the S4x20 panel led by NTIA's Allan Friedman, the real question is what asset owners will do if SBOMs exist for OT systems.
The same is likely to be true when SBOMs are introduced for OT applications and devices. An attacker with access to an SBOM will know whether a PLC uses a vulnerable CODESYS runtime or a compromised distributed network protocol 3 (DNP3) stack. It is fair to characterize the OT environment generally as infrequently and unevenly patched for known software components, while admitting that some sectors and some individual asset owners do better.
Once SBOMs for OT are created and distributed, it is likely to be a step backward for OT cyber risk. There will be more risk because attackers will have information on more ways to attack deployed systems, and attacks on unpatched vulnerabilities will likely be around for years unless you expect OT patching trends to change dramatically.
...umented features and functions rather than bother "hacking" once inside the OT security perimeter. Of course, this again points out the need to deploy the increasingly available secure PLCs with signed firmware and support for secure ICS protocols.
The SBOMs for the approximately 10% or less of the attack surface that either forms the security perimeter or is directly accessible through the security perimeter are extremely important. If the defenders don't patch or otherwise address this faster than attackers can leverage the information, which is likely, it will be a step backward.
This does not mean the SBOM effort should not go forward. SBOMs are needed by those asset owners with the maturity and resources to use them; they should not be held hostage by those who choose to invest less in OT cybersecurity. Still, we need to set expectations that SBOMs are unlikely to lower risk in at least the first 1-2 years they are available, and are in fact likely to increase risk.
My prediction is that vendors will step into this issue and offer a service that will help:
• Tell both vendors and asset owners when a new vulnerability affects an SBOM
In the OT world, companies such as aDolus and Finite State offer products and services to create SBOMs and identify vulnerabilities in the SBOM software components. (Note that the analysis these companies do goes beyond creating and evaluating the SBOM.) Others are sure to join as the supply chain and SBOMs get more attention. But who pays for what? Three of the many possible business models include:
1. Vendor pays for SBOM service: The vendor integrates the SBOM service into its security development lifecycle (SDL). The vendor can buy a license so that approved asset owners can access the SBOM service. The SBOM service would provide an SBOM for each build and information on all known vulnerabilities in the SBOM. This model would work best for vendors that deliver a whole system such as Emerson Ovation or Honeywell Experion.
2. Asset owner pays for SBOM service: Today, most vendors are not providing SBOMs. If an asset owner wants an SBOM, they would have to provide the product and pay to have the SBOM created, maintained and monitored for vulnerabilities. The SBOM service vendor may agree to add it to their library at no cost in exchange for future annual recurring revenue. Even if the product vendor agreed to supply the asset so the SBOM service could create the SBOM, the vendor may not be willing to fund the SBOM service for a large and unknown set of end users. This would be
more likely in cases where the vendor does not know who gets their product because it is sold and deployed by integrators.
3. Hybrid model where vendor and asset owner pay for the SBOM service: There are likely many combinations of the two models above.
One of the challenges for this SBOM service business is that asset owners regularly modify the standard install of their cyber assets. This is often done for legitimate project reasons, and it also occurs due to poor change control. When we go in and audit systems, it's not unusual to see a common cyber asset, such as a human-machine interface (HMI)/operator station, with different software installed on different computers. This can be different versions of the same software, or additional software that got installed on only some of the operator stations. The SBOM service business is not going to be able to help with this.
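As an added example (this is not Dale Peterson's code nor any SBOM vendor's), the Python below shows the two mechanics described above: matching an advisory that names only a component, such as a CODESYS runtime or a DNP3 stack, against a PLC's SBOM, and comparing a vendor's declared SBOM for an HMI against what an audit actually finds on each operator station. The component names echo the article, but every identifier, version, advisory and station inventory is constructed for illustration, and the version comparison is a simple dotted-numeric one.

```python
"""Match an SBOM against an advisory feed by component rather than by product
name, and report drift between a vendor's declared SBOM and what is actually
installed on each station. All identifiers, versions and advisories below are
constructed for this example; they are not real products or CVEs."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None = no fix yet


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; enough for the constructed data here."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    ver = parse_version(version)
    if ver < parse_version(adv.introduced):
        return False
    return adv.fixed is None or ver < parse_version(adv.fixed)


def affected_components(sbom: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """sbom maps component name -> version. Returns (advisory, component, version) hits.
    The PLC itself is never named in the advisory; the match is on the embedded component."""
    return [(adv.advisory_id, adv.component, sbom[adv.component])
            for adv in advisories
            if adv.component in sbom and is_affected(sbom[adv.component], adv)]


def drift(declared: Dict[str, str], observed: Dict[str, str]) -> Dict[str, list]:
    """What an audited station has that the vendor SBOM does not, and vice versa."""
    common = declared.keys() & observed.keys()
    return {
        "added": sorted(observed.keys() - declared.keys()),
        "missing": sorted(declared.keys() - observed.keys()),
        "changed": sorted((c, declared[c], observed[c]) for c in common if declared[c] != observed[c]),
    }


def assess_fleet(declared, observed_by_host, advisories):
    """Per station: drift from the declared SBOM, and advisories matched against
    what is really installed rather than against the vendor's SBOM."""
    return {host: {"drift": drift(declared, inv),
                   "affected": affected_components(inv, advisories)}
            for host, inv in observed_by_host.items()}


# Constructed advisory feed keyed by component, the way runtime advisories are.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "codesys-control-runtime", "3.5.0.0", "3.5.16.0"),
    Advisory("ADV-EXAMPLE-002", "dnp3-stack", "1.0.0", "1.2.0"),
    Advisory("ADV-EXAMPLE-003", "vnc-server", "5.0", "5.1"),
]
# Constructed SBOM for a hypothetical PLC firmware that embeds a CODESYS runtime.
PLC_SBOM = {"codesys-control-runtime": "3.5.15.0", "dnp3-stack": "1.2.0", "rtos-kernel": "4.1"}
# Constructed HMI: the vendor's declared SBOM, and what two operator stations actually run.
HMI_DECLARED = {"hmi-runtime": "7.1", "pdf-viewer": "9.0", "vnc-server": "5.2"}
HMI_OBSERVED = {
    "opstation-a": {"hmi-runtime": "7.1", "pdf-viewer": "9.0", "vnc-server": "5.2"},
    "opstation-b": {"hmi-runtime": "7.1", "vnc-server": "5.0", "remote-support-agent": "2.0"},
}

if __name__ == "__main__":
    print("PLC:", affected_components(PLC_SBOM, ADVISORIES))
    print("HMI per declared SBOM:", affected_components(HMI_DECLARED, ADVISORIES))
    for host, result in assess_fleet(HMI_DECLARED, HMI_OBSERVED, ADVISORIES).items():
        print(host, result)
```

Against the constructed data the PLC is flagged through its embedded runtime even though no advisory names the PLC, and the HMI looks clean when assessed from the vendor's SBOM alone; only assessing the observed inventory reveals that one station has drifted to an older VNC server that the advisory feed does cover. That is the gap the SBOM service cannot close by itself, and why the SBOM has to feed the vulnerability management side of the asset inventory.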
One last thought: the SBOM service will need to communicate with the vulnerability management portion of the asset management solution. This integration will be key. Either the SBOM service feeds into the vulnerability management module, or the SBOM service becomes the vulnerability management module and communicates with the asset inventory module.
Dale Peterson
Dale Peterson is the founder, chief executive and head catalyst of industry security
provider Digital Bond.
Proven Deployments That Strengthen Your OT Cybersecurity Posture
Join OPSWAT Senior Product Manager Matt Wiseman and cybersecurity expert Pete Lund as they share proven OT cybersecurity deployments that can strengthen your overall cybersecurity posture and advance your cybersecurity maturity. Discover what steps you can take, no matter where you are in your cybersecurity journey, to level up your protection.
How the Energy Sector Can Power-Up Portable Media Security
The energy sector frequently reports some of the highest rates of cyber incidents because of its critical nature, with portable media presenting security challenges on multiple fronts. From Operational Technology (OT) and Information Technology (IT) isolation to compliance regulations, the energy sector needs to effectively address these challenges and the subsequent threats, or face the risk of a cyberattack that could incapacitate every other industry.
A Divergence of Technology
Most of the energy sector is in the process of undertaking IT/OT convergence projects. Industrial control systems (ICS), SCADA systems and programmable logic controllers (PLCs) all incorporate elements of IT, which means they need to be managed and protected just like an IT asset. Most OT environments are deployed on air-gapped networks or behind demilitarized zones (DMZ) to harden the security of ICS, but this approach introduces its own challenges. Organizations may struggle to update anti-virus engines, patch systems, monitor and log system events, and otherwise manage isolated systems and devices. In practice these gaps are filled with portable media, such as USB and external drives, which then become an attack path into the isolated network.
Compliance Regulations
The North American Electric Reliability Corporation (NERC) requires all bulk electric system (BES) entities to comply with its Critical Infrastructure Protection (CIP) standards. NERC CIP spans a dozen standards, from CIP-003-7, which covers transient cyber assets and removable media, to CIP-010-4, which sets requirements for managing, authorizing and mitigating the risk of transient cyber assets and preventing the propagation of malware into operational systems.
Taking IT/OT convergence from theory into practice
These groups are siloed, working with minimal communication, which creates political and cultural indifference toward each other. The key is defining and aligning the needs of OT, the revenue-generating side of the business, by collaborating and creating seamless communication and transparency. OT, with the assistance of IT, will need to lead the way out of the OT cybersecurity wilderness to create a more seamless and secure plant floor.
A one-size-fits-all solution doesn't exist. IT and OT departments don't operate the same way, and they shouldn't. However, to improve how IT and OT departments function together, it's essential to encourage deeper conversations and collaboration between the disciplines to help bridge the gap.
...digital security, a combined perspective with well-rounded expertise will benefit the business and begin to move the needle toward convergence.
When IT and OT work together, businesses gain a comprehensive view of their operations that helps identify security risks and vulnerabilities. This visibility is crucial, as key manufacturing industries continue to be targets for cyberattacks and ransomware due to issues ranging from software misconfigurations to unknown assets on the plant floor. Being proactive with cross-discipline collaboration creates an opportunity to get safer sooner, rather than waiting until it's too late, which can result in lost data, costly downtime and physical safety hazards.
Figure: OPSWAT reference deployment by level. 5 Enterprise (MetaAccess OT); 4 Operational Monitoring with an IT-OT DMZ (MetaDefender Kiosk for removable media, hardened OPSWAT NetWall servers); 3 Operations (MetaDefender Vault, MetaDefender Kiosk Desktop and MetaDefender Drive for media validation on engineering workstations and transient devices, OPSWAT Neuralyzer); 2 Process (MetaAccess OT Gateway, MetaDefender USB Firewall on the HMI, Central Management); ICS DMZ (OPSWAT OTfuse, DIN-rail); 1/0 Edge (PLCs, RTUs and field devices).
...ments can be made to internal communications and ownership of security across the organization. This ultimately can help with convergence by breaking down the silos that have historically kept the departments separate.
Additionally, a tabletop exercise can help eliminate the "not invented here" syndrome often found in business. You'll commonly see this when a preference exists for an established approach or way of doing things, even when it may not be the best approach across every department within the business.
Businesses may see the need to standardize their practices, but if a company has a large number of plants, it can be challenging to create a plan that works for everyone. Each plant may have different equipment and a separate management team, so a standard approach may not be practical for all of them. An open dialogue about plant-specific solutions can resolve this.
IT/OT convergence better prepares businesses for the continuously evolving manufacturing landscape. By prioritizing convergence and a strong digital safety and security posture, businesses can get ahead of the curve and be ready to take advantage of new developments in manufacturing as they emerge.
As Industry 5.0 and the Internet of Things (IoT) continue to evolve and shape the manufacturing space, IT and OT must prioritize working together. By working as equal partners and leveling the playing field, they can improve processes, increase operational efficiency and achieve well-defined metrics that are in alignment. They may also uncover security issues that previously went undetected. By keeping an open mind about IT/OT convergence and making it a priority, businesses can effectively position themselves for greater digital and cyber safety and security.
Dino Busalachi
Dino Busalachi is chief technology officer for Velta Technology, a provider of Digital Safety as a Service (DSaaS). Velta Technology helps organizations grow awareness of their OT and IoT/IIoT networks by detecting cyber threats and risks and securing critical infrastructure across all assets, while also improving process integrity through implementation of the NIST Cybersecurity Framework functions – Identify, Protect, Detect, Respond and Recover.
Good cybersecurity requires IT/OT convergence
When an organization does not take advantage of potential synergies between information technology (IT) and operational technology (OT), it might be leaving plant floor systems open to attack. In many organizations, the lines of communication between these two groups are nonexistent or strained, with each side ignoring the other or treating it as an obstacle to work around. Bridging this gap can improve performance on the floor and reduce risks to operations. A systems integrator is a natural facilitator to help make that happen (see Figure 1).
IT/OT disconnect
This disconnect between IT and OT can arise for multiple reasons: lack of communication, lack of trust between members of the two groups, or even a feeling of turf protection. Other factors that widen the separation are different technology maturities, technical skill gaps and the use of different toolsets and hardware. A few examples where disconnects between IT and OT organizations can occur include:
• Response time and uptime requirements for systems in their respective areas
The system integrator lives in both camps. They can speak the language, make the introductions, find or be the go-between, and facilitate co-participation in several activities:
Network and infrastructure design: The plant network creates natural touch points between IT and OT groups and is another area where these teams should and need to work together (see Figure 3). This is obvious for shared infrastructure such as firewalls and interconnections between networks. It may be less obvious when designing remote access techniques, authentication methods and encryption strategies, among other topics. These are areas where technology more familiar to IT teams can be used to improve the security and resiliency of OT systems and assets. Recently, at a cogeneration plant, the operations team was seeking to replace an existing balance of plant (BOP) plant-floor network with a modern solution. A suitable programmable logic controller (PLC) OEM ring topology was designed by the integrator, but reusing only a single existing upstream connection. Bringing IT into the process allowed them to suggest a design using existing virtual local area networks (VLANs) and resilient paths to two separate areas that integrated into their own resiliency architecture. In this case, successful collaboration between the teams brought the design above the original requirements.
Response planning: Incident response is a great area for discussion about shared
responsibilities and planning, especially with the recent examples of ransomware shut-
ting down operations. Even if the ransomware does not impact the operations net-
works, there may be actions that need to be taken to isolate the operations networks
or even shut them down. The response to an incident is likely to be an “all-hands-on-
deck” event, so planning the roles, responsibilities and potential actions in advance
as a shared team can be a great way for all participants to understand how their part
impacts the whole. We are doing this with a large steel manufacturer, bringing IT and
OT experts together to improve the incident response and disaster recovery response
to a potential ransomware attack.
Risk assessment: Most in the OT space are starting to recognize that control systems are no longer off the grid from threats such as malicious programs and unauthorized access. When assessing OT cyber maturity, it is useful to involve IT for several reasons. IT organizations often have more experience with tools such as NIST's Cybersecurity Framework and can help in adapting those tools to the OT space while keeping the criteria and basis for risk tolerance consistent between groups (see Figure 4). When comparing and presenting assessment results to executives, companies want to make sure the discussion stays focused on what areas need improvement. Nothing could be more confusing to senior executives than presenting two assessments that look nothing alike in terms of results yet represent the same company. Finally, having IT and OT resources assess each other's scope should result in significant learning for both groups.
Figure 4: The Cybersecurity Framework can be used as a basis for evaluating OT and IT assets. Courtesy: Applied Control Engineering Inc.
Cybersecurity testing: Perhaps the best way to help integrate these teams is during
acceptance testing of the control systems, especially the testing of the cybersecuri-
ty requirements. This activity should give the IT team a chance to review what those
requirements are and how to test them using tools they may be very familiar with —
Wireshark, Nessus or even the discovery and penetration tools they choose to bring,
which may be new or unfamiliar to those on the OT side.
Looking ahead
These represent some of the opportunities for tasks and projects that will help build understanding between the IT and OT organizations. There is so much knowledge each group could take from the other, and if they work together, the solutions they deliver will lead to more productivity and better security for critical systems. A system integrator is a key resource for helping bridge the gap and providing a space in which the two groups can develop a long-term relationship.
Dirk Sweigart
Dirk Sweigart is the MES solutions manager at Applied Control Engineering Inc. (ACE).
He is responsible for the development and execution of manufacturing execution system
(MES) projects for ACE. He also consults on information security (CISSP) for ACE clients.
He is an experienced IT and systems project manager (PMP) with more than 35 years of
experience planning and leading projects that develop manufacturing and business systems,
lab automation, supervisory control and data acquisition (SCADA), MES and process
control systems with many diverse manufacturing processes. Sweigart is a member
of MESA (Cybersecurity Working Group), and a senior member of ISA.
Attack surface management: Six steps for success in OT/ICS
Over the past two to three years, enterprises have realized the critical importance
of attack surface management (ASM) to identify, prioritize and minimize the
potential threat vectors in their environment. Besides the general growth in attacker
activity, the largest driver of this need is that organizations' attack surfaces have
expanded so much in the past five years or so. And those "surfaces" are often unmapped
and unknown — sort of like the "unknown" parts of the world prior to the Western
explorers' "discoveries."
Cloud and software-as-a-service (SaaS) were the initial obvious causes of attack surface
expansion — and were what drove the initial push to manage these unknown dominions.
Most attack surface management tools and approaches do not understand the technical
complexities and operational requirements of OT systems. But there is a way to conduct
ASM in OT effectively and efficiently.
3. Context: This adds an overlay of criticality, usage, owners, etc. to create a risk
profile of the asset as it relates to an attacker's perspective.
above information. The eventual result is a risk score that takes into account the
various elements to prioritize actions.
6. Maintenance: Perhaps the hardest part of the entire process is the ongoing updating
and regular reviewing of threat vectors to identify new risks and continually update
current risks based on the remediation actions taken and new vulnerabilities identified.
In OT, the first challenge is just getting an accurate "map" of the attack surface. The
traditional approach of manual inventories, or inventories built passively from a network
SPAN port, just does not provide an accurate "map of the world," so to speak. It misses
assets, incorrectly identifies vulnerabilities and leaves an organization with no ability to
take remediating actions immediately. Further, much OT threat detection creates huge
volumes of alerts with little specific attack-surface insight with which to prioritize those alerts.
Remediation is challenging because of the age of many systems and the inability to
update them, which requires a more holistic approach to the remediation actions. Finally,
most organizations do not have a true "enterprise" view of their OT surface; the information
is often stuck at the plant level, which makes resourcing and prioritization very challenging.
Recent attacks focused on IT that crossed over into OT systems are an example of
this lack of true visibility. Ransomware is now the No. 1 concern of OT security practitioners,
according to the 2021 SANS survey — it wasn't in the top five two years ago.
That threat vector — coming through the information technology (IT) side and bridging
into OT — is part of a company's attack surface that is often not seen completely.
Once through that connection, the attack surface within the OT environment usually
has many "dark spots" where light doesn't shine.
Mandiant's research shows that 99% of all attacks start with and leverage the IT-type
infrastructure that sits between IT and OT. These connections are often not well understood.
In our own research, Verve finds misconfigured firewalls, dual-NIC hosts bridging networks,
and individual programmable logic controllers (PLCs) and other devices connected directly
to the corporate network in almost every plant we assess. That part of the surface is rarely
in view.
Succeeding in OT ASM
Attack surface management is possible in OT, but it requires a fundamentally different
approach than most organizations or ASM providers take today. There are six key steps
to getting this right:
On the IT side of the house, if the team came to the chief information security officer
(CISO) and said the only way to discover the attack surface is to gather manual inventories
or observe network traffic, the team wouldn't last long. IT uses scanning, agents,
discovery tools, as well as manual and network approaches to capture a full picture of
its attack surface. But in OT, because of the sensitivity of these devices, security leaders
have been left with less than effective options.
An effective assessment must include a comprehensive view of the risk to each asset.
That should take into account all of those findings from the complete discovery described
above. A 360-degree view allows the organization to make appropriate trade-offs in risk
priority.
3. Adding important context: Asset criticality and use are key to future prioritization.
(Figure courtesy: Verve Industrial)
As the above chart shows, a full 360-degree view needs to include important context
about an asset, described as “asset criticality/impact” in the chart. To conduct the next
step of prioritization effectively, the attack surface needs to include robust context
from the criticality of the asset, its use, its network connections to other devices, etc. In
some cases, organizations will have some of this data available from other efforts, such
as disaster recovery analysis. But in others, this context needs to be created from the
data provided based on the connections, software installed, etc.
One of the biggest challenges in OT security is the number of risks found in many of
these environments. In most cases, OT systems aren't patched regularly, older devices
run out-of-date firmware, the anti-malware status may not be regularly updated, etc. In
most assessments, our platform identifies thousands of critical vulnerabilities. There's
no way an organization can get to all of this immediately.
We also would argue that in OT, a key to this prioritization is to pair the platform's
data with human analysts who can bring insights from other entities and threat data to
help the organization prioritize. This "man and machine" approach offers the greatest
source of prioritization.
Discovering a risk is of little value if you can't respond to it rapidly and, in OT, safely.
In IT, organizations rely on weekly patch updates, automated resetting of configurations,
network access control that refuses connections from unknown assets, etc.
In OT, however, many of these solutions can cause an operational impact on the pro-
An effective OT ASM platform needs to enable both the prioritization of risks and
the ability to immediately pivot to remediation in a way that's efficient and safe for the
processes. This requires an OT-safe management platform that allows you to patch, harden
configurations, remove unapproved software, remove or limit access for certain accounts or
users, create network segmentation, etc. The most efficient way to do this is to integrate it
into the ASM platform rather than rely on separate tools or manual efforts to conduct each
of these different remediation actions.
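The bridging conditions named earlier (dual-NIC hosts, PLCs addressed directly on the corporate network), the context overlay and risk score of steps 3 to 5, and the OT-safe remediation choices just described can be tied together in one small worked example. The Python below is an added example written for this page; it is not Verve's platform or its scoring model. The zone ranges, the weights inside the score, the sample inventory and the action wording are all constructed assumptions.

```python
"""Context-aware attack surface scoring for an OT asset inventory (added example).

Detects the IT/OT bridging conditions from an inventory, folds them into a risk
score together with vulnerability severity and asset criticality, picks an OT-safe
remediation, and re-scores after a remediation so the worklist can be maintained.
Zone ranges, weights and sample assets are constructed assumptions, not plant data.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed zone model: subnets owned by corporate IT versus the OT/control network.
ZONES = {
    "corporate": [ip_network("10.0.0.0/16")],
    "ot": [ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")],
}


@dataclass
class Asset:
    name: str
    kind: str            # "plc", "historian", "eng_ws", ...
    addresses: list      # every interface address seen for the host
    criticality: int     # 1 (nuisance) .. 5 (safety/production critical), set by the owner
    cvss_max: float      # highest CVSS base score among its known findings
    patchable: bool      # False when vendor/end-of-life status blocks updating in place


def zone_of(addr: str):
    """Map one address to a zone name, or None if it is outside the model."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return None


def bridging_findings(asset: Asset) -> list:
    """IT/OT bridging conditions: a host with interfaces in both zones, or a
    controller that is addressed directly on the corporate network."""
    zones = {zone_of(a) for a in asset.addresses}
    findings = []
    if {"corporate", "ot"} <= zones:
        findings.append("dual-homed across corporate and OT")
    if asset.kind == "plc" and "corporate" in zones:
        findings.append("PLC addressed on the corporate network")
    return findings


def risk_score(asset: Asset) -> float:
    """CVSS alone ranks every 9.8 equally; weight it by how much the process depends
    on the asset and by whether an attacker arriving from IT can reach it directly.
    Weights (criticality/5, +50% per bridging finding) are assumptions."""
    exposure = 1.0 + 0.5 * len(bridging_findings(asset))
    return asset.cvss_max * (asset.criticality / 5) * exposure


def recommended_action(asset: Asset) -> str:
    """Remediation has to be OT-safe: close the IT path before anything else, patch
    only where the vendor allows it, otherwise fall back to compensating controls."""
    if bridging_findings(asset):
        return "segment: remove the corporate path, then re-assess"
    if asset.patchable:
        return "patch in the next maintenance window"
    return "harden: restrict accounts/services and isolate; cannot be patched"


def apply_segmentation(asset: Asset) -> Asset:
    """Model the segmentation action for the maintenance step: drop the corporate-side
    interface so the next review re-scores the asset without the bridging exposure."""
    kept = [a for a in asset.addresses if zone_of(a) != "corporate"]
    return replace(asset, addresses=kept)


def prioritize(assets) -> list:
    """Risk-ranked worklist of (name, score, findings, action), highest risk first."""
    rows = [(a.name, round(risk_score(a), 2), bridging_findings(a), recommended_action(a))
            for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory (assumed values, not real plant data).
SAMPLE = [
    Asset("PLC-1", "plc", ["192.168.10.5"], 5, 9.8, False),
    Asset("HIST-1", "historian", ["10.0.5.20", "192.168.10.50"], 3, 7.5, True),
    Asset("PLC-2", "plc", ["10.0.7.3"], 4, 5.3, False),
    Asset("ENG-WS", "eng_ws", ["192.168.20.10"], 2, 9.8, True),
]

if __name__ == "__main__":
    for name, score, findings, action in prioritize(SAMPLE):
        print(f"{name:7} {score:5.2f}  {action}  {'; '.join(findings)}")
```

Run as a script it prints the ranked worklist. The point of the ranking is that the two 9.8 findings do not land together: the engineering workstation drops below a 5.3 on a PLC that is addressed from the corporate network, because that PLC is both more critical and reachable from IT. apply_segmentation shows the re-review of step 6: once the historian's corporate interface is gone its score falls from 6.75 to 4.5 and its recommended action changes from segmentation to a patch window.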
The best way to think about this is what we call "Think Global: Act Local." This architecture
enables centralized analysis and prioritization of remediation actions but also ensures that
when actions are actually executed, they are controlled by those closest to the process, such
as DCS engineers. This balances the need for efficiency and OT safety.
The “Think Global: Act Local” approach above also allows an organization to radically
reduce the costs of maintaining the attack surface. We find that many organizations are
relying on local site personnel to manage their OT security. This is just not a feasible
approach — both for consistency as well as labor efficiency.
John Livingston
John Livingston, CEO, Verve Industrial.
Thank you for visiting the IT/OT Convergence eBook!
Content archive: 2023 Spring Edition, 2023 Winter Edition, 2022 Fall Edition.
If you have any questions or feedback about the contents of this eBook, please contact
CFE Media at customerservice@cfemedia.com