
IT/OT CONVERGENCE
Summer Edition
Contents

3 — Nine reasons why ICS/OT infrastructure is insecure
7 — Proficy CSense: Predict Product Quality
8 — Machine Learning and Predictive Analytics for Engineers
21 — Requiring SBOMs and their impact on OT
27 — Proven Deployments That Strengthen Your OT Cybersecurity Posture
28 — How the Energy Sector Can Power-Up Portable Media Security
31 — Taking IT/OT convergence from theory into practice
37 — Good cybersecurity requires IT/OT convergence
44 — Attack surface management: Six steps for success in OT/ICS
Nine reasons why ICS/OT infrastructure is insecure

Industrial control system (ICS)/operational technology (OT) infrastructure security differs in many ways from information technology (IT) security, and one of the main reasons is the reversed confidentiality, integrity and availability (CIA) triad. In OT infrastructure, availability is the highest priority, which makes implementing cybersecurity solutions to secure OT infrastructure a critical task. It requires a good command of the proposed cybersecurity solutions, the relevant security standards and frameworks, and the ICS functions and their operations.

In the past, ICS/OT systems were not connected to the internet; OT security was restricted to safeguarding the physical infrastructure with well-known measures such as security guards, biometrics and fences. Now, for ease of operability, ICS/OT infrastructure everywhere is being connected to the internet or is in the process of being connected. This transformation, however, exposes these infrastructures to vulnerabilities that cannot be addressed by the old safeguards alone. Vulnerable infrastructure invites destructive incidents with huge financial, environmental and/or health consequences.

Nine aspects that make ICS/OT infrastructure vulnerable

There are many aspects that make ICS/OT infrastructure insecure. Some of the most common and critical are:

1. Outdated operating systems: End-of-life operating systems that no longer receive security updates from the original equipment manufacturer (OEM) are highly vulnerable. They carry the most critical vulnerabilities (e.g., remote code execution), which can generally be exploited even by a script kiddie.
2. Outdated firmware: Most switches and firewalls at Levels 1 to 3 are left out of firmware updates because, in general, they never directly impact operations. Neglecting them leaves the connectivity between the different levels of the ICS infrastructure highly vulnerable.

3. Implementation of inaccurate or cost-cut security levels: Depending on the ICS/OT infrastructure, the level of security needed varies, and it is clearly defined in the ISA/IEC 62443 series of standards. Many times, an inaccurate selection of security levels, or cost cutting, exposes the system or indirectly opens back doors.

4. Insecure passwords: For easy access to networks, operators have been using weak passwords, which makes it easy for attackers to obtain access. Even where operators are forced to use strong passwords, they make another mistake by reusing the same strong password for all access points, which attackers can then exploit across all of them once it is cracked.

5. No inventory database: In ICS/OT infrastructure, the large number of network devices, endpoints and automation devices from many vendors makes it very tough to maintain an up-to-date inventory database, and this indirectly creates a loophole in the OT infrastructure. Without one, if an unauthorized device attempts to connect or is already connected to the existing infrastructure, it becomes very hard to find it and isolate the network from it.

6. Untested backup restores: In most ICS/OT infrastructure, system backups are either full-system backups only, or incremental or differential backups on top of a full-system backup. In case of a ransomware attack, the expectation is that the system will easily be restored from the available backup. The important point, however, is being sure that the available backup will actually work when restored. If the restore fails, the result is a huge financial loss for any ICS environment. To reduce this risk, identify the most critical systems of your OT operation (e.g., the application and automation servers of a distributed control system [DCS]) and, at regular intervals, restore the available backup onto an external machine to make sure it works.

7. Complex firewall rules at Level 3.5 and above: In today’s ICS/OT infrastructure, most plants share a common regional demilitarized zone (DMZ) and many other applications such as remote access, security information and event management (SIEM), intrusion detection system (IDS), centralized antivirus (AV), patch management (PM), etc. In such cases, very complex firewall rule tables become very difficult to manage, and they turn into an access point for an attacker. To reduce this risk, follow two rules of thumb: first, do not open any inbound traffic unless it is essential for operability, and second, keep firewall rules simple to understand.

8. Lack of security products designed for OT: As we all know, most cybersecurity solutions available on the market were designed for IT security. They are now being retrofitted for OT security, so they either create system performance issues or need regular patch updates that directly impact operations. Some cybersecurity solutions are good enough to satisfy compliance but are unable to provide cybersecurity at the level achieved in IT infrastructure. For example, products rarely create accurate inventory databases for OT, and security patch installation is still a headache for OT infrastructure. Indeed, malware protection solutions are still creating performance issues in many use cases.

9. The mindset of OT customers: Many OT customers believe their systems and infrastructure sit in an isolated zone, because they have either never needed to connect to the internet or only do so occasionally. This mindset needs to change, and awareness needs to be created that cyberattacks can be carried out by any means and at any time (e.g., Stuxnet).
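The two rules of thumb in item 7 can be checked mechanically. The following Python script is an added example, not part of the article: it audits a constructed first-match rule table for a Level 3.5 DMZ firewall, flagging inbound allows into the control zone with an unrestricted source or service (rule of thumb 1) and rules that an earlier, broader rule already shadows and which therefore only add complexity (rule of thumb 2). Zones, addresses and rule names are made up, and the rule format is a simplified table, not any vendor's syntax.

```python
"""Audit a Level 3.5 DMZ firewall rule table against two rules of thumb:
no inbound traffic into the control zone unless explicitly needed, and rules
simple enough that none is shadowed by an earlier, broader rule.

Everything here is constructed for illustration: zones, addresses and rule names
are made up, and the rule format is a simplified first-match table, not any
vendor's syntax.
"""
import ipaddress

ANY_PORT = frozenset(range(65536))

# Constructed zones mapped to Purdue levels for the example site.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/8"),        # Levels 4/5
    "dmz": ipaddress.ip_network("172.16.35.0/24"),           # Level 3.5
    "control": ipaddress.ip_network("192.168.10.0/24"),      # Level 3 and below
}


def rule(name, src, dst, ports, action):
    """One rule of a first-match table. ports is 'any' or a list of port numbers."""
    return {
        "name": name,
        "src": ipaddress.ip_network(src),
        "dst": ipaddress.ip_network(dst),
        "ports": ANY_PORT if ports == "any" else frozenset(ports),
        "action": action,
    }


def is_inbound_to_control(r):
    """Inbound: traffic that lands in the control zone from outside it."""
    return (r["dst"].subnet_of(ZONES["control"])
            and not r["src"].subnet_of(ZONES["control"]))


def broad_inbound_allows(rules):
    """Rule of thumb 1: inbound allows whose source or service is unrestricted.
    Returns (rule name, finding) pairs in table order."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or not is_inbound_to_control(r):
            continue
        if r["src"].prefixlen == 0:
            findings.append((r["name"], "any-source"))
        if r["ports"] == ANY_PORT:
            findings.append((r["name"], "any-service"))
    return findings


def shadowed_rules(rules):
    """Rule of thumb 2: a rule is shadowed when an earlier rule already matches
    every packet it would match, so it can never fire. Whatever its action,
    it only makes the table harder to understand. Returns (shadowed, by) pairs."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and later["ports"] <= earlier["ports"]):
                shadowed.append((later["name"], earlier["name"]))
                break
    return shadowed


# Constructed rule table, evaluated top to bottom, first match wins.
RULES = [
    rule("historian-pull", "172.16.35.10/32", "192.168.10.20/32", [1433], "allow"),
    rule("remote-access", "0.0.0.0/0", "192.168.10.0/24", [3389], "allow"),
    rule("patch-server", "172.16.35.0/24", "192.168.10.0/24", "any", "allow"),
    rule("av-updates", "172.16.35.30/32", "192.168.10.0/24", [8014], "allow"),
    rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in broad_inbound_allows(RULES):
        print(f"broad inbound allow: {name} ({finding})")
    for name, by in shadowed_rules(RULES):
        print(f"shadowed rule: {name} never fires, {by} matches first")
```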

Ritesh Srivastava

Proficy CSense: Predict Product Quality

In this demonstration we’ll see how a process engineer can create a machine learning model to predict product quality that will help reduce laboratory testing, using Proficy CSense. You will see how to feed the optimal data into the CSense Architect, where the model can be created and then published to an external system such as a SCADA or a DCS to improve quality and save cost.

Machine Learning and Predictive Analytics for Engineers

Leverage Domain Expertise to Drive Optimization – Without Needing a Data Scientist

Today, staying competitive means progressing on a digital transformation journey, including machine learning and predictive analytics. Not only can industrial organizations capitalize on the IoT opportunity, optimize operations and generate greater profitability, but engaging in the latest technologies also helps to attract and retain the best talent.

Fortunately, the journey to success with machine learning and analytics doesn’t mean that process engineers need to be data scientists. Proven processes and software technologies make analytics do-able for every industrial organization.

Engineers Are the Process Experts

Process engineers have exceptional domain expertise to put together process models – or Process Digital Twins – and be able to interpret the models. This is the foundation for improving competitive advantage and success with analytics.

To drive analytics and improve processes, process engineers can align domain expertise to five capabilities:

1. Analysis – automatic root cause identification accelerates continuous improvement

2. Monitoring – early warnings reduce downtime and waste

3. Prediction – proactive actions improve quality, stability, and reliability

4. Simulation – what-if simulations accelerate accurate decisions at a lower cost

5. Optimization – optimal process setpoints improve throughput at acceptable quality by up to 10%

Figure 1: Process engineers can align domain expertise to five capabilities.

Advanced analytics techniques are available to industrial process engineers to fulfill these capabilities. To support the journey to machine learning and analytics, GE Digital provides analytics technology training in the form of self-serve, detailed demo videos and application advice.

Additionally, while today’s software features enhanced ease of use and no-code implementation extensible with Python, process engineers can still lean on product experts, in combination with their own domain expertise, to mine data and leverage analytics to improve operations.

Success with Predictive Analytics

As an example, a leading food manufacturer was able to drive down customer complaints by more than 33% through analytics. The manufacturer had struggled with weight control on a cube-shaped product. Make the cubes too heavy, and the manufacturer was giving away product, or producing watery product if the excess weight was due to too much water. When the cubes were too light, the company was in regulatory jeopardy as well as having trouble compacting the product into a stable cube shape.

The team used Proficy CSense to get a complete picture, correlated by lot and period, of ingredient specs, process variables as run, and lab data, using the software to look for controllable factors that correlated to excess give-away and then comparing periods with better weight control to the factors that were true then. Now, when the team sees how a raw material variance was successfully corrected for or a process disturbance was overcome, that understanding is embedded into a new material spec, recipe or SOP. The smart analysis with Proficy CSense yielded other benefits as well.

Figure 2: A leading food manufacturer was able to drive down customer complaints by more than 33% through analytics, using Proficy CSense.

Another example involves applying a smart predict project at a pulp and paper manufacturer to predict Critical to Quality (CTQ) KPIs to improve productivity and eliminate wastewater regulatory issues. As a final example, a partner in mining delivered an Advanced Process Control solution that increases throughput by 10% using smart optimization technology.


Predict Product Quality with Analytics
See how a process engineer can create a machine learning model to predict product quality that will help reduce laboratory testing.

Analytics and Control Loop Optimization

As a use case example, process optimization is key in manufacturing, and control loops are the critical components. “Out of tune” loops can affect the quality of the product and the material and energy consumption, and ultimately increase the risk of contamination in regulated industries. AI and machine learning can be used to improve and optimize control loops to generate big savings and reduce risks.

What is a control loop? A simple form of a process controller is the thermostat, which maintains the temperature of a room according to a given setpoint. It operates as a closed-loop control device, trying to minimize the difference between the room temperature and the desired one.

Figure 3: AI and machine learning can be used to analyze and improve control loops to optimize performance KPIs, generate big savings and reduce risks.

The industrial version is the PID (Proportional-Integral-Derivative) control loop, an essential part of every process application. PID loops have been around for a very long time. The first pneumatic instruments featuring a proportional controller were developed by Taylor Instrument Companies at the beginning of the 20th century.

Nowadays, loop controllers are available as standalone devices called single loop controllers, but the most common version is a piece of code that resides in a PLC (Programmable Logic Controller) or a DCS (Distributed Control System). This makes it easier to combine them to create advanced control diagrams such as cascade or feed-forward control, or the split range required for the complex control of food and beverage, chemical, oil and gas operations, and more.

Control Loops: Small Tweaks, Big Impact

A lot of literature exists that describes the behavior of PID loops and how to tune them. However, tuning still represents a challenge for many, as all processes are different.

The complexity of the process is obviously one of the criteria. Heat-jacketed devices such as kettles, dryers, reactors or pasteurization units can be hard to control. Using steam, the heat transfer is not uniform, which might result in an overshoot during uptimes, making the control loops difficult to tune. Note that this is less prevalent using water. Traditional cascaded loops will only solve part of the problem. An advanced analytics system such as GE Digital’s Proficy CSense can help by looking at historical data to create a model of the actual profile and recommend new settings accordingly. The model will take into account changes in parameters such as viscosity and steam pressure, which affect the heat transfer coefficient and the flow pattern.

Figure 4: An advanced analytics system can solve problems by looking at historical data – including from multiple sources – to create a model of the actual profile and recommend new settings accordingly.

Two apparently similar machines might require different settings, as they are equipped with sensors that will react to change in a slightly different way. This might be because they use different technologies – a glass vessel vs. a steel vessel, which by nature have different inertia – or simply because their characteristics vary over time: aging valves, deviating sensors, etc.

Loop tuning therefore doesn’t happen once. It must take place on a regular basis if done manually, and be customized for each asset. Another option is real-time monitoring using AI and machine learning. Analytics make use of a suite of components to determine and understand the causes of process deviation in industrial environments. Engineers and data scientists can analyze, monitor, predict, simulate, and optimize and control setpoints in real time.

For process optimization, analytics solutions need to provide multiple capabilities: process modelling and troubleshooting as well as online deployment and real-time monitoring.

Data is prepared and visualized, and rules-based, data-driven process models can be constructed. Using these models, root causes of process deviations are identified, so processes can be optimized.

Figure 5: Analytics solutions need to provide multiple capabilities: process modelling and troubleshooting as well as online deployment and real-time monitoring.

Predictive Analytics and Sensor Health

Applications for predictive analytics are endless, but a possible first step is for engineers to use analytics to monitor sensor health.

Bad sensor data can mean lost product, downtime, compliance issues, and safety risks, as well as a dirty data foundation for digital transformation and continuous improvement programs. Industrial organizations need to have good data that can be leveraged for operations, ad hoc analysis, and enterprise analytics.

Over time, sensors tend to deviate, impacting processes and operations. But it’s time consuming – and impossible for most organizations – to manually determine whether and why sensors are working or failing before the risk grows.

Predictive Analytics and Sensors

Engineers can employ a predictive analytics app such as Proficy Sensor Health to continuously monitor and analyze sensor data. Users can target anomalies and minimize their potential impact. The analytics app provides an easy way to automate the detection of bad sensors, where data is deviating from normal conditions.

When an anomaly is detected, the app can generate alarms to speed repairs, replacements, and recalibrations.

Figure 6: Follow these strategy steps to good sensor health, leveraging predictive analytics and machine learning.

By using predictive analytics to monitor sensor health, engineers can:

• Reduce downtime: Sensors are often used to provide indications that equipment is running correctly. Incorrect readings can lead to equipment failure or damage. Early detection of a sensor that is no longer giving accurate or consistent results can provide advance warning that enables maintenance to replace or recalibrate the sensor before the worst happens.

• Improve product quality and compliance: Sensors are often used for measuring the results of a product or to ensure the ambient surroundings of a process are within specification. If the sensors used to measure the product or environment are not accurate or functioning correctly, it can lead to a product being out of specification. Providing early warnings can reduce costs related to product recalls or scrapped product.

• Ensure sensor data quality: Ensuring data quality in downstream analytics is part of IoT-fueled improvements. If the intent is more advanced use of analytics for a process, the need for ensuring data quality is critical.

How to Select the Right Predictive Analytics Solution

Every industrial organization knows that it’s imperative to move ahead at light speed with predictive analytics. Consequently, new analytics startups and consulting companies are showing up every week.

How does an engineer select the right predictive analytics solution? The following advice provides guidance for engineers.

1. Make sure that “predictive analytics” isn’t buzz hiding risky, unproven software and newbie “experts.”

For example, GE Digital has offered and implemented analytics solutions for more than 15 years, serving industrial organizations around the world across a diverse set of industries.

Work with a partner that you can trust and know will support you for the long term.

2. Select industrial advanced analytics with a troubleshooting component that enables engineers to rapidly troubleshoot continuous, discrete, or batch manufacturing process performance by mining insight from available sensor and production data.

Seamless connectivity, rich visualization, and predictive analytics enable engineers to analyze operating scenarios, quantifying the impact that operational changes will have on key performance metrics and identifying causes for performance variation.

Figure 7: To support the full IoT value journey, look for capabilities from simple calculations to predictive machine-learning models to real-time optimization and advanced-control algorithms.

Additionally, to support the full IoT value journey, look for capabilities from simple calculations to predictive machine-learning models to real-time optimization and advanced-control algorithms.

3. Be sure that the analytics package enables engineers to rapidly develop analytic solutions – supporting improvements in production throughput, yield, quality, and efficiency with significant margins.

A comprehensive analytic solution-development environment provides visual analytic building blocks to build and test calculations, predictive analytics, and real-time optimization and control solutions, with connectivity to real-time and historical data sources and drag-and-drop access to rich functional libraries.

Plug-and-play connectivity to historical and real-time data sources and automation systems makes for faster configuration. Built-in support for data quality makes real-time data cleaning and validation easy.

4. Confirm that the analytics package can speed deployment with templates for greater efficiency.

Engineers should be able to save analytics solutions as reusable templates for easy deployment to similar assets or process units. Additionally, while the analytics troubleshooting component should enable engineers to find answers faster with analytics-guided data mining and process-performance troubleshooting, the development/configuration capabilities should allow them to more easily capture expert knowledge and best practices into high-value analytic templates for rapid enterprise-wide deployment.

5. Focus on analytics solutions developed with engineers – not just data scientists – in mind.

With an analytics package that is accessible to engineers, teams can create a Process Digital Twin for smarter operations.

Visual drag-and-drop analytics accelerate time to value and reduce dependence on data scientists and programmers. Online demos enable rapid mastery of the software with easy-to-follow demonstrations and guided simulations.

As previously mentioned, a rapid development environment is critical. The best solutions provide rapid wizard-driven data mining for engineers for fast time-to-insight, an easy visual drag-and-drop environment for subject matter experts and engineers, and analytic solution templates without programming for simple calculations, data cleaning, maths, statistics, machine-learning models, real-time optimization, and advanced process control.

From Small Projects to Multi-Plant Optimization

All automation and process engineers can and need to develop capabilities in analytics and machine learning to remain competitive – both at an individual professional level as well as to help their industrial organization – in our world of digital transformation.

Over time, engineers can go from small projects to pilots to multi-plant optimization with deep application of analytics. Engineers’ deep domain expertise provides a foundation for modelling processes and developing the analytics that are game changers in very specific applications. The combination of applied analytics technology with those Process Twin models uncovers hidden opportunities for improvement over and over again.

If you’re ready to optimize with analytics, GE Digital’s Proficy CSense turns raw data into real-time value with a Process Digital Twin. The software uses AI and machine learning to enable process engineers to combine data across industrial data sources and rapidly identify problems, discover root causes, and automate actions to continuously improve quality, utilization, productivity, and delivery of production operations.

Requiring SBOMs and their impact on OT

The concept and benefits of a software bill of materials (SBOM) are simple to understand. An SBOM is a list of all software in an application or cyber asset.

Vendors need to create and maintain an SBOM to have any chance of credibly sup-
porting their product over time. Many vendors have an SBOM, and some of those
vendors actually track and update the software in the SBOM. The updates can be to
address security vulnerabilities, but also to fix nonsecurity-related bugs and to keep
the software components on a supported version.

Asset owners require an SBOM as part of their asset inventory to be able to know if a vulnerability affects their system. The CODESYS runtime vulnerabilities are one of my favorite examples. This runtime is used in hundreds of different models of programmable logic controllers (PLCs), but when ICS-CERT publishes a vulnerability advisory on CODESYS, it does not include the PLCs that rely on the CODESYS runtime as affected products.

A tiny percentage of those PLC vendors update CODESYS in their build and put out an advisory. Almost all of the PLC vendors don’t update the CODESYS component, because this requires resources to develop and test, and they don’t notify their customers. The same is true of industrial control system (ICS) protocol stacks, as well as common libraries used in operational technology (OT) and information technology (IT).

The hope is that the U.S. National Telecommunications and Information Administration (NTIA)-led effort to promote a common SBOM format, facilitate SBOM proof-of-concept projects in various sectors and generally educate the stakeholders on the need for and use of SBOMs is gaining traction. There are whispers that SBOMs will be part of the Biden administration’s efforts to deal with supply chain security issues.

Much like the discussion at the S4x20 panel led by NTIA’s Allan Friedman, the real question is what will asset owners do if SBOMs exist for OT systems?

One step back


SBOMs are information — information that can be used to attack or defend a system.
Think of the Shodan tool that scans the internet and creates a database that can be
queried by anyone with an account. Shodan can help an asset owner identify inter-
net-accessible OT devices that need to be removed or protected. Shodan can also
help an attacker identify vulnerable OT devices that are internet accessible. Once
Shodan became available, it initially made the attacker’s job easier because they were
using the information more and better than the defenders.

The same is likely to be true when SBOMs are introduced for OT applications and devices. An attacker with access to an SBOM will know if a PLC uses a vulnerable CODESYS runtime or a compromised distributed network protocol 3 (DNP3) stack. It is fair to generally characterize the OT environment as infrequently and unevenly patched for known software components, while admitting some sectors and some individual asset owners do better.

Once SBOMs for OT are created and distributed, it’s likely that it will be a step backward for OT cyber risk. There will be more risk because attackers will now have information on more ways to attack deployed systems, and the attacks on unpatched vulnerabilities will likely be around for years unless you expect the OT patching trends to change dramatically.

For a normal system, this increased attacker knowledge of vulnerabilities would be of great concern. In OT, it is much less so because of the PLC / Level 1 insecure-by-design issue. Applying all of the SBOM-identified missing patches on 90%-plus of these systems would not make the attacker’s job much more difficult. The attacker will typically use documented features and functions rather than bother “hacking” once inside the OT security perimeter. Of course, this points out again the need to implement the increasingly available secure PLCs with signed firmware and support for secure ICS protocols.

The SBOMs for the approximately 10% or less of the attack surface that either forms
the security perimeter or is directly accessible through the security perimeter is ex-
tremely important. If the defenders don’t patch or otherwise address this issue faster
than the attackers can leverage the information, which is likely, it will be a step back-
ward.

This does not mean the SBOM effort should not go forward. SBOMs are needed by
those asset owners with the maturity and resources to use them. They should not be
held hostage by those who choose to invest less in OT cybersecurity. Still, we need to
set expectations that SBOMs are unlikely to lower risk in at least the first 1-2 years they
are available, and are in fact likely to increase risk.

Business models for SBOMs


The collection, monitoring and use of SBOMs in OT is a large job. Asset owners are
lamenting the burden of patching Microsoft vulnerabilities, and more often than not,
failing to meet their own set requirements of quarterly, semi-annual or even annual
security patching. I don’t have hard numbers, but I have to imagine adding all of the
software in an SBOM to the security patching program is at least a five-times increase
in asset/patch combinations.

My prediction is that vendors will step into this issue and offer a service that will help:

• Vendors create and maintain their SBOMs

• Provide and update SBOMs for asset owners

• Tell both vendors and asset owners when a new vulnerability affects an SBOM

In the OT world, companies such as aDolus and FiniteState offer products and services to create SBOMs and identify vulnerabilities in the SBOM software components. (Note that the analysis these companies do goes beyond creating and evaluating the SBOM.) Others are sure to join as the supply chain and SBOM get more attention. But who pays for what? Three of the many possible business models include:

1. Vendor pays for SBOM service: The vendor integrates the SBOM service into its
security development lifecycle (SDL). The vendor can buy a license so that ap-
proved asset owners can access the SBOM service. The SBOM service would pro-
vide an SBOM for each build and information on all known vulnerabilities in the
SBOM. This model would work best for vendors that deliver a whole system such
as Emerson Ovation or Honeywell Experion.

2. Asset owner pays for SBOM service: Today, most vendors are not providing SBOMs. If an asset owner wants to get an SBOM, they would have to provide the product and pay to have the SBOM created, maintained and monitored for vulnerabilities. The SBOM service vendor may agree to add it to their library at no cost for future annual recurring revenue. Even if the vendor agreed to provide the asset for the SBOM service to create the SBOM, the vendor may not be willing to fund the SBOM service for a large and unknown set of end users. This would be more likely in cases where the vendor does not know who gets their product, as it is sold and deployed by integrators.

3. Hybrid model where vendor and asset owner pay for the SBOM service: There are
likely many combinations of the two above models.

One of the challenges for this SBOM service business is asset owners regularly mod-
ify the standard install of the cyber assets. This is often done for legitimate project
reasons, and it also occurs due to poor change control. When we go in and audit sys-
tems, it’s not unusual to see a common cyber asset, such as a human-machine interface
(HMI)/operator station, with different software installed in different computers. This
can be different versions of the same software or sometimes additional software that
got installed on only some of the operator stations. The SBOM service business is not
going to be able to help with this.

One last thought: The SBOM service will need to communicate with the vulnerability
management portion of the asset management solution. This integration will be key.
Either the SBOM service will need to feed into the vulnerability management module,
or the SBOM service will need to become the vulnerability management module and
communicate with the asset inventory module.
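The CODESYS example above (an advisory names the runtime but not the PLCs that embed it), the operator-station drift described in the previous paragraph, and the hand-off to vulnerability management can all be illustrated with one small piece of Python. It is an added example, not the author's or any vendor's code: the SBOMs are constructed in the CycloneDX JSON layout, and the asset names, component names, version numbers and advisory identifier are made up.

```python
"""Match a vulnerability advisory against the SBOMs of deployed OT assets, and
compare an as-installed SBOM against the vendor baseline to spot drift.

All data here is constructed. The SBOMs use the CycloneDX JSON layout, but the
asset names, component names, version numbers and the advisory are made up.
"""


def parse_version(text):
    """Turn '3.5.16.10' into (3, 5, 16, 10) so versions compare numerically,
    not as strings (as strings, '3.5.9.2' would sort after '3.5.16.0')."""
    return tuple(int(part) for part in text.split("."))


def components(sbom):
    """Map component name -> version for one CycloneDX-style SBOM."""
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def asset_name(sbom):
    return sbom["metadata"]["component"]["name"]


def is_affected(version, advisory):
    """Affected if introduced <= version < fixed (fixed is exclusive)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sboms, advisory):
    """Return the names of assets whose SBOM carries the affected component in
    the vulnerable range. This is the lookup an advisory on a shared runtime
    does not do for you: it names the component, not the PLCs that embed it."""
    hits = []
    for sbom in sboms:
        version = components(sbom).get(advisory["component"])
        if version is not None and is_affected(version, advisory):
            hits.append(asset_name(sbom))
    return sorted(hits)


def drift(baseline, installed):
    """Compare a vendor baseline SBOM with an as-installed SBOM of one station.
    Returns what was added, what is missing, and which versions differ."""
    base, inst = components(baseline), components(installed)
    return {
        "added": sorted(set(inst) - set(base)),
        "missing": sorted(set(base) - set(inst)),
        "version_changed": {
            name: (base[name], inst[name])
            for name in sorted(set(base) & set(inst)) if base[name] != inst[name]
        },
    }


def _sbom(name, version, comps):
    """Build a constructed CycloneDX-style SBOM dict."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"type": "device", "name": name, "version": version}},
        "components": [{"type": "library", "name": n, "version": v} for n, v in comps],
    }


# Constructed: three PLC models from different vendors embedding the same runtime.
PLC_SBOMS = [
    _sbom("plc-model-a", "2.1", [("example-plc-runtime", "3.5.14.0"),
                                  ("example-modbus-stack", "1.2.0")]),
    _sbom("plc-model-b", "7.0", [("example-plc-runtime", "3.5.16.10")]),
    _sbom("plc-model-c", "1.0", [("example-plc-runtime", "3.5.9.2"),
                                  ("example-dnp3-stack", "4.0.1")]),
]

# Constructed advisory on the shared runtime; the identifier is a placeholder.
ADVISORY = {
    "id": "EXAMPLE-ADV-0001",
    "component": "example-plc-runtime",
    "introduced": "3.5.0.0",   # first affected version, inclusive
    "fixed": "3.5.16.0",       # first fixed version, exclusive
}

# Constructed: vendor baseline for an operator station and one as-installed scan.
HMI_BASELINE = _sbom("hmi-station", "5.2", [("scada-client", "5.2.0"),
                                             ("example-opc-ua-stack", "1.4.3")])
HMI_02_INSTALLED = _sbom("hmi-station", "5.2", [("scada-client", "5.2.0"),
                                                 ("example-opc-ua-stack", "1.4.1"),
                                                 ("remote-support-agent", "9.9")])

if __name__ == "__main__":
    print("Affected by", ADVISORY["id"], ":", find_affected(PLC_SBOMS, ADVISORY))
    print("HMI-02 drift from baseline:", drift(HMI_BASELINE, HMI_02_INSTALLED))
```

The output of find_affected is what a vulnerability management module would consume from an SBOM service; the drift report is what the article says that service cannot produce on its own, since it requires an as-installed scan of each station.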

Dale Peterson
Dale Peterson is the founder, chief executive and head catalyst of industry security
provider Digital Bond.

Proven Deployments That Strengthen Your
OT Cybersecurity Posture
Join #OPSWAT Senior Product Manager Matt Wiseman and
cybersecurity expert Pete Lund as they share proven OT
#cybersecurity deployments that can strengthen your overall
cybersecurity posture and advance your cybersecurity maturity.
Discover what steps you can take no matter where you are in your
cybersecurity journey to level-up your protection.

How the Energy Sector Can Power-Up Portable Media Security

The energy sector frequently reports some of the highest rates of cyber incidents
because of its critical nature, with portable media presenting security challenges
on multiple fronts. From Operational Technology (OT) and Information Technology (IT)
isolation to compliance regulations, the energy sector needs to effectively address
these challenges and the subsequent threats, or consequently face the risk of a
cyberattack that could incapacitate every other industry.

A Divergence of Technology
Most of the energy sector is in the process of undertaking IT/OT convergence
projects. Industrial control systems (ICS), SCADA systems, and programmable logic
controllers (PLCs) all incorporate elements of IT. And that means that they need to
be managed and protected just like an IT asset. Most OT environments are deployed on
air-gapped networks or demilitarized zones (DMZ) to harden the security of ICS, but
this approach introduces its own challenges. Organizations may struggle to update
anti-virus engines, patch systems, monitor and log system events, and otherwise
manage isolated systems and devices – challenges that can be solved by portable
media, such as USB and external drives.

Internal and External Threats

External threats range from nation states to financially moti-
vated cybercrime, and both look increasingly similar. Other
threats may emerge as insider attacks, a careless employee may
become an unforeseen source of risk, or a vulnerable software
update may enter through the supply chain. Whether internal
or external, removable media can serve as an attack vector and
contain malicious hardware/firmware, malware in hidden parti-
tions, as well as infected files.

Compliance Regulations
The North American Electric Reliability Corporation (NERC)
requires all bulk electric systems (BES) to comply with its Criti-
cal Infrastructure Protection (CIP) framework. NERC CIP spans a
dozen standards, from NERC CIP 003-7 that discusses transient
cyber assets and removable media, to NERC CIP 010-4 that pro-
vides regulations for managing, authorizing, and mitigating the
risk of transient cyber assets and preventing the propagation of
malware into operational systems.

How OPSWAT Can Help

The use of portable and removable media has increased data mobility and overall
productivity within IT, OT, and SCADA infrastructures worldwide. OPSWAT MetaDefender
Kiosk is easy to set up, manage, and use and enables secure, audited, authorized,
authenticated, and controlled use of media within your most critical infrastructure
and scans for malware, vulnerabilities, and sensitive data. Check out our whitepaper
to learn more about how OPSWAT can enable secure portable media use within the
energy sector.

For more information, please contact one of our cybersecurity experts.

Taking IT/OT convergence from theory into practice

Information technology (IT) and operational technology (OT) convergence continues
to be a topic of conversation among industry experts. Theoretically, it’s a good
idea; however, IT/OT convergence isn’t as simple as one may be led to believe.
Fundamental organizational challenges need to be addressed to achieve convergence,
from political and cultural barriers to technical complexities.

IT/OT convergence is about building the relationship between information technol-
ogy and operational technology to gain clear insights to improve efficiency, enhance
operations and metrics, and harden a business’ security posture. In reality, one of the
groups is overhead and administrative and relies on OPEX, and the other defines why
the business exists, is revenue generating and relies heavily on CAPEX.

These groups are siloed, working with minimal communication, creating a political
and cultural indifference toward each other. The key is defining and aligning the
needs of OT, the revenue-generating side of the business, by collaborating and cre-
ating seamless communication and transparency. OT, with the assistance of IT, will
need to lead the party out of the OT cybersecurity wilderness to create a more seam-
less and secure plant floor.

Being proactive with IT/OT convergence

Every business and plant is unique, with its own set of challenges, priorities, equip-
ment and technology. In most instances, each manufacturing site is its own kingdom
and operates independently of corporate governance groups, such as IT. This means
there’s no standard approach to IT/OT convergence, and therefore a one-size-fits-
all solution doesn’t exist. IT and OT departments don’t operate the same, and they
shouldn’t. However, to improve functionality between IT and OT departments within
organizations, it’s essential to encourage deeper conversations and collaborations
between the disciplines to help bridge the gap.

Instead of pointing fingers or continuing to foster a culture of indifference, there
should be a shared commitment to determine where they are and how they can
come together to secure the overall business. One way to foster this newfound cul-
ture is through educating each other regarding process, people and technology.
They should work together on joint technology decision-making and determine
which group has ownership as well as responsibility and governance of people, pro-
cess and technology. Whether it’s purchasing maintenance support or planning for
digital security, a combined perspective with well-rounded expertise will benefit the
business and begin to move the needle toward convergence.

Being proactive with convergence offers significant security benefits. In an increas-
ingly digital manufacturing world, businesses can’t afford to keep a line drawn in the
sand between the two departments. It also needs to be understood that IT cannot
own the plant floor industrial control systems (ICS), for obvious reasons including
safety, operation and production. When it comes to risks and threats, cyber crime
now has an $8 trillion price tag, according to a recent Security Intelligence report.
That’s another reason why IT/OT convergence is imperative.

When IT and OT work together, businesses can gain a comprehensive view of their
operations that can help identify security risks and vulnerabilities. This visibility is
crucial, as key manufacturing industries continue to be a target for cyberattacks and
ransomware due to a variety of issues from software misconfigurations to unknown
assets on the plant floor. Being proactive with collaboration across disciplines creates
an opportunity to get safer sooner rather than waiting until it’s too late, which can
result in lost data, costly downtime and physical safety hazards.

How can tabletop exercises help?

At Velta Technology, we’ve introduced a tabletop exercise to improve collaboration
and identify vulnerabilities in an organization’s ICS environments. The tabletop ex-
ercise includes step-by-step methodology that displays how vulnerable your organi-
zation is to an adverse cyber event. This exercise typically involves the C-Suite, risk
management and employees from the IT and OT disciplines.

A tabletop exercise is vital and beneficial in establishing ownership of ICS security.
A defined plan and ownership over digital safety and security can offer much-needed
clarity. By facilitating this comprehensive conversation and bridging the gaps between
the two groups, improvements can be made to internal communications and ownership of
security across the organization. This ultimately can help with convergence by breaking
down the silos that have historically kept the departments separate.

Additionally, a tabletop exercise can help eliminate the “not invented here” syndrome
often found in business. You’ll commonly see this when a preference exists for an
established approach or way of doing things, even when it may not be the best approach
across every department within the business.

Businesses may see the need to standardize their practices, but if a company has a
large number of plants, it can be a challenging task to create a plan that will work
for everyone. Often, each individual plant may have different equipment and sepa-
rate management teams. A standard approach may not be practical or work for all of
them. By having an open dialogue about unique solutions, this problem can be re-
solved.

Working together for IT/OT convergence

Another way to foster collaboration between IT and OT departments is through
hands-on experience. By working directly together on the manufacturing side or
spending a little time on the plant floor, IT can gain a deeper understanding of the
challenges of physical equipment directly from engineers. This shared experience
can help break down barriers between the departments and nurture an environment
where IT and OT are aligned with priorities, goals and ways to accomplish them.

IT/OT convergence better prepares businesses for the continuously evolving manu-
facturing landscape. By prioritizing convergence and a strong digital safety and secu-
rity posture, businesses can get ahead of the curve and be ready to take advantage
of new developments in manufacturing as they emerge.

As Industry 5.0 and the Internet of Things (IoT) continues to evolve and shape the
manufacturing space, IT and OT must prioritize working together. By working as
equal partners and leveling the playing field, they can improve processes, increase
operational efficiency and achieve well-defined metrics that are in alignment. They
may also uncover security issues that previously have gone undetected. By having
an open mind with IT/OT convergence and making it a priority within their business,
businesses can effectively position themselves for greater digital and cyber safety
and security.

Dino Busalachi
Dino Busalachi is chief technology officer for Velta Technology, a provider of Digital
Safety as a Service (DSaaS). Velta Technology helps organizations grow awareness of
their OT & IoT/IIoT networks by detecting cyber threats, risks, and securing critical
infrastructure across all assets, while also improving process integrity through the im-
plementation of NIST Framework best practices – Identify, Protect, Detect, Respond
and Recover.

Good cybersecurity requires IT/OT convergence

When an organization does not take advantage of potential synergies between in-
formation technology (IT) and operational technology (OT), it might be leaving
plant floor systems open to attack. In many organizations, the lines of communication
between these two groups are often nonexistent or strained, with each side ignoring
the other or believing they are an obstacle to work around. Bridging this gap can im-
prove performance on the floor and reduce risks to operations. A systems integrator is
a natural facilitator to help make that happen (see Figure 1).

IT/OT disconnect
This disconnect between IT and OT can arise for multiple reasons: lack of communica-
tion, lack of trust between members of the two groups or even a feeling of turf protec-
tion. Other factors that create further separation are different technology maturities,
technical skill gaps and the use of different toolsets and hardware. A few examples
where disconnects between IT and OT organizations can occur include:

• Response time and uptime requirements for systems in their respective areas

• Networking design and infrastructure design challenges

• Patch and antivirus management of server and client operating systems

• Identification and management of cybersecurity risks.

At the heart of IT/OT convergence is the recognition of the connected computing
nature of OT devices and how the unique characteristics of OT systems require
solutions that may differ from those appropriate in the IT space. At the same time,
the solutions chosen must address all the cybersecurity concerns IT groups have been
addressing.

Figure 1: The gap between IT and OT can be overcome with the help of system
integrators. Courtesy: Applied Control Engineering Inc.

Operating on bad assumptions about what will work in the OT environment based on IT
experience could lead to production or even safety risks. For example, an IT policy
that requires screen lockout after a period of inactivity could impede an OT operator’s
ability to respond to an upset and will likely be ignored. In this example, physical secu-
rity may be the better solution. It is likely an organization’s IT experts have tools, tech-
niques and knowledge that could improve operations if they can understand the OT
environment and its challenges.

The system integrator lives in both camps. They can speak the language, make the
introductions, find or be the go-between and facilitate co-participation in several
activities to build trust and educate the participants. In short, they know how to
shrink the gap between IT and OT. One way is by working together on activities that
require input from both teams, fostering a mutual understanding between IT and OT
(see Figure 2).

Figure 2: Your system integrator can help facilitate the conversations between IT
and OT. Courtesy: Applied Control Engineering Inc.

Potential activities that can be used to facilitate trust and knowledge include:

Development of requirements: These efforts can focus on the design of an OT
network, the definition of IT/OT interface or the devel-
opment of cybersecurity requirements for control systems. Discussions about risk and
how it drives requirements for backups, network segmentation, workstation hardening,
change control, documentation and auditing can raise the level of awareness and under-
standing for all participants. System integrators live in this world — they can explain to IT
why patching can be difficult or help OT understand how (and why) to harden a worksta-
tion rather than rely on an air gap. It may be best to sit down with IT and OT and discuss
these topics, ensuring each group understands the requirements and pressures the other
faces. We have led a session like this at a major food manufacturer where IT wanted to
move a critical manufacturing server to a remote data center and considered four-hour
response time to be very good. This was not acceptable to the production supervisor.

One thing can lead to another: Setup and maintenance of servers is an area where IT
and OT teams can help each other. The knowledge, techniques and tools of the IT team
can help ensure systems are secure and set up according to best practices. Recently,
at a refinery, we encouraged a controls manager to open conversations up with the
local IT manager about setting up a Windows Server to ensure it was hardened and
secure within the context of the overall network. With that effort complete, the
controls manager realized IT also could help harden the plant floor workstations and
host a backup solution for disaster recovery.

Figure 3: IT and OT working together can help implement a more resilient and secure
network to increase uptime. Courtesy: Applied Control Engineering Inc.

Network and infrastructure design: The plant network creates natural touch points
between IT and OT groups and is another area where these teams and personnel
should and need to work together (see Figure 3). This is obvious when looking at
shared infrastructure such as firewalls and interconnections between networks. It may
be less obvious when designing remote access techniques, authentication methods
and strategies for encryption among other topics. These are areas where technology
more familiar to IT teams can be used to improve the security and resiliency of OT sys-
tems and assets. Recently, at a cogeneration plant, the operations team was seeking
to replace an existing balance of plant (BOP) plant floor network with a modern solu-
tion. A suitable programmable logic controller (PLC) original equipment manufacturer
(OEM) ring topology was designed by the integrator, but only reusing a single existing
upstream connection. Bringing IT into the process allowed them to suggest a design
using existing virtual local area networks (VLANs) and resilient paths to two separate
areas that integrated into their own resiliency architecture. In this case, successful col-
laboration between the teams brought the design above the original requirements.

Response planning: Incident response is a great area for discussion about shared
responsibilities and planning, especially with the recent examples of ransomware shut-
ting down operations. Even if the ransomware does not impact the operations net-
works, there may be actions that need to be taken to isolate the operations networks
or even shut them down. The response to an incident is likely to be an “all-hands-on-
deck” event, so planning the roles, responsibilities and potential actions in advance
as a shared team can be a great way for all participants to understand how their part
impacts the whole. We are doing this with a large steel manufacturer, bringing IT and
OT experts together to improve the incident response and disaster recovery response
to a potential ransomware attack.

Risk assessment: Most in the OT space are starting to recognize control systems are
no longer off-the-grid from threats such as malicious programs and unauthorized ac-
cess. When assessing OT cyber maturity, it is useful to involve IT for several reasons.
IT organizations often have more experience with tools such as NIST’s Cybersecurity
Framework and can help in adapting those tools to the OT space while keeping criteria
and basis for risk tolerance consistent between groups (see Figure 4). When comparing
and presenting assessment results to executives, companies want to make sure the
discussion stays focused on what areas need improvement. Finally, having IT and OT
resources assess each other’s scope should result in significant learning for both
groups. Nothing could be more confusing to senior executives than presenting two
assessments that look nothing alike in terms of results yet represent the same company.

Figure 4: The Cybersecurity Framework can be used as a basis for evaluating OT and IT
assets. Courtesy: Applied Control Engineering Inc.

Cybersecurity testing: Perhaps the best way to help integrate these teams is during
acceptance testing of the control systems, especially the testing of the cybersecuri-
ty requirements. This activity should give the IT team a chance to review what those
requirements are and how to test them using tools they may be very familiar with —
Wireshark, Nessus or even the discovery and penetration tools they choose to bring,
which may be new or unfamiliar to those on the OT side.

Looking ahead
These represent some of the opportunities for tasks and projects that will help facili-
tate understanding between the IT and OT organizations. There is so much knowledge
each of these groups could take from each other and if they are working together, the
solutions they can deliver will lead to more productivity and better security for critical
systems. A system integrator is a key resource for helping bridge the gap and provide
a space that allows the two groups to develop a long-term relationship.

Dirk Sweigart
Dirk Sweigart is the MES solutions manager at Applied Control Engineering Inc. (ACE).
He is responsible for the development and execution of manufacturing execution system
(MES) projects for ACE. He also consults on information security (CISSP) for ACE clients.
He is an experienced IT and systems project manager (PMP) with more than 35 years of
experience planning and leading projects that develop manufacturing and business sys-
tems, lab automation, supervisory control and data acquisition (SCADA), MES and pro-
cess control systems with many diverse manufacturing processes. Sweigart is a member
of MESA (Cybersecurity Working Group), and a senior member of ISA.
Attack surface management: Six steps for success in OT/ICS

Over the past two to three years, enterprises have realized the critical importance
of attack surface management (ASM) to identify, prioritize and minimize the
potential threat vectors in their environment. Besides the general growth in attacker
activity, the largest driver of this need is because organizations’ attack surfaces have
expanded so much in the past five years or so. And those “surfaces” are often un-
mapped and unknown — sort of like the “unknown” parts of the world prior to the
Western explorers’ “discoveries.”

Cloud and software-as-a-service (SaaS) were the initial obvious causes of attack sur-
face expansion — and were what drove the initial push to manage these unknown
dominions.

However, as operational technology (OT) systems — industrial control systems (ICS),
building controls, transportation controls, etc. — become more connected in the drive
for greater efficiency and effectiveness of production, OT and internet of things (IoT)
now become the “new frontier” of the attack surface management challenge. In fact,
according to a 2021 survey of CISOs and senior cybersecurity leaders, the No. 1 chal-
lenge of current ASM initiatives is the identification and management of OT/IoT and
other unknown systems.

Most attack surface management tools and approaches do not understand the techni-
cal complexities and operational requirements of these OT systems. But there is a way
to effectively and efficiently conduct ASM in OT.

What is attack surface management?

Attack surface management is the continuous discovery, collection, assessment, clas-
sification, prioritization, remediation and monitoring of IT/OT/IoT assets. This may
sound like traditional asset inventory or vulnerability management. However, ASM
takes an “attacker” view of the challenge. This approach adds significant value to
more traditional vulnerability management approaches because it helps to prioritize
those risks that are most likely to create a threat from attackers. When done correctly, it
allows an organization to prioritize their most critical exposures — not just based on a
CVE score, but based on the true potential for a critical event from an attacker.

OT attack surface management includes 6 key elements:

1. Discovery: The ability to see all “corners of the world” of your attack surface.
This includes the discovery of unknown assets, unknown connectivity (both actual
flows and potential flows due to misconfigured network devices), software, con-
figurations, users, etc.

2. Assessment: Identifying the risk of an asset based on a 360-degree risk assess-
ment that includes all elements of the discovery — users and account access,
network access, software and hardware vulnerabilities, missing patches, insecure
configurations, etc.

3. Context: This adds an overlay of criticality, usage, owners, etc. to create a risk
profile of the asset as it relates to an attacker’s perspective.

4. Prioritization: This is where ASM truly differs from vulnerability or inventory
management. ASM prioritizes risks based on the attacker’s perspective using the
above information. The eventual result is a risk score that takes into account the
various elements to prioritize actions.

5. Remediation: The consistent hardening of security directed by the prioritization
in the prior step. This includes comprehensive actions such as network protec-
tion, patching, hardening, etc.

6. Maintenance: Perhaps the hardest part of the entire process is the ongoing up-
dating and regular reviewing of threat vectors to identify new risks and continual-
ly update current risks based on the remediation actions taken and new vulnera-
bilities identified.

OT attack surface management challenge

This six-step process sounds easy, but many organizations find difficulties at various
steps along the journey. This is particularly the case for industrial organizations that
have significant OT footprints. Many organizations have discovered that traditional
vulnerability management or threat detection — especially in the OT world — creates
resource burdens that are just not feasible.

In OT, the first challenge is just getting an accurate “map” of the attack surface. The
traditional approach of manual or network-span port inventories just does not provide
an accurate “map of the world,” so to speak. It misses assets, incorrectly identifies vul-
nerabilities and leaves an organization with no ability to immediately take remediating
actions. Further, much of the OT threat detection creates huge volumes of alerts with
little specific attack surface insight to prioritize those alerts.

Courtesy: Verve Industrial

Remediation is challenging because of the age of many systems and the inability to
update those systems, therefore requiring a
more holistic approach to the remediation actions. Finally, most organizations do not
have a true “enterprise” view of their OT surface — the information is often stuck at
the plant level, which makes resourcing and prioritization very challenging.

Recent attacks focused on IT that crossed over into OT systems are an example of
this lack of true visibility. Ransomware is now the No. 1 concern of OT security practi-
tioners, according to the 2021 SANS survey — it wasn’t in the top five two years ago.
That threat vector — coming through the information technology (IT) side and bridg-
ing into OT — is part of a company’s attack surface that is often not seen completely.
Once through that connection, the attack surface within the OT environment usually
has many “dark spots” where light doesn’t shine.

Mandiant’s research shows that 99% of all attacks start with and leverage the IT-type
infrastructure that sits between IT and OT. These connections are often not well under-
stood. In our own research, Verve finds that misconfigured firewalls, dual-NICs bridging
networks, individual programmable logic controllers (PLCs) and other devices connect-
ed directly to the corporate network are present in almost every plant we assess. There
is a lack of view of that surface.

Succeeding in OT ASM
Attack surface management is possible in OT, but it requires a fundamentally different
approach than most organizations or ASM providers take today. There are six key steps
to getting this right:

1. Successful discovery: Capturing endpoint and potential network connections
accurately and comprehensively.

On the IT side of the house, if the team came to the chief information security officer
(CISO) and said the only way to discover the attack surface is to gather manual inven-
tories or observe network traffic, the team wouldn’t last long. IT uses scanning, agents,
discovery tools, as well as manual and network approaches to capture a full picture of
its attack surface. But in OT, because of the sensitivity of these devices, security lead-
ers have been left with less than effective options.
There is an OT-safe and more effective alternative, however. Control systems
engineers interact with their systems every day to program, backup and tune. These
same techniques can be used to discover the full view of the attack surface. Using an
endpoint-focused approach to asset inventory rather than a network approach allows
for a much broader view into all of the corners of the map, but it also allows for a
deeper view of each potential asset. This endpoint approach discovers not only that a
device exists, but also all of its users, accounts, software, patch status, firmware
versions, configuration status, possible (not just actual) network paths, anti-malware
status, etc.

Courtesy: Verve Industrial

2. 360-degree assessment: A platform that allows for a comprehensive risk view.

An effective assessment must include a comprehensive view of the risk to each asset.
That should take into account all of those findings from the complete discovery de-
scribed above. A 360-degree view allows the organization to make appropriate trade-
offs in risk priority.

Courtesy: Verve Industrial

3. Adding important context: Asset criticality and use is key to future
prioritization.

As the above chart shows, a full 360-degree view needs to include important context
about an asset, described as “asset criticality/impact” in the chart. To conduct the next
step of prioritization effectively, the attack surface needs to include robust context
from the criticality of the asset, its use, its network connections to other devices, etc. In
some cases, organizations will have some of this data available from other efforts, such
as disaster recovery analysis. But in others, this context needs to be created from the
data provided based on the connections, software installed, etc.

4. Effective risk prioritization: Don't get overwhelmed by all of the potential risks you see.

One of the biggest challenges in OT security is the number of risks found in many of these environments. In most cases, OT systems aren't patched regularly, older devices run out-of-date firmware, the anti-malware status may not be regularly updated, etc. In most assessments, our platform identifies thousands of critical vulnerabilities. There's no way an organization can get to all of this immediately.

Key to attack surface management in OT is to prioritize the risks to remediate first. These should begin with the risks most likely to be used by an attacker and most likely to have a significant impact on the environment. This means balancing the exploitability of a vulnerability against the extent to which an attack could spread from that asset to critical assets across the environment. The only way to do this effectively is to bring all of the data into a single database across original equipment manufacturer (OEM) systems, endpoint and network risks, operational impact, etc. An effective OT ASM platform needs to enable all of that.

We also would argue that in OT, a key to this prioritization is to pair the database with human analysts who can bring insights from other entities and threat data to help prioritize. This "man and machine" approach offers the most reliable basis for prioritization.
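To make the balance between exploitability and spread concrete, here is an added example (it is not Verve's platform code and is not from the original article) that ranks constructed findings across a five-asset inventory. Each finding's CVSS score, exploit availability and attack vector feed an exploitability weight; the asset's own criticality plus the criticality of everything reachable from it over its possible network paths (the output of the discovery and context steps above) feeds the impact side. Asset names, finding IDs, paths and the scoring weights are all assumptions chosen for illustration.

```python
"""Exploitability x blast-radius ranking of OT findings.

Added example, not Verve's code. All assets, paths, finding IDs and scoring
weights are constructed for illustration. Criticality is the asset-context
value from the 360-degree step; possible network paths come from endpoint
discovery (firewall rules, host routes, engineering-tool configs).
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 (nuisance) .. 5 (safety/production critical)
    exposed_to_it: bool       # reachable from the IT network / DMZ: a likely entry point


@dataclass(frozen=True)
class Finding:
    finding_id: str           # hypothetical internal IDs, not real CVEs
    asset: str
    cvss: float               # CVSS base score, 0..10
    exploit_available: bool   # public exploit or known to be exploited
    remote: bool              # triggerable over the network (False = needs local access)


# Constructed inventory: a historian in the DMZ, an engineering workstation,
# an HMI, a boiler PLC and a print server.
ASSETS = {
    "hist-dmz":   Asset("hist-dmz", 2, exposed_to_it=True),
    "eng-ws":     Asset("eng-ws", 3, exposed_to_it=False),
    "hmi-line1":  Asset("hmi-line1", 4, exposed_to_it=False),
    "plc-boiler": Asset("plc-boiler", 5, exposed_to_it=False),
    "printer":    Asset("printer", 1, exposed_to_it=False),
}

# Possible (not just observed) directed network paths between assets.
PATHS = {
    "hist-dmz": ["eng-ws"],
    "eng-ws": ["plc-boiler", "hmi-line1"],
    "hmi-line1": ["plc-boiler"],
}

# Constructed findings; F-3 is a local-only privilege escalation.
FINDINGS = [
    Finding("F-1", "hist-dmz", 9.8, exploit_available=True, remote=True),
    Finding("F-2", "plc-boiler", 7.5, exploit_available=False, remote=True),
    Finding("F-3", "eng-ws", 7.8, exploit_available=True, remote=False),
    Finding("F-4", "printer", 9.8, exploit_available=True, remote=True),
]


def reachable_criticality(start, assets, paths):
    """Sum the criticality of every asset reachable from `start` over possible paths (BFS)."""
    seen = {start}
    queue = deque([start])
    total = 0
    while queue:
        node = queue.popleft()
        for nxt in paths.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                total += assets[nxt].criticality
                queue.append(nxt)
    return total


def exploitability(finding, asset):
    """Likelihood-style weight: CVSS scaled to 0..1, adjusted for exploit status,
    attack vector and whether the host is a plausible entry point. Weights are assumed."""
    score = finding.cvss / 10.0
    if finding.exploit_available:
        score *= 1.5
    if not finding.remote:
        score *= 0.5
    if asset.exposed_to_it:
        score *= 1.5
    return score


def prioritize(assets, paths, findings):
    """Return (priority, finding_id, asset) tuples, highest priority first.

    priority = exploitability x (own criticality + criticality reachable downstream)
    """
    ranked = []
    for f in findings:
        asset = assets[f.asset]
        impact = asset.criticality + reachable_criticality(f.asset, assets, paths)
        ranked.append((round(exploitability(f, asset) * impact, 2), f.finding_id, f.asset))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for priority, fid, host in prioritize(ASSETS, PATHS, FINDINGS):
        print(f"{priority:6.2f}  {fid}  {host}")
```

Note how the CVSS 9.8 on the print server ranks last while the local-only 7.8 on the engineering workstation ranks second: the workstation has possible paths to the HMI and the boiler PLC, so a foothold there matters far more than the raw score suggests. In practice the weights would be tuned with the human analysts mentioned above, and the inputs would be pulled from the single database rather than embedded as literals.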

5. Rapid and safe remediation management includes MANAGEMENT!

The discovery of a threat is irrelevant if you can't respond to it rapidly and safely in OT. In IT, organizations focus on weekly patch updates, automated resetting of configurations, network access control to refuse connections from unknown assets, etc. In OT, however, many of these solutions can cause an operational impact on the processes you are trying to protect. As a result, many OT solutions to date have focused on detection only: they look for anomalous patterns of network behavior that you may want to address.

An effective OT ASM platform needs to enable both the prioritization of risks and the ability to immediately pivot to remediation in a way that's efficient and safe for the processes. This requires an OT-safe MANAGEMENT platform that allows you to patch, harden configurations, remove unapproved software, remove or limit access for certain accounts or users, create network segmentation, etc. The most efficient way to do this is to integrate it into the ASM platform rather than rely on separate tools or manual efforts to conduct each of these different remediation actions.

The best way to think about this is what we call "Think Global: Act Local." This architecture enables centralized analysis and prioritization of remediation actions but also ensures that when actions are actually executed, they are controlled by those closest to the process, such as distributed control system (DCS) engineers. This balances the need for efficiency and OT safety.

6. Efficient maintenance: Reduce labor requirements by 70-plus%.

The No. 1 challenge of OT security is resource constraints. Industrial operations personnel are already overwhelmed, even before the Great Resignation of the past couple of years. This stress on resources is amplified when you overlay security knowledge on top of this. This is seen in survey results such as the KPMG-CSAI survey of control systems security personnel shown below.

The “Think Global: Act Local” approach above also allows an organization to radically
reduce the costs of maintaining the attack surface. We find that many organizations are
relying on local site personnel to manage their OT security. This is just not a feasible
approach — both for consistency as well as labor efficiency.

John Livingston, CEO, Verve Industrial.

Thank you for visiting the IT/OT Convergence eBook! If you have any questions or feedback about the contents in this eBook, please contact CFE Media at customerservice@cfemedia.com.