Introduction
Given the sudden rise of cyber risks to OT environments and the increase in newly discovered vulnerabilities and threats to them, Cyber Security and risk management leaders need to address these pressing issues urgently. They should strive to accomplish the following three goals:
Strengthen your organization’s security strategy using a hybrid approach of traditional security technologies and specialist controls to protect OT environments.
Leverage available OT security frameworks and proven practices as a guideline to update Cyber Security strategy, while continuing to look ahead for signs of looming regulations.
Assess the impact that new digital initiatives may have on your current security setup and operations.
Dexcent proposes that all organizations will need to strengthen their cyber infrastructure operations capabilities on two fronts:
Deep insights to Monitoring of Assets and Detection of Threats; and
Administration and Support of the Operational Infrastructure.
We see five key capabilities in each of these two operational services areas. These top 10 capabilities are presented in the next section.
1. Deep Insights to Monitoring of Assets and Detection of Threats
The first four of the following five core capabilities are covered in more detail in another Dexcent blog post, Top Five Challenges and Solutions of Network Monitoring and Anomaly Detection (NMAD) in OT Networking Environments.
1.1. OT Cyber Asset Management
This capability focuses on how to Accurately Visualize the Network and Automatically Track Industrial Cyber Assets. It provides:
Passive Asset Discovery across all levels of the OT control systems network (Purdue model layers 3.5, 3, 2, 1), supplemented with optional smart active discovery techniques where safe and justifiable; and
Asset Information Consolidation across many systems (e.g. OT infrastructure, Network and Security devices, Control Systems).
1.2. Cyber Threat Detection
Rapidly detect cyber threats / risks and process anomalies by:
Integrating various technology insights and threat detection capabilities; and
Supplementing them with AI techniques to detect behaviour that deviates from a learned baseline.
1.3. Monitoring & Insights to Network Activity and Process Data
Monitor network and process data flows with real-time insight and visualization by providing:
Deep Network Insight/Monitoring and proactive Cyber or Process data Threat Detection; and
Monitoring of Control Systems process data flows and deviations from normal.
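As an added illustration of the passive discovery and baseline-deviation ideas in 1.1 to 1.3 (example code, not Dexcent's or any product's), the script below builds an asset inventory from constructed flow records, maps each address to a Purdue layer, and flags new assets, new conversations and layer-skipping traffic relative to a baseline. The subnet-to-layer map and the port-to-protocol table are assumptions for a hypothetical plant.

```python
import ipaddress

# Constructed Purdue-layer subnet map for a hypothetical plant (assumption, not from the page).
PURDUE_SUBNETS = {"1": "10.10.0.0/24",    # basic control: PLCs, RTUs
                  "2": "10.20.0.0/24",    # supervisory: HMI, SCADA servers
                  "3": "10.30.0.0/24",    # site operations: historians, engineering
                  "3.5": "10.35.0.0/24"}  # industrial DMZ
LAYER_ORDER = ["1", "2", "3", "3.5"]
# Well-known ports a passive sensor maps to industrial/IT protocols (assumed table).
PROTO_BY_PORT = {502: "modbus", 44818: "enip", 4840: "opcua", 443: "https"}

def purdue_layer(ip):
    addr = ipaddress.ip_address(ip)
    for layer, net in PURDUE_SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return layer
    return "unknown"

def conversations(flows):
    """Reduce (src, dst, dport) flow records to distinct (src, dst, protocol) triples."""
    return {(s, d, PROTO_BY_PORT.get(p, f"tcp/{p}")) for s, d, p in flows}

def build_inventory(flows):
    """Passive discovery: every address seen in a flow becomes an asset record."""
    inv = {}
    for s, d, proto in conversations(flows):
        for ip in (s, d):
            inv.setdefault(ip, {"layer": purdue_layer(ip), "protocols": set()})
            inv[ip]["protocols"].add(proto)
    return inv

def layer_skip(a, b):
    """True when layers are non-adjacent in the Purdue model or one is unmapped."""
    return a not in LAYER_ORDER or b not in LAYER_ORDER or \
        abs(LAYER_ORDER.index(a) - LAYER_ORDER.index(b)) > 1

def detect_deviations(baseline_flows, observed_flows):
    """Compare observed traffic to the learned baseline; return sorted alert strings."""
    base_inv = build_inventory(baseline_flows)
    alerts = set()
    for s, d, proto in conversations(observed_flows) - conversations(baseline_flows):
        alerts.update(f"new-asset {ip} layer={purdue_layer(ip)}" for ip in (s, d) if ip not in base_inv)
        alerts.add(f"new-conversation {s}->{d} {proto}")
        if layer_skip(purdue_layer(s), purdue_layer(d)):
            alerts.add(f"layer-skip {s}->{d} {proto}")
    return sorted(alerts)

# Constructed flow records (src, dst, dst_port): a learned baseline and a later observation window.
BASELINE = [("10.20.0.5", "10.10.0.11", 502), ("10.20.0.5", "10.10.0.12", 502),
            ("10.30.0.7", "10.20.0.5", 4840), ("10.35.0.2", "10.30.0.7", 443)]
OBSERVED = BASELINE + [("10.20.0.5", "10.10.0.13", 502),   # unknown PLC appears at layer 1
                       ("10.35.0.2", "10.10.0.11", 502)]   # DMZ host polling a PLC directly
```

Running `detect_deviations(BASELINE, OBSERVED)` yields a new-asset alert for the unknown PLC, two new-conversation alerts, and a layer-skip alert for the DMZ host reaching layer 1 directly.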
1.4. Vulnerability Discovery and Risk Assessment
Passive vulnerability discovery and risk assessment that:
Identify all known Cyber Security vulnerabilities for all assets under management; and
Validate vulnerability applicability and risk to the asset, assigning priority for remediation.
1.5. Conformance or Compliance Reviews
Regulatory compliance or internal conformance management by:
Performing asset management and Information consolidation – a key capability to meet expected outcomes; and
Preparing and executing Conformance / Compliance / Audit Readiness Reviews periodically (leveraging selected Cyber Security frameworks or standards, assessment tools or services).
2. Administration and Support of the Operational Infrastructure
This group of capabilities addresses day-to-day operational support and administration services to maintain a healthy OT infrastructure and to manage and respond to changes or incidents in the OT environment.
2.1. Incident Management, Problem Troubleshooting and Resolution
Significantly reduce troubleshooting and Forensic efforts by:
Having deep insights into service interruption or incident information (qualified incident tickets with criticality classification), access to incident event logs, threat analysis and resolution procedures;
Maintaining analysis tools and experienced staff to resolve the issues; and
Performing Incident response activities, coordination, and tracking.
2.2. User Administration and Access Management
Daily User administration, access control management, and help desk support that will:
Support a zero-trust model for all system access and authorization requests;
Enforce segregation of network layers (e.g. Purdue model) with layer-by-layer access control;
Provide monitoring of privileged user access; and
Enable secure remote access and where applicable implement multi-factor authentication.
2.3. Infrastructure Technical Maintenance and Support
This capability addresses Administration, Configuration Change Management (CCM) and Technical Maintenance and Support services that will provide:
Risk management control over all changes;
Vendor support under approved maintenance agreements; and
Timely Software and Firmware level upgrades to maintain platforms within vendor supported maintenance plans.
2.4. Patch Management
Preparing and applying Security Patches to vulnerable systems by:
Developing and documenting comprehensive patch remediation plans;
Validating that the ICS vendor has approved each software or firmware security patch released by software or hardware vendors for use with their ICS products;
Securely obtaining patches from the various vendors and verifying the integrity of the patch files;
Testing patches before deployment to production environments; and
Performing the patch process on targeted systems and reporting (usually a manual interaction is required to reduce risk).
2.5. Data Backup and Recovery
Data Backup and Restoration of critical Systems, providing:
Effective and secure data and system backup across all assets in the OT network (no interference) – using deduplication techniques where possible;
Archives of backup data to off-site locations (or the cloud);
Seamless support for diverse system platforms in the OT network; and
Timely data recovery when needed.
Summary Conclusions
Dexcent, with several years of experience in Industrial Control Systems (ICS) and having successfully delivered several industrial Cyber Security engagements and solutions, has noted that these 10 capabilities, in various states of maturity, are the baseline capabilities to integrate into an organization’s Cyber Security program and to drive the key strategic initiatives for improvement in the annual Cyber Security Roadmap.
Furthermore, we noted that modernizing OT network traffic insight is key to the OT asset discovery, network monitoring, vulnerability management, and threat detection challenges that are common in present-day industrial Operational Technology (OT) environments. In addition, deploying a modern Network Monitoring and Threat Detection solution helps align businesses’ Cyber Security goals and speeds better decision making, operational support and remediation outcomes.
Ask an Expert
WANT TO LEARN MORE ABOUT the “Top Ten OT Cyber Infrastructure Operations Capabilities” and how industrial environments can strengthen their OT Cyber Security posture?
COMPLETE OUR CONTACT FORM and one of our OT experts will contact you shortly. Contact us at sales@dexcent.com, or call us directly at (780) 482 – 4100.