Full Report
Robert Lee, the CEO of industrial cybersecurity company Dragos, warns that using IT cybersecurity measures to protect operational... The post Dragos’ Lee urges enhanced IT cybersecurity for safeguarding critical OT infrastructure appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Operational Technology (OT) Cybersecurity Separation and Resilience
## Overview
These practices address the critical need for industrial organizations to differentiate between Information Technology (IT) and Operational Technology (OT) cybersecurity strategies. Applying standard IT security measures to OT environments can increase risk. The focus is on implementing specialized OT security controls, building resilience, and ensuring operational continuity against threats targeting critical infrastructure.
## Key Recommendations
### Immediate Actions
1. **Differentiate IT and OT Security Budgets and Reporting:** Explicitly separate cybersecurity metrics, budget allocations, and reporting functions between the IT and OT security teams to ensure accurate risk assessment and resource prioritization.
2. **Executive Clarification Session:** Conduct an immediate session for the C-suite and Board to articulate the fundamental differences between IT security (data focus) and OT security (safety and availability focus) to eliminate a false sense of security derived solely from IT reporting.
3. **Identify Critical OT Assets:** Inventory all Programmable Logic Controllers (PLCs), Industrial Control Systems (ICS), and other OT assets that directly impact safety, production, and critical infrastructure service delivery (e.g., power, water).
### Short-term Improvements (1-3 months)
1. **Develop Specialized OT Incident Response Plans (ICS IR Plans):** Draft and begin testing incident response playbooks specifically tailored for OT environments, prioritizing system safety and operational continuity over typical IT forensic goals.
2. **Implement OT-Specific Security Controls:** Begin phasing out generic IT security tools that could impact OT operations and start deploying controls validated for use in ICS environments (e.g., specialized network monitoring for ICS protocols).
3. **Establish Foundational Cyber Hygiene for OT:** Focus on fundamental hygiene practices unique to OT systems, such as documenting all connected devices, access methods, and known system vulnerabilities (especially for legacy systems).
### Long-term Strategy (3+ months)
1. **Architect Robust, Segmented OT Networks:** Develop and implement architecture plans to reduce connectivity between IT and OT environments, employing robust segmentation and demilitarized zones (DMZs) to isolate critical control systems.
2. **Integrate Cyber Resilience into Business Continuity:** Embed the ability of OT systems to withstand, adapt to, and quickly recover from cyber incidents directly into overall business continuity and disaster recovery planning.
3. **Establish OT Cybersecurity Governance:** Formalize governance structures where OT cybersecurity decisions are made with input from operations, engineering, and IT, ensuring accountability for the protection of core revenue-producing assets.
## Implementation Guidance
### For Small Organizations
- **Focus on Visibility:** Prioritize implementing passive network monitoring tools capable of understanding OT protocols (like Modbus TCP) without actively scanning or impacting sensitive devices.
- **Vendor Collaboration:** Leverage security assurances and implementation guidance provided by OT vendors (e.g., PLC manufacturers) for asset hardening, as internal resources may be limited.
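The passive-monitoring recommendation above translates into code roughly as follows. This is an added example, not code from the page or from Dragos: it decodes Modbus TCP frames that a SPAN port or tap has already captured, builds an inventory of which servers and unit ids answer which function codes, and raises alerts for write operations from hosts outside an allowlist, exception responses, and malformed frames. It never transmits, so it cannot disturb the devices it observes. All IP addresses, the allowlist and the captured frames are constructed.

```python
"""Passive Modbus TCP monitor for asset inventory and write-operation alerting.

Added example (not from the page or from Dragos). It only parses frames that were
already captured; it never sends a packet. All addresses and frames are constructed.
"""
from dataclasses import dataclass, field
import struct

MODBUS_PORT = 502

# Public Modbus function codes; those in WRITE_CODES change controller state.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers", 43: "Read Device Identification",
}
WRITE_CODES = {5, 6, 15, 16, 23}


@dataclass
class ModbusPdu:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_frame(raw: bytes) -> ModbusPdu:
    """Decode the 7-byte MBAP header plus function code; reject inconsistent frames."""
    if len(raw) < 8:
        raise ValueError("shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto}, expected 0 for Modbus")
    # The length field counts unit id + PDU, so a well-formed frame is 6 + length bytes.
    if len(raw) != 6 + length:
        raise ValueError(f"length field {length} inconsistent with {len(raw)}-byte frame")
    return ModbusPdu(tid, unit, raw[7], raw[8:])


@dataclass
class DeviceRecord:
    """What passive observation reveals about one (server IP, unit id) pair."""
    function_codes: set = field(default_factory=set)
    clients: set = field(default_factory=set)
    write_count: int = 0


def build_inventory(flows, authorized_writers):
    """flows: iterable of (src_ip, src_port, dst_ip, dst_port, raw_frame).

    Returns (inventory keyed by (server_ip, unit_id), list of alert strings).
    """
    inventory = {}
    alerts = []
    for src, sport, dst, dport, raw in flows:
        try:
            pdu = parse_frame(raw)
        except ValueError as exc:
            alerts.append(f"malformed frame {src}->{dst}: {exc}")
            continue
        base_code = pdu.function_code & 0x7F
        name = FUNCTION_NAMES.get(base_code, f"FC {base_code}")
        if sport == MODBUS_PORT:
            # Response from the server: the high bit of the function code marks an exception.
            if pdu.function_code & 0x80:
                code = pdu.payload[0] if pdu.payload else None
                alerts.append(f"exception response {src} unit {pdu.unit_id}: {name} code {code}")
            continue
        if dport != MODBUS_PORT:
            continue  # not a Modbus request; ignore
        rec = inventory.setdefault((dst, pdu.unit_id), DeviceRecord())
        rec.function_codes.add(pdu.function_code)
        rec.clients.add(src)
        if pdu.function_code in WRITE_CODES:
            rec.write_count += 1
            if src not in authorized_writers:
                alerts.append(f"unauthorized write {src}->{dst} unit {pdu.unit_id}: {name}")
    return inventory, alerts


# Constructed capture: an HMI read, an authorized engineering write, a write from an
# unknown host, a PLC exception response, and a frame whose length field is wrong.
SAMPLE_FLOWS = [
    ("10.1.1.10", 40001, "10.1.2.20", 502, bytes.fromhex("00010000000601030000000a")),
    ("10.1.1.11", 40002, "10.1.2.20", 502, bytes.fromhex("0002000000060106001000ff")),
    ("10.1.9.99", 40003, "10.1.2.20", 502, bytes.fromhex("00030000000b0110001000020400010002")),
    ("10.1.2.20", 502, "10.1.1.10", 40001, bytes.fromhex("000100000003018302")),
    ("10.1.1.10", 40004, "10.1.2.20", 502, bytes.fromhex("00040000000901030000000a")),
]
AUTHORIZED_WRITERS = {"10.1.1.11"}  # constructed: the one engineering workstation


if __name__ == "__main__":
    inv, found = build_inventory(SAMPLE_FLOWS, AUTHORIZED_WRITERS)
    for (server, unit), rec in inv.items():
        codes = ", ".join(FUNCTION_NAMES.get(c, str(c)) for c in sorted(rec.function_codes))
        print(f"{server} unit {unit}: clients={sorted(rec.clients)} writes={rec.write_count} [{codes}]")
    for line in found:
        print("ALERT", line)
```

The inventory side answers the "document all connected devices and access methods" item: every client that has ever talked to a PLC, and every function code it used, comes out of observation alone. Feeding real captures in means replacing `SAMPLE_FLOWS` with tuples pulled from a pcap; the parser does not change.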
### For Medium Organizations
- **Pilot Segmentation:** Select one non-critical production line or subsystem to pilot network segmentation between IT and OT to validate architectural changes before wider deployment.
- **Formalize ICS IR Training:** Schedule the first dedicated tabletop exercise focusing exclusively on an OT scenario (e.g., a FrostyGoop-style ICS malware disruption) involving both IT and Operations staff.
### For Large Enterprises
- **Mandate Architecture Review:** Require a formal review of enterprise architecture to enforce the Purdue Model or similar frameworks, ensuring strict demarcation and controlled data paths between enterprise IT and shop-floor OT.
- **State-Actor Threat Modeling:** Incorporate threat modeling specifically focused on advanced persistent threats (APTs) known to target critical infrastructure (e.g., Volt Typhoon methodologies) into the annual risk assessment cycle.
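A way to make the "strict demarcation and controlled data paths" requirement checkable rather than aspirational is to write the zone and conduit model down and audit observed connections against it. The example below is added here and is not from the page or from Dragos: it assigns addresses to Purdue-style zones (enterprise, DMZ, control) by CIDR, allows only an explicit list of conduits, and reports every cross-zone connection that is not on that list, including any that bypass the DMZ. The address plan, conduit list and sample connections are all constructed assumptions.

```python
"""Audit observed connections against a Purdue-style zone and conduit policy.

Added example (not from the page or from Dragos). The address plan and allowed
conduits below are constructed; substitute the site's own.
"""
import ipaddress

ZONES = {  # constructed address plan
    "enterprise": [ipaddress.ip_network("10.0.0.0/16")],
    "dmz": [ipaddress.ip_network("10.50.0.0/24")],
    "control": [ipaddress.ip_network("10.100.0.0/16")],
}

# Allowed conduits as (src_zone, dst_zone, dst_port). Default deny across zones:
# in particular there is no enterprise -> control entry, so every such flow is flagged.
CONDUITS = {
    ("enterprise", "dmz", 443),   # business users read the replicated historian
    ("enterprise", "dmz", 3389),  # administrators reach the jump host
    ("dmz", "control", 502),      # historian collector polls PLCs over Modbus TCP
    ("dmz", "control", 3389),     # jump host to engineering workstation
}


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


def evaluate_flow(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Classify one connection; intra-zone traffic is out of scope for this check."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone and src_zone != "unknown":
        return "allowed-intra-zone"
    if (src_zone, dst_zone, dst_port) in CONDUITS:
        return "allowed-conduit"
    return f"VIOLATION {src_zone}->{dst_zone}:{dst_port}"


def audit(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns one verdict per flow."""
    return [(src, dst, port, evaluate_flow(src, dst, port)) for src, dst, port in flows]


def violations(flows):
    return [f for f in audit(flows) if f[3].startswith("VIOLATION")]


# Constructed sample: two permitted conduits, an intra-zone flow, a direct
# enterprise -> control Modbus connection, control -> enterprise SMB, and a
# connection from an address outside every defined zone.
SAMPLE_CONNECTIONS = [
    ("10.0.5.5", "10.50.0.10", 443),
    ("10.50.0.10", "10.100.3.7", 502),
    ("10.100.3.8", "10.100.3.7", 502),
    ("10.0.5.5", "10.100.3.7", 502),
    ("10.100.3.7", "10.0.9.9", 445),
    ("192.168.1.5", "10.100.3.7", 502),
]


if __name__ == "__main__":
    for src, dst, port, verdict in audit(SAMPLE_CONNECTIONS):
        print(f"{src:>14} -> {dst:<12}:{port:<5} {verdict}")
```

Run against flow records exported from the IT/OT boundary firewall or a NetFlow collector, the violation list is the evidence a review needs: each entry is either a missing conduit definition or a path that segmentation was supposed to close.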
## Configuration Examples
*(The provided context does not contain specific technical configurations like firewall rules or specific hardening settings. If it did, they would be placed here.)*
**Example of Required Documentation (As a prerequisite):**
*Document the specific firmware/software versions running on all accessible PLCs and ICS devices to facilitate targeted patching or compensating controls.*
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF) and SP 800-82:** Focus efforts on the Protect and Detect functions, ensuring controls are tailored for ICS reliability.
- **IEC 62443 Series:** Use the ISA/IEC 62443 standards as the primary framework for defining security requirements in the industrial control system environment.
- **CISA Guidance:** Regularly review and adhere to specific guidance issued by CISA regarding vulnerabilities in critical infrastructure components (e.g., advisories on PLC vulnerabilities).
## Common Pitfalls to Avoid
- **Relying on IT Metrics:** Accepting reports generated solely by IT security tools (like traditional vulnerability scanners) as proof of OT security posture.
- **Active Scanning of OT Networks:** Employing IT-centric active scanning techniques that can crash sensitive, often legacy, OT hardware or cause operational disruption.
- **Ignoring Availability/Safety Goals:** Implementing security measures that achieve confidentiality at the expense of operational availability or physical safety, which are the primary goals of OT security.
## Resources
- **Dragos Threat Intelligence Reports:** Review reports from ICS-focused vendors to understand current threat actors and ICS-specific malware (e.g., FrostyGoop, Pipedream) and their Tactics, Techniques, and Procedures (TTPs).
- **World Economic Forum (WEF) Cybersecurity Outlooks:** Utilize WEF publications for C-suite level understanding of geopolitical threats impacting critical infrastructure cyber resilience.
- **CISA ICS Advisories:** Subscribe to and actively monitor CISA advisories specifically addressing vulnerabilities in Industrial Control Systems.