Monday Study: Cyber Security For The U.S. Power System
Architecting the Next Generation for OT Security
December 2021 (Ponemon Institute via DNV)
Executive Summary
This is a time of change and challenges. It’s an era that is both transformative and disruptive, shaped by digital technologies that are improving billions of lives around the world, even as they make us vulnerable in ways we never anticipated.
This digitalisation has been a fact of life for quite some time, but it is also becoming a factor in the operation of critical infrastructure and other industrial environments at an accelerating speed. At the same time, the Operational Technology (OT) systems that monitor and control industrial equipment, assets, processes and events in critical infrastructure are facing more and more threats from increasingly sophisticated malicious actors, including nation states.
In this dynamic environment, it is important to understand the thoughts and concerns that drive organisations to take action to keep their OT domains safe, secure and resilient. Applied Risk has undertaken the research needed to gain that understanding and to take a forward-looking approach to crucial questions about how to architect the next generation of OT Security solutions.
In this document, we present the results of that research, which is based on data collected from IT and OT security practitioners. We use these data to assess current trends in the OT Security space, paying special attention to people-, process-, and technology-related issues, and offer recommendations on responses to these trends. Additionally, we describe current conditions in the OT Security realm and offer insight into the OT Security trends that are likely to emerge over the next two to four years.
This report was based on data compiled by the Ponemon Institute, which acted on Applied Risk’s behalf to survey 1,005 IT and OT security practitioners in the United States (597) and Europe (408). Respondents to the survey were asked to answer questions about how to architect the next generation of OT Security solutions. All respondents have responsibility for securing or overseeing cyber risks in the OT environment and understand how these risks impact the state of cyber security within their organisations. The research was then complemented by input from Applied Risk’s own engagements and assessments as well as analysis from our subject matter experts.
The results of this survey indicate that there are three major factors at work – People, Processes, and Technology. Here’s how they play out in relation to prevailing practices, current conditions, and future directions:
Prevailing Practices
People
• Low OT Security headcount
• Plans for hiring additional staff
• Ownership of OT Security Leadership not adequately defined
• Lack of dedicated OT Security teams
Processes
• Widespread adoption of OT-specific, risk-based standards
• Legislation helps drive adoption of standards
• Lack of incident response plans
• Lack of clarity on third-party and supply-chain security practices
Technology
• Convergence of IT/OT systems important and beneficial
• Adoption of zero trust measures
• Air gaps still in use
• Use of advanced and enabling technologies still lagging behind
• Interest in Security Operations Centres (SOCs) growing
Current Conditions
People
• Rising number of sophisticated nation-state attacks
• Lack of industry-wide governance models
Processes
• Continuity and compliance are key drivers of investments in OT Security
• Gaps remain in risk reduction, incident response, asset identification
• Top source of concern: access management
Technology
• OT networks lack technology that can maximise security
• Systems are isolated and fragmented
• Emerging technologies such as cloud computing are gaining attention
Future Directions – Next 2 to 4 years
People
• Additional hires: OT Security headcount may double in 2-4 years
• Making greater efforts to develop skill pool for OT Security
Processes
• Supply chain audits and introduction of vendor security requirements are likely to increase as supply chain attacks are expected to happen more often
• IT/OT convergence should be part of the solution
Technology
• Adoption of advanced and enabling technologies will be crucial
• Continued reliance on existing technologies
• Security Operations Centres (SOCs) are likely to make an impact
Architecting the Next Generation for OT Security
Maximising safety and minimising unplanned outages are the top operational priorities for the organisations represented in this research. Reducing inefficiencies and minimising operating costs are also high priorities, as is the ability to maintain plant connectivity. Respondents see the convergence of IT and OT systems as one of the primary drivers toward meeting these organisational targets. At the same time, though, they note that attackers are focusing more and more on industrial environments and are quickly developing OT skills – and that this shift has resulted in more sophisticated and clandestine attacks.
The results of the survey indicate that companies are struggling to develop their OT Security maturity at a pace comparable to the speed with which attackers are developing their own skill sets. Meanwhile, the OT landscape is becoming more complex due to IT/OT convergence and to the introduction of Industrial Internet of Things (IIoT) devices, virtualisation, and cloud computing in these environments. The overall sense of the respondents is that they need to do more to ensure that the business benefits of these new technological developments can be realised in a secure manner.
More than half of the respondents believe that their cyber readiness is not at the right level yet and that they are not able to adequately minimise the risk of cyber exploits and breaches in the OT environment. As such, it is clear that there is still work to be done in general and across the board.
The respondents are aware that they need to upskill their staff and that of their service providers and that they need better procedures. But above all, they understand that they will need enabling technologies to accelerate OT Security maturity. In summary, a combination of people-, process-, and technology-centric controls will remain key…
Recommendations
New challenges will require a radical shift in reviewing security strategies and proposing sustainable long term solutions. Moreover, technological developments such as IT-OT convergence and cloud computing have increased the need for enabling OT Security technologies that can help organisations become more secure. As such, Applied Risk recommends that the following actions be taken to help architect the next generation of OT Security.
• IT/OT convergence keeps OT Security decision makers awake at night, but it could also become part of the solution to safeguard the OT domain in the changing environment. Converged IT/OT networks can be secured and monitored by collecting data across systems and using it to identify potential cyber security threats. For example, IIoT sensors are seen as an extra burden on the security team, as they are yet another thing to patch. However, data from IIoT devices could be leveraged to detect intruders into OT systems, turning this non-security-driven investment into a security win.
• To achieve IT/OT convergence and at the same time mitigate cyber security risks, organisations should consider creating cross-functional IT and OT security teams to avoid conflicts created by turf wars or silo issues that could be an obstacle to successful convergence. Establishing a good governance model is key.
• Zero trust is an important concept within the future of OT Security. This concept hinges on the belief that organisations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. It also assumes that the OT domain must be monitored continuously for anomalies and suspicious behaviours.
• This makes concepts like Identity and Access Management (IAM) and Privileged Access Management (PAM) even more important. Access management is most often used to prevent security compromises and is seen as a priority. Fully 65% of respondents say they use two-factor authentication for all privileged services, while 57% say their organisations are developing secure password policies and enforcing them across both IT and OT domains.
• The majority of respondents say the lack of enabling technologies makes it painful to reduce cyber security risks in the OT environment and to keep up with attackers. Although it remains important to meet basic requirements (patching, anti-virus scans, management of changes, etc.), enabling technologies such as automation, machine learning, orchestration, and AI will be needed for rapid detection and response to security exploits and data breaches.
• More effort will be needed to develop the OT Security skill pool. There is a growing demand for professionals with OT Security skills. These do not all need to be OT Security specialists, but OT Security needs to be embedded in the profiles of managers, engineers, operators, procurement specialists, and others. Workforce development will be one of the most important means of achieving this goal.
• In order to respond quickly and effectively to security compromises and data breaches in the OT environment, organisations should have incident response plans that are dedicated to OT cyber security. A strong incident response capability requires a comprehensive response plan that is regularly tested. A response plan greatly reduces the cost of cyber incidents, as it is the key to swift response and sure-footed remediation.
• Supplier assurance is key. Many companies rely on third parties to manage large numbers of (or even all of) the applications, systems and networks in the OT domain. Regular reviews of third parties in the supply chain should be conducted.
• Risk assessments are critical. Organisations should conduct risk assessments on a regular basis to understand the vulnerabilities and risk in their OT environments. They should then analyse and act on the results of these assessments to improve their cyber readiness and to identify the resources necessary to address these risks, as part of continuous improvement processes…
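Two of the recommendations above lend themselves to a concrete illustration: using IIoT telemetry as a detection source rather than only a patching burden, and verifying every privileged connection in the zero-trust sense (trusted source host, multi-factor authentication). The script below is an added example and is not code from Applied Risk, the Ponemon Institute or DNV. The log layouts, the host names, the sensor-to-tag mapping and the 30-second correlation window are all assumptions constructed for this example; the sample log lines are likewise constructed. It correlates a control-command log with IIoT sensor readings and raises an alert when a setpoint write comes from a non-engineering host or a session without MFA, and when a sensor reports a physical change that no logged command explains.

```python
"""Correlating IIoT telemetry with OT command logs to surface suspicious activity.

Added illustration only (not Applied Risk / Ponemon / DNV code). All hosts,
users, tags, log formats and sample lines below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: engineering workstations permitted to write setpoints (hypothetical names).
ENGINEERING_HOSTS = {"ews-01", "ews-02"}

# Constructed control-command log, one line per command:
# timestamp|host|user|mfa|action|tag|value
COMMAND_LOG = """\
2021-12-06T08:00:05|ews-01|alice|yes|write|PUMP1.SETPOINT|60
2021-12-06T08:30:10|ews-02|bob|no|write|PUMP1.SETPOINT|62
2021-12-06T09:15:00|laptop-77|svc_vendor|yes|write|VALVE3.CMD|OPEN
"""

# Constructed IIoT telemetry feed, one line per reading: timestamp|sensor|value
TELEMETRY = """\
2021-12-06T07:59:00|PUMP1.SETPOINT|58
2021-12-06T07:59:00|VALVE3.STATE|CLOSED
2021-12-06T08:00:07|PUMP1.SETPOINT|60
2021-12-06T08:30:12|PUMP1.SETPOINT|62
2021-12-06T09:15:03|VALVE3.STATE|OPEN
2021-12-06T10:42:30|PUMP1.SETPOINT|95
"""

# Constructed mapping from a sensor to the command tag that legitimately drives it.
SENSOR_TO_TAG = {"PUMP1.SETPOINT": "PUMP1.SETPOINT", "VALVE3.STATE": "VALVE3.CMD"}


@dataclass
class Command:
    ts: datetime
    host: str
    user: str
    mfa: bool
    action: str
    tag: str
    value: str


@dataclass
class Reading:
    ts: datetime
    sensor: str
    value: str


def parse_commands(text):
    """Parse the pipe-delimited command log into Command records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, mfa, action, tag, value = line.split("|")
        out.append(Command(datetime.fromisoformat(ts), host, user, mfa == "yes", action, tag, value))
    return out


def parse_telemetry(text):
    """Parse the pipe-delimited sensor feed into Reading records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, value = line.split("|")
        out.append(Reading(datetime.fromisoformat(ts), sensor, value))
    return out


def check_commands(commands):
    """Zero-trust style checks applied to every write, regardless of network location:
    the source must be an approved engineering host and the session must have used MFA."""
    alerts = []
    for c in commands:
        if c.action != "write":
            continue
        if c.host not in ENGINEERING_HOSTS:
            alerts.append(("untrusted_host", c.ts.isoformat(), c.host, c.tag))
        if not c.mfa:
            alerts.append(("no_mfa", c.ts.isoformat(), c.user, c.tag))
    return alerts


def check_unexplained_changes(commands, readings, window=timedelta(seconds=30)):
    """Process-aware check: a sensor value change is expected to follow a logged command
    for its tag within `window`. A change with no such command is flagged, since it
    suggests the process was altered through a path the command log does not see."""
    alerts = []
    last = {}
    for r in readings:
        prev = last.get(r.sensor)
        last[r.sensor] = r.value
        if prev is None or prev == r.value:
            continue  # first observation or no change
        tag = SENSOR_TO_TAG.get(r.sensor, r.sensor)
        explained = any(
            c.tag == tag and c.value == r.value and timedelta(0) <= r.ts - c.ts <= window
            for c in commands
        )
        if not explained:
            alerts.append(("unexplained_change", r.ts.isoformat(), r.sensor, prev, r.value))
    return alerts


def detect(command_text, telemetry_text):
    """Run both checks over raw log text and return the combined alert list."""
    commands = parse_commands(command_text)
    readings = parse_telemetry(telemetry_text)
    return check_commands(commands) + check_unexplained_changes(commands, readings)


if __name__ == "__main__":
    for alert in detect(COMMAND_LOG, TELEMETRY):
        print(alert)
```

On the constructed data the script raises three alerts: bob's write without MFA, the vendor laptop writing a valve command from outside the engineering allowlist, and a pump setpoint jump at 10:42 that no logged command accounts for. The valve opening itself is not flagged as unexplained because a command does account for it; the problem there is who issued it, which is exactly the distinction the two checks are meant to keep separate.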