“Stumbling Blocks: How to Steer Clear of These 4 Common Errors in OT Incident Response”

Industrial Control System Security Demands Different Protocols and Objectives Than IT Security

The assumption that training and preparation done for the IT side of a network will extend automatically to operational technology security or industrial control systems (OT/ICS) ignores the differences between the two. While OT security may share commonalities with IT security, it demands different protocols, objectives, analysis, forensics, and security methods.

The Challenge of Incident Response in OT/ICS Security

Organisations need to understand the critical differences between IT and OT environments in order to navigate the gaps and pitfalls that can hamper successful OT/ICS incident response (IR). The following are the areas where organisations most commonly struggle and need assistance during IR simulation assessments:

Shutting Down First, Asking Questions Later

In IT environments, shutting down an infected system to prevent further infection is common practice. In OT/ICS environments, shutting down a system can be far more challenging, because such isolation has severe operational ramifications. For instance, when Colonial Pipeline responded to an attack on its IT systems, it shut down its OT systems to ensure the infection did not spread to the OT networks. Shutting down OT systems for even one minute incurs a high cost of downtime, and bringing them back online takes time. It took Colonial Pipeline five days to restore normal operations on its OT network after paying the ransom.

Stopping the Attack and Starting Remediation Too Early

While security personnel in a security operations center (SOC) are familiar with IT systems, the same personnel rarely possess intimate knowledge of the OT systems. Furthermore, OT equipment can be sensitive to the network traffic that scanning generates, so SOC personnel should wait for input from OT engineers before conducting a vulnerability scan. If they do not, they can quickly overwhelm the equipment and cause it to stop functioning, leading to a massive loss of productivity and the frustrating task of cleaning up the resulting chaos.

Lack of Alignment on Ultimate Responsibility

Often, neither the IT nor the OT team has clearly assigned responsibility for the security of OT systems. IT experts without knowledge of or experience with OT assets pose significant problems, while OT engineers lack cybersecurity expertise; the result is conflicting priorities and no one taking ultimate responsibility for OT security on a day-to-day basis. The primary problem is ownership: IT and OT professionals have no overlap in their roles, and the cybersecurity professionals involved have no knowledge of industrial systems.

Misunderstanding What the Other Side Is Trying to Accomplish

A perfect example of this point is when a SOC sends security reports to OT professionals asking them to patch, fix, or change something in the OT systems. The OT professionals who receive the reports discard them, which leads to conflict and a breakdown in communication between the two sides.

Recommendations to Overcome the Challenges

To overcome the cybersecurity and incident response challenges between IT and OT teams, communication and compromise are critical to building trust. Security professionals should work with OT engineers to find common ground so that the network can be kept secure without hindering OT objectives.

To improve collaboration among the teams, CISOs and security managers can organise structured training programs in which the cybersecurity and incident response teams from the IT and OT disciplines work together on simulated real-life events, encouraging communication and collaboration between them.

Such training would allow the teams to practice detecting, responding to, and remediating cyber incidents on critical infrastructure together, improving their understanding of how to work with each other in real-life scenarios. Ultimately, the goal is to keep the organisation and its people safe from industrial cyberattacks.

Final Words

Cybersecurity incident response in OT/ICS environments must differ from that in IT environments in terms of protocols, objectives, analysis, forensics, and security methods. Organisations need to appreciate the critical nuances between the two in order to navigate the gaps and problems that stand in the way of successful OT/ICS incident response. Collaboration between IT and OT engineers should be proactive and based on a candid exchange of ideas and perspectives.

<< photo by Karolina Grabowska >>