How CISOs Can Expand Their Security Duties into Industrial Environments
Digital attacks are a top concern for Industrial Control System (ICS) security professionals. In a survey conducted by Dimensional Research, 88 percent of these personnel told Tripwire that they were concerned about the threat of a digital attack. An even greater percentage (93 percent) attributed their concerns to the possibility of an attack producing a shutdown or downtime. Other survey respondents expressed their worry over the quality of production and data exfiltration at 86 percent and 81 percent, respectively.
Clearly, many ICS personnel are worried about the security of their operational technology (OT). That’s especially the case for organizations that are welcoming OT environments into their folds for the first time. In those organizations, the pressure is on for the CISO to extend the organization’s digital security strategy across all of its new industrial assets.
But how does the CISO provide this type of leadership in the face of securing these increasingly complex environments? How can they keep track of their security responsibilities as they expand beyond the enterprise and into industrial environments?
Negotiating Technological Differences and Legacy ICS Equipment
Divij Agarwal, senior product manager at Belden Inc., notes that this process begins by recognizing the advent of the IIoT and IT-OT convergence in which the IT (Enterprise) and OT (Industrial) networks are coming together. As part of that meeting, many industrial networks—especially those in the areas of smart grids, smart factories and smart buildings—are using many new next-gen industrial equipment. But most are still comprised of legacy devices, equipment and networking gear.
According to Agarwal, this state of affairs has everything to do with preserving the availability of those technologies found in OT environments:
That is to say, CISOs need to realize that industrial equipment is different from the types of devices found in IT networks. Agarwal points out that many of the technologies still deployed in organizations’ industrial environments hearken back to the early days of computing and programming. As such, they are generally limited by processing capability both in terms of CPU and memory. CISOs therefore need to keep these resource constraints in mind before subjecting the industrial network to extensive security audits, networks scans and data polls. Otherwise, they could hamper those devices’ normal operations and disrupt larger business functions.
Beyond their limited processing capability, many industrial technologies do not understand the new communication language models and schemes in use by IT, notes Agarwal. A large plethora of equipment still communicates using unsecured protocols such as Telnet, HTTP and TFTP, for example. This fact, when coupled with their outdated software, means these devices cannot be easily upgraded to support new protocols.
“In response, CISOs must ensure they use innovative ways to secure and protect this equipment,” explains Agarwal. “Using Application Layer Firewall to restrict traffic flow to the equipment or using a Protocol Proxy Gateway to translate between an unsecured protocol to a secured one could be some of the options a CISO can rely on make industrial networks more secure and reliable.”
This recommendation highlights the importance of appropriate digital security technology in integrating OT and ICS with their IT systems. Lane Thames, senior security researcher at Tripwire, feels that network visibility in particular— knowing what devices are on the networks, who is using the networks, how vulnerable the devices on the networks are, and so on—is crucial for monitoring this conjunction. As such, he feels that CISOs should consider vendors who have expertise in both the IT and OT domains for their security technology selections.
The CISO’s Role in Bringing People Together
Thames feels there’s more that can help bring IT and OT together than just finding the right technology, however. He explains that people also play a key role:
It’s also up to CISOs to specifically find common ground on security priorities with their organization’s OT counterparts. To do this, CISOs need to first understand where OT security professionals are coming from. They then need to talk to these personnel about what their KPIs are, what challenges they face and what barriers stand in their way.
Kristen Poulos, vice president/general manager at Belden Industrial Cyber Security, couldn’t agree more with this approach:
Welcoming the IT/OT Convergence
As organizations integrate industrial networks into their environments, there is the risk that IT and OT could misunderstand each other’s priorities and war with each other over their lack of shared perspective. To prevent this from happening, CISOs need to grasp the unique needs of IT and OT. Only then can they help these personnel find a way to work together.
Greg Hale, editor/founder at Industrial Safety and Security Source, agrees with this view: