You need to lock down cyber-physical systems: Here's how and why

Cybersecurity should focus on OT as well as IT

clock • 4 min read
Image credit: Samara Lynn / MES Computing
Image:

Image credit: Samara Lynn / MES Computing

Organisations need visibility into operational technology (OT) as well as information technology, said Gartner analyst Paul Furtado during a keynote speech.

IT environments are interconnected between SaaS apps, cloud and also physical systems. Furtado, speaking at MES IT Security in Indianapolis, focused on the need to lock down physical infrastructure.

Many of the leading security vendors address OT. Palo Alto Networks defines OT security as securing the "hardware and software systems that execute monitoring and/or control over industrial equipment and processes," while Cisco says, "OT security...refers to cybersecurity practices that help to ensure operations continuity, integrity, and safety in industrial networks and critical infrastructures."

Meanwhile, according to Fortinet, "Operational technology is the use of hardware and software to monitor and control physical processes, devices, and infrastructure."

Collectively, the industry determines that these frameworks include SCADA (systems and distributed control systems); Industrial Internet of Things (IIOT) devices, including sensors, monitors, actuators, and other technologies; building management/automation systems; physical access controls, and more. 

"We spend all our time focusing on the IT side," Furtado said. "A lot of the risk is over on the cyber-physical centre, and the bad actors know it. The reality [is] you carry more tech debt on your OT side of the business than you do the IT side of the business."

Furtado spoke about locking down the physical environment, not just IT operations, and the reasons why:

Shared credentials

One thing that happens in OT that we really don't allow on the IT side are shared credentials. Furtado cited an example: "You got three shifts a day. You've got a number of people who come in using the exact same machine. They don't all have a different username and password. They all log in as ‘operator'...so we've got a lot of shared credentials sitting in that environment."  

Remote access

"We have uncontrolled remote access. You know why? Because the folks that are responsible for facilities or plant operations, they signed a contract with Siemens or Honeywell, or Schneider Electric, or whoever, pick your vendor.

"And part of that contract was that they will do maintenance. Part of that maintenance means they just connect in. No control. Direct into that device. What does that mean? What sort of controls [do] we have in there?"

Many of these devices also have a long shelf life, which can be a weakness. "We're not replacing them [and] we're not doing a good job of configuration tracking that we need to do."

Untraditional equipment

Hackers are not going after the traditional things that you might expect, Furtado said. "Now, they get into your HVAC system… They're going to turn off your cooling in your data centre… They've also disabled the alarm, so you don't know. Now you've got a thermal alert on your server.

"By the time you can get to those machines, they're too hot. They're going to shut down. You now have an outage That's why you've got to start caring about these things," he added.

Adhere to the Purdue Model

Furtado said that the Purdue model for industrial control systems (ICS) is a good template for locking down physical systems. He called it a "game plan and model to adhere to." The model refers to securing multiple layers. "Visibility is important. You have to know what you are trying to protect," he said.  Facilities, plant operations and all other physical infrastructure must be part of the security strategy."

Stick to what you need

Resist the temptation to chase shiny new cybersecurity objects, Furtado advised. "We see these vendors are always coming out with this new magic button. How many of us have had the magic button work?  … Make sure that we're using the right tooling [for] your overall security governance to fit the needs of [your] [operational technology] environment."

Create the right security policies and use free resources

Finally, you don't have to always create new security policies, but you should make sure the ones you have in place are all-encompassing. That means, for example, including existing vendors.

SANS, the professional cybersecurity organisation, offers advice on industrial control systems for companies around the world. It also includes manuals and guidance on its site.

Cyber threats are rising, and IT leaders need the latest information to stay ahead of the curve. Join us at the Cybersecurity Festival on 2nd May, where we bring together the most senior and influential voices from security leaders throughout the UK. Click here to secure your free place.

You may also like
Interview: Sharp UK, Security Excellence Awards finalist

Security

'We make technology easy by listening, taking the time to understand our clients, and creating seamless solutions that work'

clock 12 April 2024 • 4 min read
Fortinet addresses critical vulnerability in FortiClientLinux

Threats and Risks

FortiOS, FortiProxy, FortiClientMac and FortiSandbox also patched

clock 12 April 2024 • 3 min read
ICO breaks silence on Bank of America fraud case

Legislation and Regulation

Data regulator has maintained a 'no comment' policy for months

clock 11 April 2024 • 3 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Security

Interview: Sharp UK, Security Excellence Awards finalist

Interview: Sharp UK, Security Excellence Awards finalist

'We make technology easy by listening, taking the time to understand our clients, and creating seamless solutions that work'

Computing Staff
clock 12 April 2024 • 4 min read
Interview: LRQA Nettitude, Security Excellence Awards finalist

Interview: LRQA Nettitude, Security Excellence Awards finalist

'We are the only cybersecurity team in the world with a full suite of CREST accreditations'

Computing Staff
clock 11 April 2024 • 4 min read
Interview: Nationwide Building Society, Security Excellence Awards finalist

Interview: Nationwide Building Society, Security Excellence Awards finalist

'Working hard on cyber and wider operational resilience means that whatever happens we can be increasingly confident of being there for our customers when they need us'

Computing Staff
clock 10 April 2024 • 3 min read