Cyber security controls
As information technology (IT) and operational technology (OT) teams converge, industrial operations must create better cyber security plans and strategies to address modern threats.
The teams responsible for securing IT and OT technology in organizations have been able to operate so far without much interaction because the systems and software they supported were unique and isolated.
Cyber security in IT and OT
All that began to change just over a decade ago, when the IT and OT worlds began to converge. This trend is a consequence of the digital transformation and exchange technologies that push companies of all sizes, including those in the industrial sector, to digitize their infrastructure.
This often involves exposing previously isolated systems (think of a device with a Windows-based man / machine interface found on an OT network), to the broad public Internet. “IT systems are increasingly showing up in the OT environment,” said Ted Gary, senior manager of Product Marketing for Tenable.
This convergence of two important and completely different disciplines has given rise to a growing concern for cybersecurity, since manufacturing equipment and applications that were previously isolated are now exposed to the same types of attacks that have plagued hardware and software. of IT for years.
At the same time, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) have become the target of advanced persistent threat groups (APT) in cyber espionage.
Cyber security Represent CISOs
The threats to industrial systems represent a great and growing challenge for CISOs. Having responsibility for the overall security of the company, CISOs must find a way to close the gap between IT and OT and it is not an easy task, Gary said.
As the number of OT devices that add to the corporate LAN increases, the attack surface expands. At the same time, since the IT department is usually responsible for technology and business networks, there is some concern about who can handle issues such as patches on OT systems, as many cannot easily be patched. Without interrupting your operation.
The Center for Internet Security (CIS) offers six basic security controls. Gary recommends using these controls to companies to form the basis of a cybersecurity strategy and thus address the convergence between IT and OT.
These basic security controls are:
- Inventory and control of hardware assets.
- Inventory and control of software assets.
- Continuous vulnerability management.
- Controlled use of administrative privileges.
- Secure hardware and software equipment configurations.
- Maintenance, monitoring and analysis of audit records.
While starting with basic security controls can help companies begin the process of closing the gaps between IT and OT, as well as improve cyber hygiene in general, there are still other important obstacles to overcome.
in a survey conducted in November 2016 by Tenable, and the Center for Information Security, organizations face the challenge of lack of trained personnel, lack of budget, lack of defined priorities and lack of administrative support Among other issues. So what can the CISO do to face these challenges?
This is where soft skills come into play. For example, Gary urged the CISO and other security leaders to work to improve communications to close the gap between IT and OT. This can be as simple as establishing informal “lunch and learning” sessions between IT and OT during which the two groups can find topics of common interest and agree on a unified strategy. Such conversations can start the way to ensure the convergence of IT and OT of companies.