Five Questions to Get You On the Right Path to OT Cybersecurity

Security News | November 13, 2024

Over the last year, companies have improved their IT cybersecurity defenses, and ransomware attacks that reach the stage of encrypting data have begun to decline. However, over the same period, attacks on internet-exposed and poorly secured OT devices have increased. Not only have nation states ramped up their attacks on the West and noticed that OT makes for soft targets, but the line between criminals and nation-state attackers has blurred.

OT turns out to be an effective attack vector even for IT-hardened data centers. These, like many other facilities, rely on power management and air conditioning systems that are soft OT targets.

“The OT environment is a unique place. It has special characteristics and legacies that have resulted in the use of insecure networking protocols. As of July 2024, we had identified and shared over 300 vulnerabilities in third-party OT applications.”
– Microsoft Digital Defense Report 2024

Best practices are known, but far from reality

Your OT organization has probably decided to follow the recommended priorities from Microsoft, IBM, NIST and other leading authorities:
- Protect identities – implement MFA and certificate-based authentication
- Protect endpoints – inventory everything, ensure they are not exposed directly to the internet, microsegment your OT subnetworks, and implement zero-trust network access
- Secure digital assets – ensure data in motion and at rest is encrypted
- Detect and remediate threats – implement active threat detection
- Automate security operations – integrate your security systems and implement sense-and-respond capabilities

But if you are like most OT operations, you are very far from achieving any, let alone all, of these universally across your OT, given that:

- OT has been installed by many vendors over multiple eras
- You have a small team and limited budget

It only takes one breach to greatly exceed your investment in cybersecurity. IBM’s latest data shows the average cost of a data breach in 2024 was $4.88m, up 10%. It is usually about twice that in the United States and in healthcare.
– Cost of a data breach 2024 | IBM

Cyber insurance is not only expensive, but may also refuse to pay out if you cannot demonstrate the “safe harbor” of having implemented best practices.

“Businesses should prioritize such practices as installing software updates and patches, implementing strong password policies, using multi-factor authentication, and training employees in security best practices. If they don’t, they risk invalidating coverage or having claims denied on grounds of negligence.”
– Exclusions in Cyber Insurance Explained | ProWriters

Five Questions

Here are five questions you can ask and answer to get into a better position to take control of your OT cybersecurity and make real progress on your priorities.

1. Identity… How can I know and control who has digital access to my OT systems?

One way or another, you need to build and maintain a comprehensive list of vendors, along with a list of end users from each vendor, whether they are employees or subcontractors.
Managing this information in a spreadsheet is tedious and prone to errors, and mistakes in this process can be extremely risky.

“An attacker who manipulates identity can also manipulate any resource or process that identity is trusted to access, including email, other cloud services, or the on-premises environment.”
– Microsoft Digital Defense Report 2024

The best practice is to implement a unified system that all vendors and their end users must use to access your OT across your entire portfolio: a universal secure remote access gateway. That gateway’s software keeps track of which vendors and which users you have given access to which systems, makes sure they all have and use strong identity verification including multi-factor authentication, and logs everything they do.

“Password-only authentication configurations, exacerbated by archaic expiry and complexity policies, result in more than 99% of identity compromises.”
– Microsoft Digital Defense Report 2024

2. Endpoints… How can I know what OT I have?

Here too, the answer is that you have to maintain an inventory. The challenge of doing this manually is even greater, so great that most organizations are unable to do it with any fidelity.

“On average, an organization’s attack surface has over 300 new services every month. Security and remote access infrastructure represent 49.5% of exposures over the last 12 months.”
– Unit 42 Attack Surface Threat Research

The best practice has two elements: converged network access and digital asset discovery.

The first is to require all connectivity to any OT or IoT to go through your single-per-site gateways. This means requiring vendors to remove connections that your OT organization is not managing, both wired and especially wireless VPN connections to their equipment. All of these alternate points of entry are potential stepping stones for an attack path that leads to serious compromise, whether the particular OT asset is strategic or not.
“93% of our ransomware incident response engagements revealed insufficient controls on privilege access and lateral movement.”
– Microsoft Digital Defense Report 2022

“80% of organizations have attack paths that expose critical assets.”
– Microsoft Digital Defense Report 2024

Note that this does not require you to replace or upgrade all of that OT; that would be too expensive and slow. You are just bringing their connections together into one place. If you have devices that connect over WiFi, then your WiFi network too should reach the internet through your gateway. If you find you have IoT that only works with its LTE connection back to the vendor, you have to ensure that the IoT is connected to your network neither by wire nor over your WiFi, or ensure that any such connections are re-routed to go through your security gateway.

“57% of all IoT devices are vulnerable to attacks of medium- or high-severity. 41% of attacks are exploits of IoT device vulnerabilities, with the largest component of this category originating from scans through network-connected devices.”
– Internet of Things (IoT) Security: Next-Generation Protection – Dgtl Infra

The second is to employ advanced software for regular and ongoing digital asset discovery. Once all OT traffic passes through a central gateway for each site, you can use software utilities and applications that identify everything connected, with a high degree of automation and specificity.

3. Secure digital assets… How do I know if my security vendors are following best practices (zero-trust, MFA, encryption, etc.)?

Ideally, all of your OT vendors hold credentials such as SOC 2 Type 2 and can competently answer vendor security questionnaires such as SIG with evidence. However, that is not a realistic expectation. While you work with your vendors as they build towards these capabilities, you can rely on your OT gateway vendor to protect you and your vendors from cyber attacks.
Therefore, these are essential expectations of your gateway vendor.

First, you want your gateway vendor to hold up-to-date certifications and qualifications of these types:

- SOC 2 Type 2 – ensures the vendor has demonstrated to an independent auditor that they use strong security practices in every aspect of their business, from product development, to data and software encryption, through to hiring and training all personnel.
- ISO/IEC 27001 – ensures the vendor meets rigorous industry standards for information security in all of its operations, as demonstrated to an authorized examiner.
- Penetration testing by a reputable third party – ensures the vendor submits to simulated cyber attacks and remediates any issues on an ongoing basis.
- Organization participation – the vendor should be active in one or more industry organizations for exchanging cybersecurity best practices (such as implementing the zero-trust network architecture standards outlined by NIST), for example the Real Estate Cyber Security forum, among others.

Second, the vendor should be able to respond promptly, and with competent and well-organized evidence, to vendor questionnaires. There are industry-standard questionnaires such as SIG and CAIQ that your vendor should be ready to answer.
– SIG vs. CAIQ: You Can Have Your CAIQ And Eat It Too – Shared Assessments

Many organizations will customize their questionnaire. A high-quality vendor, your OT gateway vendor in this case, will have the answers and evidence that they can present back to you in an organized manner as a result of having maintained the certifications described above.

4. Threats… How do I make sure my OT applications with cloud access are not punching all kinds of new holes in my cybersecurity?

Applications that use OT data hold a lot of promise. These applications include:

- Optimizing energy use with comfort / air quality based on actual and predicted occupancy and weather.
- Identifying and responding to live physical security events, cybersecurity intrusions as they occur, and software and service renewal updates across OT equipment.
- Mapping data from multiple sources into consistent data sets to expose them to AI for improved analytics and simpler automation in the cloud.
- And many more.

Implementing these applications introduces new risks to your OT. The first is that the applications will introduce new vendors with new end users who have remote access to the underlying OT that is generating the data. The second is that the links they use to move data need to be encrypted and protected against man-in-the-middle data intercepts. In both cases, you face the risks of bad actors intercepting your data, using the links as access to find vulnerabilities, and injecting harmful code.

For the new remote access risk, one solution is to give application vendors access only to a common data lake or independent data layer that these applications use. Then you can rely on just one vendor to create the independent data layer, and require all other vendors to use that layer from the cloud and not touch your OT. A robust best-practice solution is to require these new application-vendor end users to use the same remote access gateway with all its controls and visibility. This applies whether one vendor is creating the independent data layer, or many application vendors access the OT data from the OT systems directly.

For the risks of data intercept and code injection coming from the cloud into your systems, you have to implement rigorous network security techniques. To keep it simple, you need to make sure that you can create data tunnels that have authenticated parties on the cloud side of the data transfer and apply strong encryption to the link and data in flight, every time.
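Questions 1 and 4 both come down to checks a gateway can apply to every session before it is allowed through: is the remote user in the vendor register and authorised for that OT system, did they complete MFA, is the cloud-side party authenticated, and is the link strongly encrypted. The Python below is an added illustration of such a per-session audit, not code from the article or from Neeve's product; the vendor register, the session-record fields and the sample sessions are all constructed for this example.

```python
"""Per-session policy audit for an OT gateway. Register, record format and
samples are constructed for this illustration, not any product's real format."""
from dataclasses import dataclass

# Assumed vendor register: vendor -> end user -> OT systems that user may reach.
VENDOR_REGISTER = {"hvac-co": {"alice@hvac-co.example": {"bms-01", "chiller-02"}}}
TRUSTED_PEERS = {"CN=datalake.example"}   # assumed authenticated cloud-side identities
STRONG_TLS = {"TLSv1.2", "TLSv1.3"}

@dataclass
class Session:
    kind: str             # "user" (remote access) or "tunnel" (cloud data link)
    vendor: str = ""
    user: str = ""
    target: str = ""      # OT system the session reaches
    mfa: bool = False     # did the user complete multi-factor authentication?
    peer: str = ""        # authenticated cloud-side identity, "" if none
    tls: str = ""         # negotiated protocol, "" for plaintext

def audit(s: Session) -> list[str]:
    """Return policy findings for one session; an empty list means compliant."""
    findings = []
    if s.kind == "user":
        allowed = VENDOR_REGISTER.get(s.vendor, {}).get(s.user)
        if allowed is None:
            findings.append("user not in vendor register")
        elif s.target not in allowed:
            findings.append(f"user not authorised for {s.target}")
        if not s.mfa:
            findings.append("no MFA")
    else:  # tunnel
        if s.peer not in TRUSTED_PEERS:
            findings.append("cloud peer not authenticated")
        if s.tls not in STRONG_TLS:
            findings.append("link not strongly encrypted")
    return findings

def audit_all(sessions: list[Session]) -> dict[int, list[str]]:
    """Map session index -> findings, keeping only non-compliant sessions."""
    return {i: f for i, s in enumerate(sessions) if (f := audit(s))}

SAMPLE = [  # constructed records, not real gateway output
    Session("user", "hvac-co", "alice@hvac-co.example", "bms-01", mfa=True),
    Session("user", "hvac-co", "alice@hvac-co.example", "lighting-ctl", mfa=True),
    Session("user", "acme", "mallory@acme.example", "bms-01", mfa=False),
    Session("tunnel", peer="CN=datalake.example", tls="TLSv1.3"),
    Session("tunnel", tls="TLSv1.0"),
]
print(audit_all(SAMPLE))
```

Every finding should also be written to the gateway's audit log alongside the allowed sessions, since the article's point is that the gateway logs everything, not only refusals.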
You will also want to restrict the direction of data flows, so that data flows outbound over designated ports, to prevent unwanted traffic coming back down the line. You will find all of these secure tunneling capabilities under the category of SD-WAN solutions. A high-quality OT gateway will include this functionality. You may find it a lot easier to get your SD-WAN secure tunneling as part of the same universal remote access gateway we discussed above. This is especially wise given the small teams and staff shortages that OT teams routinely face. IBM reported this year that more than 50% of organizations report staffing shortages as a major contributing factor to actual cybersecurity breaches, up 26% from last year.
– Cost of a data breach 2024 | IBM

5. Automate… How do I realistically create automation across so many disparate systems?

The experts at IBM who analyzed the data breaches of the last decade say that complexity is the enemy of security. Having a different tool for every system and every application creates enormous complexity, and with it a patchwork of risks that are essentially impossible to understand, let alone control. This article has cataloged the benefits of the best practice of consolidating to one system with one console across all of OT cybersecurity, remote access, and application data tunneling.

“OT monitoring is an essential solution that helps organizations keep a comprehensive inventory of devices (including all information on operating systems, firmware, vendors, and models), assess the potential risk exposure from these devices, and detect any signs of malicious activity in real-time.”
– Microsoft Digital Defense Report 2024

This unified approach is also the key to automation. We have already discussed that a universal gateway enables automation of inventory and enables secure adoption of cloud-based applications.
This same logic extends to all kinds of automation, from simple alerts to pre-programmed sense-and-respond applications including AI. That logic is that putting automation in place through a single, modern, highly secure system that sees all of the remote users, all of the devices, all of the connections, and all of the cloud applications interacting with OT is a manageable project. The alternative path that many OT organizations find themselves on quickly turns into a tangle of systems integration with custom spaghetti code that has to change as all the underlying OT changes. The cost of this approach is so high, and progress so slow, that most OT organizations never get past piloting a small fraction of the available automation and applications.

For additional guidance

Neeve is one of several companies with cybersecurity expertise for OT. We would be very glad to help you take action on these strategies. Neeve’s flagship product is an OT gateway called View Secure Edge.

Neeve is a smarter technology foundation for intelligent buildings, deployed by leading companies around the world. We provide cybersecurity, secure remote and cloud access, edge compute, applications, and cloud management that power the OT journey to the cloud and AI.