Small- and medium-size businesses will now have access to free tools to help manage security of their operational technology environments.
Industrial controls systems/OT vendor Dragos unveiled Tuesday at the RSA Conference its OT-Cyber Emergency Readiness Team — or OT-CERT — that delivers to industrial asset owners and operators various resources to help manage risk. The program is being led by Dawn Cappelli, Dragos’s newly appointed OT-CERT director, and former chief information security officer at Rockwell Automation.
“When I was at Rockwell, our third-party risk program traditionally looked at companies with access to our IP or our network,” said Cappelli in an interview with SC Media ahead of the announcement. “Then we saw [other] suppliers, small- and medium-sized, hit with ransomware. We started having to look at the resiliency of our own operations because these suppliers that were being hit could put our operations at risk.”
The security of the SMB market became what Cappelli described as her “hot-button issue,” compelling her to accept the invitation from Dragos to “help safeguard civilization” by focusing on the companies that can’t necessarily afford to buy their products and services.
In addition to a library of OT security guidance, those that register for the service will be able to access in the first month a 14-question cybersecurity maturity self-assessment based on what Cappelli described as “a light version” of the Department of Defense Cybersecurity Maturity Model Certification. They will also have access to a collection of resources focused on asset management: a downloadable asset management template, a training module, and a reference guide. In the second month, registrants will have access to a ransomware tabletop toolkit to run an exercise and identify potential gaps.
More resources will be filtered into the OT-CERT portal each month.
While the tools themselves cater to small- and medium-size businesses, companies of any size can become a member of OT-CERT, with the hope being that large companies and managed service providers can push the offerings to their own supply chain.
“At Rockwell, we started having to turn down some contracts with small manufacturers because they just had no security at all,” Cappelli said. “What killed me as a CISO was having nothing to offer to help. And now we will.”
Dragos also established partnerships with OEMs and organizations that have relationships with SMB markets to help amplify the message and hold workshops that identify best practices within particular verticals. Initial Dragos OT-CERT partners include the National Association of Manufacturers, Emerson, Rockwell Automation, and four Information Sharing and Analysis Centers: E-ISAC (electricity), ONG-ISAC (oil and natural gas), DNG-ISAC (downstream natural gas), and WaterISAC.
Threat intelligence will also play a role in the program. Any vulnerabilities that Dragos researchers discover in OT products will be disclosed within the OT-CERT portal, in coordination with the vendor. Similarly, when Dragos identifies a breach of a small- or medium-size organization — a water utility or power company, for example — the company will work through partners to deliver notifications and access to support services.
“These organizations often don't even have a security program,” Cappelli said. “Imagine getting a phone call and someone says, ‘Hey, I'm from Dragos and I wanted to let you know you've been breached.’”