Here’s a five-step security plan for industrial environments

October 20, 2020
Aerial view of a burned-out home destroyed by the Sept. 13, 2018 natural gas explosion in Merrimack Valley, Mass. In today’s columnist, Lesley Carhart of Dragos writes about how many in the cybersecurity community first thought this event was the result of a cyberattack. (NTSB photo, Creative Commons CC PDM 1.0)
  1. Increase communication between OT and IT staff. Ensure that there is routine, honest and constructive dialogue between process operations technology (OT) teams and IT and cybersecurity teams. Process engineers know more about operations than cybersecurity specialists ever will, and vice versa. It is important for them to collaborate.
  2. Evaluate the organization’s industrial processes. At a high level, understand the industrial processes that occur in your organization, the safety and operational concerns that surround them, and the potential consequences of a process or safety device failure.
  3. Understand how OT and IT evaluate risks. Top management should understand that OT personnel typically have different (and valid) health and safety, security, and risk management priorities than IT personnel. An infection or vulnerability might not mean anything if it cannot result in a serious consequence. Conversely, it may be a huge concern if it could cause a life, safety, or production disaster.
  4. Develop an incident response plan that includes both OT and IT. Ensure that documents critical to cybersecurity, such as an incident response plan, asset inventory, collection management plan, and network maps, exist for the operational environment and are tailored appropriately to it with process engineer input.
  5. Determine the most realistic cybersecurity posture. Understand that industrial control systems often consist of complex technical integrations that may limit modern cybersecurity tactics: downtime can cost a lot of money, and systems may require legacy or unpatched components to function safely and remain under warranty. Security teams should therefore also explore compensating mitigations such as passive monitoring, system isolation, data diodes, and access controls.