Reinventing OT security for dynamic landscapes

From understanding the challenges of disparate OT protocols and the increasing convergence with IT to grappling with the monumental role of human error, our latest interview with Rohit Bohara, CTO at asvin, delves deep into the landscape of OT security.

As cloud solutions gain prominence and the zero-trust approach becomes more relevant, we also explore how industry standards and passive monitoring strategies shape the future.

Can you comment on the challenge of creating disparate security systems for OT environments considering the variety of OT protocols? How does the difference in standardization between IT and OT systems add to this complexity?

Emerging cyber risk management approaches are leading to increased convergence between OT and IT towards unified end-to-end cybersecurity management for all categories of protocols and environments. Most of the recent OT cyber incidents were triggered and initiated in IT environments (and in some cases, like the highly impactful Colonial Pipeline ransomware attack, were IT cyberattacks that affected OT environments).

All next-generation cybersecurity solutions for all IT and OT environments must be based on the same strong cybersecurity foundation building blocks: strong segmentation, strong digital identities, strong authentication and access control, strong vulnerability management, strong encryption and cryptography, and strong anomaly detection.

How significant is the threat of human error in OT security? What practical steps can organizations take to minimize this risk?

In general, the human factor is the weakest link in the security of systems. According to the “IBM Cyber Security Intelligence Index Report,” human error is the leading cause of cybersecurity breaches and was found to be responsible for 95% of these breaches in 2021. OT security is not untouched by the threat of human error and can result in serious consequences.

A human error could occur from lack of awareness, inadequate training, misinformation, misjudgment or unintentional mistakes. It could have a significant impact on the safety, availability, and, more importantly, security of OT systems. And because OT systems manage and control critical infrastructure processes, even a minute human error could transform into widespread disruptions, downtime, and safety hazards.

Examples of human errors which might lead to a cyber security breach are using public Wi-Fi, creating weak passwords, falling prey to phishing emails, setting the same passwords for multiple systems, not updating software etc. Organizations can take multiple steps to mitigate risks of human errors, such as effective cyber security awareness, adequate training of personnel, effective password policies, clear written procedures, multi-factor authentication, role-based access control, regular security audits, detailed documentation, create security culture.

Cloud-based solutions are becoming more popular in the ICS sector. What security challenges do they present, and how can these be mitigated?

With the advent of IIoT technology, OT systems interact more frequently with IT systems. They could collect sensor data and control physical processes, and now they are connected to cloud-based solutions where they push and pull data constantly, consequently creating cyber physical system (CPS).

The scalability, flexibility, high performance, and functionality to integrate with other cloud-based solutions have given rise to their popularity in the ICS sector. The marriage of ICS and cloud-based solutions has introduced unique attack vectors and security challenges for OT systems. The security challenges include data residency and sovereignty, data breaches on the cloud, identity and access management, men in the middle, compliance with industry-specific regulations and standards, data privacy etc.

Organizations should build an effective access and identity management, data loss prevention, data encryption, continuous monitoring, logging and assessment etc.

In the face of these myriad OT security threats, how effective is the zero-trust approach in securing OT systems?

The zero-trust approach is quite pertinent in the current chaotic security environment for OT systems.

Characteristically, OT systems are diverse and the introduction of IIoT technology has increased the heterogeneity and dynamicity of these systems and networks. Therefore, principles of zero-trust approach, verify identity, assign least privilege, micro-segmentation, continuous monitoring, automated threat management, encryption must be adapted to OT systems to minimize the potential impact of security threats.

Can you discuss how the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and standards such as ISA/IEC-62443 or ISA-99 can aid in addressing OT security threats?

Existing or future regulations at EU or national level have a significant impact especially on the prevention of cyber attacks. The measures required there are intended to make it more difficult for attackers to penetrate systems or to limit the damage that attackers can cause. While ISO 62443 defines the basics of a cyber-secure production environment, the upcoming legal requirements such as NIS2 or the Cyber Resilience Act (CRA) are much more aimed at the security of the software supply chain.

Due to the fact that 2/3 of cyber attacks happen via the supply chain of a company, the EU has now designed much stronger regulations here. These present companies with new challenges in their cybersecurity measures, but at the same time offer significantly greater protection against attacks by cybercriminals. Therefore, tools such as SBOM, update management and context-based risk analysis will be useful and indispensable components of a company’s security architecture in the future.

Finally, considering the highly sensitive nature of the sensors and systems deployed in critical infrastructure environments, what strategies can be employed for establishing passive monitoring and controls within the OT environment?

As it goes “what gets monitored gets improved”. The contribution of an effective passive monitoring and control system to OT security cannot be stressed more. Passive monitoring is the ability to observe network traffic, system behaviors, and anomalies and logging them without actively interfering with the operational processes. The strategies to achieve this include intrusion detection systems (IDS), anomaly detection, deep packet inspection, behavioral profiling, cyber threat intelligence (CTI), security information and event management (SIEM), honeypots, network segmentation etc.