Information technology and operational technology are dissimilar in many ways, but the biggest difference lies not in design but in purpose, Dragos CEO and co-founder Robert M. Lee said Tuesday at the Forrester Security & Risk 2022 conference.
“This isn’t about technology convergence, it’s the fact that the operational environment will eventually have to deal with physics,” he said.
Industrial control systems can treat wastewater, generate electricity, or run manufacturing plants. This creates different requirements for each from a security point of view.
IT security focuses primarily on data and systems, while OT security is concerned with systems and physical systems, Lee said. “If you have different impacts, different risks, different threats, and different manifestations of that risk, the security answer is probably a little different.”
He and his colleagues investigated previous attacks on industrial control systems.
While each industry sector is unique and has specific security requirements for the control systems of its infrastructure, there are five key points that are broadly applicable and provide the best value for organizations facing common threats across OT, says Lee.
These are, according to Dragos, the five security controls every OT operator needs.
1. Establish an OT incident response plan
Start with the end in mind. According to Lee, too many organizations don’t think about response until an incident occurs, leaving their architecture, logs, and detections inconsistent.
Consider what details you need to disclose in your Securities and Exchange Commission filings or share with members of your investment team. This will give you an idea of how to structure your architecture, what kind of data you need to collect, and what your organization’s security tools need.
2. Maintain a defensible architecture
Organizations need to ensure that critical control systems can be defended. “There is no such thing as a secure product or a secure architecture, but I like defensible,” he says.
“Until you add human operators or human defenders to that environment, it will not be defended,” he said. “Technology is not the answer…It takes great humans to face the human enemy.”
3. Use network security visibility monitoring
Architectures that were great at one point can atrophy, and organizations can consistently validate their architectures by monitoring security visibility and identifying tactics that need to be detected.
A collection of purpose-built systems requires cybersecurity professionals to understand what is happening with industrial control system protocols. According to Lee, this insight can help organizations determine whether an insider or adversary used one system to manipulate another.
4. Secure remote access
Multi-factor authentication is the most popular way to secure remote access today, but not all systems support it, and MFA may eventually be replaced by something better.
Secure remote access is very important, says Lee.
“Most of the compromises we see in our operations result from third-party access, whether the third party itself is compromised or the access set up facilitates access to that environment,” Lee said.
5. Implement a critical vulnerability management program
“As a CISO, you can’t get away with saying, ‘I don’t care about vulnerabilities,’ even if that’s true,” says Lee.
“There are some vulnerabilities that are important, but not as much as you might think. In the industrial world, we only care about vulnerabilities that actually add new functionality to the environment or help us gain access to the environment,” said Lee.
According to Lee, this represents 4% of all known vulnerabilities annually.
Through its work tracking vulnerabilities, Dragos found that the percentage that could affect industrial control systems remained stable at 4% on an annual basis.
In other words, operations staff can ignore 96% of all known vulnerabilities.