FM & TECHNOLOGY


it’s incredibly difficult for operations teams to perform the scans that they need to gain visibility of all the flaws that sit within their OT networks. If they don’t know where their vulnerabilities exist, it’s impossible for them to ensure that their most exposed network elements are sufficiently cordoned off. This can leave them feeling like the captain of a submarine hit by a torpedo: without knowing where the breach in their submarine is, all they can do is keep pumping out seawater.


“For those on the operations side, IT intervention is often unwelcomed – any new request from, or process led by, the IT department can feel like a spoke in the wheel.”


This problem is compounded by the poor levels of security baked into the devices themselves. It’s possible that many of the passwords, configuration and security settings on their machines have not been updated since installation – at that time, the need to ensure baseline security measures was not as pressing as it is now. Wherever possible, these risky configurations, like default password usage and easily discoverable and exploitable settings, need to be updated immediately.


The difficulty with securing hybrid IT-OT networks


The initial step to securing hybrid IT-OT networks is to acknowledge that IT and OT are run by two disparate teams with very different skillsets. In many organisations, IT and OT are heavily siloed. While IT teams take charge of cyber risk management, OT environments are typically focused on managing operational risk to maximise availability and reliability. Their objectives are not aligned, their skillsets are not transferable, and neither really understands how to protect the other.


For those on the operations side, IT intervention is often unwelcomed – any new request from, or process led by, the IT department can feel like a spoke in the wheel. While securing OT is increasingly falling under the purview of the CISO, it’s ultimately still operations who are working at the coalface. And they are being hindered by their limited cybersecurity-focused skills: the implementation of a number of cybersecurity fundamentals has yet to gain widespread momentum within OT spaces.


This siloing is mirrored in the make-up of a typical hybrid IT-OT environment. Each network has its own technology stack, teams, terminology and even understanding of risk. To traditional security professionals, a critical severity vulnerability under active exploit in the wild and exposed to a threat origin is a number one priority; to an OT engineer, the importance of the vulnerability may pale in comparison to the need for continuous uptime.


www.tomorrowsfm.com


All of this makes it very difficult for organisations to gain overall IT-OT hybrid network visibility. In an ideal world, we would see the creation of a new role – that of a Hybrid Network Engineer who has the skills needed to straddle both IT and OT networks – but until that happens, work needs to be done to improve foundational levels of security. To avoid attacks on national energy infrastructure, it is imperative that security teams no longer operate with uncertainty about where all of their data and their vulnerabilities exist across their fragmented network.


A new approach is needed


The current approach to cybersecurity that is taken by many energy firms is short-sighted, costly, and inefficient. Before looking at securing the entire hybrid environment, it’s important to first strip back to basics. Operations teams should first look to introduce rule flows, take advantage of dynamic firewalls, improve control access and establish ways to mitigate risk that originates from connected third-party environments. Being in command of each of these areas will give them the confidence to embrace solutions that allow them to identify and mitigate all vulnerabilities within their environment without disrupting uptime.


Further, they need to increase the pace of their scans – many only perform one or two scans a year and then only on the devices that they can take offline. The ability to discover the vulnerabilities that exist within critical OT devices and technology needs to be a prime concern for operations teams.


Only when these core capabilities are achieved will organisations with hybrid IT-OT networks be able to holistically manage risk. At that stage, they must: passively collect data from the networking and security technology within the OT environment; build an offline model encompassing IT and OT to understand connectivity and how risks could impact either environment; use purpose-built sensors to passively discover vulnerabilities in the OT network; incorporate threat intelligence and asset exposure to prioritise OT patches; and leverage the model to identify patch alternatives to mitigate risk when patching isn’t an option.


Time is of the essence


If the energy industry wants to gain the ability to stave off attacks, it needs to rethink its approach to security management. Cybercriminals are taking advantage of the chaos surrounding the COVID-19 crisis, with attacks on pharmaceutical firms, research labs and national infrastructure now becoming commonplace. While much of the world feels like it’s on pause, threat actors are working harder than ever to disrupt operations.


It’s not despite the current climate but because of it that energy companies should feel the impetus to improve their security programs. The time to act is now.


www.skyboxsecurity.com/ TOMORROW’S FM | 29

