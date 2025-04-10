Image: jamesteohart/stock.adobe.com

Dragos highlights common pitfalls that IT cybersecurity professionals should avoid when working with OT staff, and shows how a well-structured OT cybersecurity program can address these challenges.

Even seasoned cybersecurity professionals should be aware of the common stumbling blocks that impede progress in establishing a workable OT cybersecurity program.

The first is a lack of appreciation for the safety focus of OT. OT cyber incidents can cause safety problems, but so can patching or rebooting a running control system, so the risk calculation weighs the risk of intervening against the risk of leaving the flaw in place and differs from the one made in IT.

The second, closely related, is a lack of understanding of OT uptime requirements. Compared with IT systems, availability in OT trumps confidentiality and often even integrity when priorities conflict.

Culture disconnects between OT engineers and IT staff must also be avoided. OT engineers are cut from a different cloth and run on different priorities than IT staff; cybersecurity experts must be willing to learn the lingo and the culture in order to bridge the divide.

Failing to use OT-native capabilities is another common stumbling block. IT tools that have been retrofitted to ‘work’ in OT environments are often unable to offer full visibility into OT systems and processes. More damagingly, many of them introduce an unacceptable amount of downtime or disruption risk to critical industrial control systems.

A north star: SANS 5 critical controls for ICS cybersecurity

A robust OT cybersecurity program focuses on protecting the most vital assets. Although frameworks such as NIST's and ISA/IEC 62443 exist to guide the development of a thorough plan, their breadth can delay the first concrete steps. A Dragos recommendation is to start with the implementation of the SANS 5 Critical Controls for ICS Cybersecurity, which are:

1. An OT-specific, operations-informed incident response plan focused on system integrity and recovery capabilities during an attack.
2. A defensible architecture that supports visibility, log collection, asset identification, segmentation, industrial DMZs and process-communication enforcement.
3. ICS network visibility and monitoring: continuous network security monitoring of the ICS environment using protocol-aware toolsets and system-of-systems interaction analysis capabilities.
4. Secure remote access: identify all remote access points and the destination environments they are allowed to reach, and implement on-demand access and multi-factor authentication (MFA) where possible.
5. Risk-based vulnerability management: understand the cyber-digital controls in place and the operating conditions of each device in order to make risk-based vulnerability management decisions for the OT environment.

Working with the operations team and OT security experts to implement these controls ensures they are actually operational and can handle the key scenarios efficiently. As the program matures, the organisation establishes a risk management framework that allows it to fine-tune its investments and enhance its risk mitigation efforts.

The impact of cyber controls on operational efficiency

It is crucial to recognise that implementing the right cyber controls can also improve operational efficiency and uptime. In production environments, the question “What happened and why?” is asked frequently. Some answers are straightforward, but identifying the root cause of emergent problems often proves challenging. Controls that identify new devices, monitor third-party remote access, and log OT system commands produce a valuable data set. That data can be analysed to understand the events leading up to and following an issue, improving OT network visibility and monitoring.

Preventing production shutdowns and managing risks

The question arises: can we prevent a production shutdown, or, if one is necessary, how do we execute an orderly shutdown? Risk-based vulnerability management offers alternatives to IT-driven device patches that could halt production lines. In the event of an incident, a robust OT-specific incident response plan that accounts for critical processes and safety systems is essential.

Safeguarding critical assets and maintaining vigilance

Protecting critical processes and assets from IoT devices, transient network traffic, or third-party remote access is paramount. This involves creating defensible architectures that segment equipment types and networks. Such strategies lead to more resilient operating environments and minimise disruptions.

Staying vigilant and continuously searching for problems is essential for maintaining operational integrity and safety. This proactive approach helps in early detection and resolution of issues, ensuring the smooth functioning of operations.

Reframing common cyber terms and concepts for ICS/OT

Just like in IT environments, cyber attackers target ICS/OT environments with ransomware. However, the stakes of ransomware against OT organisations and OT assets are higher all the way around, with greater risk to physical safety and to the continuity of critical processes. The 2021 ransomware attack on Colonial Pipeline is a high-profile example: the ransomware compromised IT systems, and the company shut down pipeline operations as a precaution, so OT operations were halted even though the control systems themselves were not the target.

Just as with IT security, network segmentation is a key best practice for limiting the blast radius of attacks against IT or OT assets in industrial organisations. However, the consequences of poor segmentation are much more severe, as an attacker that moves laterally from a foothold made in an IT system to a critical OT system could threaten human safety or the sustainability of the business itself.

Attacks using fileless malware and leveraging existing system utilities and remote administration capabilities to execute commands are favoured not only by advanced IT attackers but also by those targeting ICS/OT systems. In addition to tools that cross the IT/OT boundary, such as PowerShell, Windows Management Instrumentation, and Server Message Block, threat groups targeting OT can also use native ICS protocols for living off the land (LOTL) in ICS environments: a legitimate write or diagnostic command sent over Modbus, DNP3 or a vendor protocol looks like normal engineering traffic unless the monitoring knows which hosts are supposed to be issuing it.
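To make the ICS living-off-the-land point concrete, the following is an added example (not Dragos code and not part of the original article) of the kind of protocol-aware, passive monitoring the SANS visibility control calls for. It parses Modbus/TCP frames as they would be seen from a network tap, and flags writes from hosts that are not authorised to write to a given PLC, disruptive diagnostics requests, previously unseen devices, and malformed frames. The host inventory, writer allow-list and sample frames are constructed for the example.

```python
"""Passive, protocol-aware monitoring of Modbus/TCP (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Modbus function codes that change process state or device behaviour.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAGNOSTICS = 8  # sub-function 0x0001 = "Restart Communications Option"

# Constructed inventory and policy (assumptions for this example): the hosts
# that exist on the cell network, and which of them may write to which PLC.
KNOWN_HOSTS = {"10.1.1.10": "EWS-01", "10.1.1.50": "Historian", "10.1.2.20": "PLC-Line1"}
ALLOWED_WRITERS = {"10.1.2.20": {"10.1.1.10"}}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse MBAP header + PDU. Returns None if the bytes are not well-formed Modbus/TCP."""
    if len(payload) < 8:  # 7-byte MBAP header + at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP request frame (used only to build sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def analyse(flows: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """flows: (src_ip, dst_ip, tcp_payload) triples. Returns alert strings in order."""
    alerts = []
    for src, dst, payload in flows:
        req = parse_modbus_tcp(payload)
        if req is None:
            alerts.append(f"MALFORMED {src}->{dst}: not valid Modbus/TCP")
            continue
        if src not in KNOWN_HOSTS:
            alerts.append(f"NEW-DEVICE {src} talking Modbus to {dst} (fc={req.function})")
        # LOTL case: a known host using a legitimate protocol for an action it is not allowed to take.
        if req.function in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS.get(dst, set()):
            alerts.append(f"UNAUTHORISED-WRITE {src}->{dst} unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]}")
        if req.function == DIAGNOSTICS and req.data[:2] == b"\x00\x01":
            alerts.append(f"DISRUPTIVE {src}->{dst}: Diagnostics sub-function 0x0001 (restart communications)")
    return alerts


# Constructed sample traffic, as it might be reassembled from a SPAN port.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", build_frame(1, 1, 6, b"\x00\x10\x00\x01")),              # EWS write: permitted
    ("10.1.1.50", "10.1.2.20", build_frame(2, 1, 3, b"\x00\x00\x00\x0a")),              # historian read: normal
    ("10.1.1.50", "10.1.2.20", build_frame(3, 1, 16, b"\x00\x10\x00\x01\x02\x00\x00")),  # historian WRITE: not allowed
    ("10.1.1.77", "10.1.2.20", build_frame(4, 1, 8, b"\x00\x01\x00\x00")),              # unknown host, restart comms
    ("10.1.1.50", "10.1.2.20", b"\x00\x05\x00\x00\x00"),                                # truncated frame
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(alert)
```

The read from the historian produces nothing, the permitted write from the engineering workstation produces nothing, and only the deviations from the expected conversation pattern are raised. In a real deployment the inventory and allow-list would come from asset discovery and the engineering team rather than a dictionary, and the frames from mirrored traffic, which is the passive approach the article contrasts with active scanning.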

The CERT Coordination Center’s (CERT/CC) now, next, never methodology, used within the Dragos Platform, is a way of prioritising patching and vulnerability remediation. It is especially important for OT assets, where patching can sometimes be riskier than leaving a flaw in place and mitigating it in some other way.

As US Securities and Exchange Commission cybersecurity risk management rules tighten reporting timeframes for cyber incidents, whether in IT or OT networks, and other regulatory directives raise expectations for OT cyber response preparedness, organisations increasingly see a need to rehearse their OT incident response procedures through OT cyber tabletop exercises.

Managing vulnerabilities in OT environments is a different affair than in IT because the tools, the methods for mitigation, and the risks, especially in the physical realm, are all unique to OT. For example, the highest-risk OT flaws are those that can cause loss of view or loss of control in ICS. On top of that, OT systems often run continuously, with months or years before a maintenance window allows for patches. This makes creative mitigations, such as blocking the vulnerable service at a zone boundary or adding detection for its exploitation, crucial.
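As an added example, not from the article and not the Dragos or CERT/CC definition of the buckets, the triage function below sorts constructed vulnerability records into now, next and never using criteria assumed for this illustration (whether exploitation causes loss of view or control, whether it is network-exploitable, whether it is exploited in the wild, and how exposed the asset is), and pairs each bucket with an action that prefers a compensating control when the asset's next maintenance window is far away. The identifiers are placeholders, not real CVEs.

```python
"""Now/next/never triage for OT vulnerabilities (added example; criteria are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OTVulnerability:
    ident: str                       # placeholder identifier, not a real CVE
    loss_of_view_or_control: bool    # can exploitation blind operators or take control of the process?
    network_exploitable: bool        # reachable over the network, vs. needs local or physical access
    exploited_in_wild: bool          # known exploitation or public exploit code
    exposure: str                    # "perimeter", "control-zone" or "isolated"
    compensating_control: Optional[str] = None  # e.g. a firewall rule already blocking the service


@dataclass
class Asset:
    name: str
    days_to_maintenance_window: int  # how long before it can safely be patched and restarted


def triage(v: OTVulnerability, asset: Asset) -> Tuple[str, str]:
    """Return (bucket, action). The thresholds and rules here are this example's assumptions."""
    # NEVER: no effect on view or control, or only reachable with physical/local access to an
    # isolated device. Record it; do not spend a maintenance window on it.
    if not v.loss_of_view_or_control or (v.exposure == "isolated" and not v.network_exploitable):
        return "never", f"document {v.ident} on {asset.name}; track, no remediation scheduled"

    # NOW: can disrupt the process and is reachable by an attacker today.
    urgent = v.network_exploitable and (v.exploited_in_wild or v.exposure == "perimeter")
    if urgent:
        if v.compensating_control:
            return "now", (f"verify {v.compensating_control} is enforced on {asset.name}; "
                           f"patch at the next window in {asset.days_to_maintenance_window} days")
        if asset.days_to_maintenance_window > 30:
            # Patching would mean an unplanned outage: mitigate instead, patch later.
            return "now", (f"apply a compensating control for {v.ident} on {asset.name} (restrict the "
                           "vulnerable service at the zone boundary, add detection); emergency patch "
                           "only if operations can safely stop the process")
        return "now", f"patch {asset.name} in the upcoming window; restrict access until then"

    # NEXT: disruptive if exploited, but not yet exposed or exploited. Mitigate and schedule.
    return "next", (f"mitigate {v.ident} on {asset.name} with segmentation and monitoring; schedule the "
                    f"patch for the window in {asset.days_to_maintenance_window} days")


def triage_all(pairs: List[Tuple[OTVulnerability, Asset]]) -> List[Tuple[str, str, str]]:
    """Return (ident, bucket, action) for each record, in input order."""
    return [(v.ident, *triage(v, a)) for v, a in pairs]


# Constructed records for the example.
HMI = Asset("HMI-Line1", days_to_maintenance_window=90)
PLC = Asset("PLC-Line1", days_to_maintenance_window=400)
HISTORIAN = Asset("Historian", days_to_maintenance_window=14)

SAMPLE = [
    (OTVulnerability("VULN-A", True, True, True, "perimeter"), HMI),       # exploited, internet-facing HMI
    (OTVulnerability("VULN-B", True, True, False, "control-zone"), PLC),   # serious, but inside the cell
    (OTVulnerability("VULN-C", False, True, True, "control-zone"), HISTORIAN),  # no process impact
    (OTVulnerability("VULN-D", True, False, False, "isolated"), PLC),      # needs physical access
]

if __name__ == "__main__":
    for ident, bucket, action in triage_all(SAMPLE):
        print(f"{ident}: {bucket.upper():5} {action}")
```

The point the code makes that the prose cannot is the branch for the exposed HMI: it lands in "now" yet the action is a compensating control, because its maintenance window is 90 days away and an unplanned patch would itself be an outage. A real program would replace the boolean inputs with the asset inventory and the vendor's advisory data, and the thresholds with ones agreed with operations.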

As zero trust and micro-segmentation grow in importance for IT network security, many cybersecurity professionals wonder whether they can transfer the same principles to OT networks. Because of the unique demands and operational realities of ICS networks, organisations cannot take a cookie-cutter approach to OT zero trust. MFA remains crucial, but measures such as active monitoring, and the way zones and conduits are designed, will differ.

IT-style active scanning for asset discovery and vulnerability management is frequently problematic for OT systems: probing a controller can crash it or disturb its timing, with operational and compliance ramifications for industrial processes. This is why OT-native cybersecurity tooling places a heavy emphasis on well-designed passive monitoring, which analyses mirrored traffic rather than sending packets to the devices.

Just like IT environments, Internet of Things (IoT) devices are pervasive in OT settings. Industrial Internet of Things (IIoT) devices are commonly used for sensors that can help measure and optimise operational processes. The Dragos Platform extends its coverage to IoT and IIoT devices when they are used in OT processes and systems.