Securing industrial networks: the essential IT/OT relationship
In the animal kingdom, there is a history of working together for a common interest. For example, some coyotes and badgers team up while hunting. If the prey runs, the coyote takes the lead. If the target dives underground, the badger takes over.
IT and OT should learn from this, because they share a common enemy: cyberattacks targeting industrial networks that connect Internet of Things (IoT) sensors and industrial control systems (ICS). Those systems include everything that makes industrial operations safe and efficient: control valves, boilers, breakers, motors, robots, etc.
I'll argue that, unlike the coyote-badger partnership, which is helpful but not essential, IT-OT collaboration is mandatory for securing industrial networks. Without a partnership with OT, IT will fail.
Why IT can't do it alone
Here's an example. A network is carrying a message modifying a controller configuration. The message might be legitimate. Then again, it could be an attack intended to raise boiler temperature to dangerous levels, open a valve to release toxic chemicals into the environment, or cause a robot to go berserk.
To respond appropriately, IT requires information from OT. What signs indicate maliciously modified configurations? If the message snuck through, should the assets be quarantined? Is there a safer way to contain the attack without putting the rest of the process at risk?
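The controller-configuration message above, worked through as an added example (not code from the original post or from Cisco). It parses Modbus/TCP write requests, the kind of message that changes a setpoint on a PLC, and classifies them using context that only OT can supply: which hosts are allowed to write, and the safe value band for each register. The boiler, its register map, the host addresses and the frames are all constructed for illustration.

```python
"""Added example: classify Modbus/TCP register writes with OT-supplied context.
Everything below (boiler register map, hosts, frames) is constructed, not from a real plant."""
import struct
from dataclasses import dataclass

# Modbus/TCP frame = MBAP header (transaction id, protocol id, length, unit id) + PDU.
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class WriteRequest:
    src_ip: str
    unit_id: int
    address: int
    values: tuple


def parse_modbus_write(src_ip, frame):
    """Return a WriteRequest if the frame is a Modbus/TCP register write, else None."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None                      # not Modbus/TCP, or a truncated frame
    pdu = frame[7:]
    fc = pdu[0]
    if fc == WRITE_SINGLE_REGISTER and len(pdu) == 5:
        addr, val = struct.unpack(">HH", pdu[1:5])
        return WriteRequest(src_ip, unit, addr, (val,))
    if fc == WRITE_MULTIPLE_REGISTERS and len(pdu) >= 6:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            return None                  # malformed: byte count disagrees with quantity
        vals = struct.unpack(">%dH" % qty, pdu[6:6 + nbytes])
        return WriteRequest(src_ip, unit, addr, vals)
    return None                          # reads and other function codes are not writes


# OT-supplied context (constructed). Without it, IT can only say "a write occurred".
OT_POLICY = {
    "writers": {"10.10.1.20"},                 # the engineering workstation
    "safe_ranges": {(1, 0): (150, 210)},       # (unit, register) -> boiler setpoint band, degrees C
}


def classify(req, policy=OT_POLICY):
    """Return a list of findings; an empty list means the write looks legitimate."""
    findings = []
    if req.src_ip not in policy["writers"]:
        findings.append("write from host not authorized by OT: %s" % req.src_ip)
    for i, val in enumerate(req.values):
        key = (req.unit_id, req.address + i)
        band = policy["safe_ranges"].get(key)
        if band is None:
            findings.append("write to register %d with no OT-defined safe range" % key[1])
        elif not band[0] <= val <= band[1]:
            findings.append("value %d outside safe range %s for register %d" % (val, band, key[1]))
    return findings


def build_write_single(tid, unit, addr, val):
    """Build a Modbus/TCP write-single-register frame for the constructed samples."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, addr, val)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Same function code, same register in every sample; only OT context tells them apart.
SAMPLES = [
    ("10.10.1.20", build_write_single(1, 1, 0, 180)),   # legitimate setpoint change
    ("10.10.1.20", build_write_single(2, 1, 0, 400)),   # authorized host, dangerous value
    ("10.10.9.77", build_write_single(3, 1, 0, 180)),   # unknown host, plausible value
]


def run_samples(samples=SAMPLES):
    """Classify each sample; non-writes are reported as such rather than judged."""
    results = []
    for src, frame in samples:
        req = parse_modbus_write(src, frame)
        results.append(classify(req) if req else ["not a write"])
    return results


if __name__ == "__main__":
    for (src, _), findings in zip(SAMPLES, run_samples()):
        print(src, "->", findings or ["ok"])
```

The second and third samples are byte-for-byte the same kind of message as the first. An IT-only view sees three writes to the same register; the safe range and the writer allowlist, which come from the people who run the boiler, are what turn two of them into alerts.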
Making the case to OT
Many OT teams hang a "keep out" sign on their network, so be prepared to make a case for collaboration. Fortunately, you can offer a powerful incentive: the asset inventory and process knowledge that IT needs will also help OT maximize production output, uptime, and safety.
The strategy can be summed up as "identify to protect, then detect." Both IT and OT generally find it agreeable: NIST describes it in the Framework for Improving Critical Infrastructure Cybersecurity, and the International Society of Automation (ISA) recommends it in ISA99/IEC 62443.
A Framework for Collaboration
The first step is “identify to protect.” If you don’t know what’s connected to the network, you’ll operate in the dark. Start by building a complete inventory of everything connected to the industrial network, noting how critical each asset is to the business.
Solutions such as Cisco Cyber Vision simplify the discovery process by building an automated asset inventory that identifies the makes and models of devices, the software installed on them, and the other details needed to assess each asset's vulnerability. It also builds a real-time view of the industrial network so that communication patterns can be understood.
This picture allows operations engineers to get a clear view of how their industrial network operates, better plan for safety and production continuity and work together with IT teams to document critical business processes with their associated devices.
Next, IT and OT can work together to group assets into zones and conduits (the IEC 62443 terms for groups of assets that share security requirements and the controlled communication paths between them) so that an attack in one zone cannot spread to the rest. Industrial firewalls such as the Cisco Secure Firewall meet OT requirements: they are built for deployment in the harshest industrial environments and offer wide support for industrial control protocols.
Cisco Cyber Vision also lets OT teams easily group assets into zones, giving IT the context it needs to build and enforce security policies via micro-segmentation, using solutions such as Cisco Identity Services Engine, or ISE.
Now that the industrial network is well documented and segmented, you can focus threat detection on what matters. When Cyber Vision detects process anomalies, it alerts both the IT and OT teams. IT responds by investigating and mitigating the attack, and OT responds by making adjustments to keep production going. As a side benefit, Cyber Vision gives OT the operational insights to improve production efficiency.
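The three steps above (inventory, zones and conduits, focused detection), carried through as one added example that is not code from the original post or from any Cisco product. It checks constructed flow records against an IEC 62443-style zone-and-conduit model: the inventory and zone assignments stand in for what OT supplies, the conduits are the only permitted inter-zone paths, and violations are ranked by the criticality of the targeted asset so the SOC sees what matters first. All addresses, zones, conduits and flows are made up for illustration.

```python
"""Added example: audit observed flows against a zone-and-conduit model.
Inventory, zones, conduits and flow records are constructed, not from a real plant."""
from dataclasses import dataclass

# Step 1, identify: inventory built with OT (constructed): ip -> (role, zone, criticality).
INVENTORY = {
    "10.10.1.20": ("engineering workstation", "eng", "high"),
    "10.10.2.10": ("boiler PLC", "boiler", "high"),
    "10.10.2.11": ("HMI", "boiler", "medium"),
    "10.10.3.30": ("historian", "dmz", "low"),
}

# Step 2, protect: conduits are the only permitted inter-zone paths (constructed).
# (from_zone, to_zone) -> set of allowed (protocol, destination port).
CONDUITS = {
    ("eng", "boiler"): {("tcp", 502)},    # workstation may program the PLC over Modbus/TCP
    ("dmz", "boiler"): {("tcp", 502)},    # historian may poll the PLC
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def check_flow(flow, inventory=INVENTORY, conduits=CONDUITS):
    """Return (severity, reason) for a violating flow, or None if it is permitted."""
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        # A device the inventory does not know: step 1 is incomplete or something new appeared.
        unknown = flow.src if src is None else flow.dst
        return ("high", "unknown asset %s" % unknown)
    src_zone, dst_zone = src[1], dst[1]
    if src_zone == dst_zone:
        return None                      # intra-zone traffic is governed by the zone, not a conduit
    allowed = conduits.get((src_zone, dst_zone), set())
    if (flow.proto, flow.dport) in allowed:
        return None
    severity = dst[2]                    # priority follows the criticality of the target
    if not allowed:
        return (severity, "no conduit from zone %s to zone %s" % (src_zone, dst_zone))
    return (severity, "%s/%d not permitted on conduit %s->%s"
            % (flow.proto, flow.dport, src_zone, dst_zone))


def audit(flows):
    """Step 3, detect: return (flow, finding) pairs, highest-criticality targets first."""
    hits = []
    for flow in flows:
        finding = check_flow(flow)
        if finding is not None:
            hits.append((flow, finding))
    return sorted(hits, key=lambda fv: SEVERITY_ORDER[fv[1][0]])


# Constructed flow records, as a passive monitor would summarize them.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.2.10", "tcp", 502),   # permitted conduit
    Flow("10.10.2.11", "10.10.2.10", "tcp", 502),   # same zone
    Flow("10.10.3.30", "10.10.2.10", "tcp", 502),   # historian polling PLC, permitted
    Flow("10.10.3.30", "10.10.2.10", "tcp", 22),    # SSH from DMZ into the boiler zone
    Flow("10.10.1.20", "10.10.3.30", "tcp", 443),   # eng -> dmz: no conduit defined
    Flow("10.10.9.77", "10.10.2.10", "tcp", 502),   # device not in the inventory
]


if __name__ == "__main__":
    for flow, (severity, reason) in audit(SAMPLE_FLOWS):
        print("[%s] %s -> %s %s/%d: %s" % (severity, flow.src, flow.dst,
                                          flow.proto, flow.dport, reason))
```

The same conduit table is what IT would turn into firewall or micro-segmentation policy, and the same flow records are what OT sees as process communication; the model only works when both agree on which zones exist and which paths between them are legitimate.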
The Security Operations Center (SOC), however, can be overwhelmed with information. Investigating an abnormal behavior or a suspicious observable on the industrial network should be quick and easy. Platforms such as Cisco SecureX let you automatically search on a variety of observables detected by Cyber Vision or the ISA 3000. SecureX aggregates information from all your security tools, Cisco or otherwise, so that security analysts can immediately see whether the industrial asset has been compromised.
OT shares its knowledge of connected devices and industrial processes, and IT applies its cybersecurity expertise to detect and mitigate threats. Neither team can succeed without the other.
To learn more about how this collaborative workflow will enable you to build a converged IT/OT security strategy, I invite you to check out this white paper.