Operational technology systems require the same fundamental IT systems management functions that enable security and reliability but with a specific approach that applies to the unique characteristics of OT systems and the processes they manage.
OT assets like HMIs, servers, programmable logic controllers, relays, and other intelligent electronic devices often are excluded from a company's IT systems management approach for a variety of reasons – from organizational boundaries, to lack of IT tools in OT, to a lack of IT personnel training on OT systems.
As a result, in many organizations, OT systems are not inventoried, patched, updated or protected with the latest anti-virus signatures or otherwise managed for security and reliability. These systems face risks of cyberattack that lead to major disasters if not addressed.
In every significant incident review, analysts call for ensuring up-to-date patches and backups, application whitelisting deployment, proper access controls and passwords. All of these are components of a robust systems management program commonly found in IT, but lacking in OT.
That’s why it is essential your organization embraces a new discipline for the management of OT assets through establishing specific policies and procedures, workforce development, automation and new mindsets about what is possible in OT.
ESTABLISH OT CYBER-SPECIFIC POLICIES AND PROCEDURES
The first step is to establish policies and procedures that match your company’s specific OT environment.
In many organizations, current procedures, policies and service agreements to manage IT systems don’t extend to the OT environment. For instance, IT standards for patching are not applicable to all OT devices, but no alternative standard exists. Or, password policies cannot apply to all OT devices, so in many cases, passwords are not managed at all.
Start by building new OT approaches on top of your existing IT policies and procedures, adding to them OT-customized targets, procedural steps and audits. This requires you to understand a system’s ability to deploy compensating controls and the technical feasibility of different policies on each system. That means OT and IT works together to define OT standards that address what you can do, not just what you cannot do in OT.
New processes are essential. Without them, you won’t be able to establish a consistent baseline for security and reliability needed for OT systems management (OTSM) to succeed.
INVEST IN OTSM-SPECIFIC WORKFORCE DEVELOPMENT
It’s essential that organizations develop OTSM-specific capabilities centrally as well as locally.
OTSM requires an organization to plan globally, but act locally, by having OT knowledge centralized for consolidated analysis/planning and trained local staff to manage systems as needed.
In IT, most systems management functions are centralized and done remotely, and with growth in the cloud, this is even more true. But with OT, systems management requires local resources or at least local oversight of patching to change configuration settings to incident response, which could take a plant offline and is too big a risk to do remotely.
In most cases, people managing the OT systems at a plant or local basis are plant IT or instrumentation and controls technicians. In many cases, they do not have experience in the requirements of a robust IT/OTSM program. These teams need specific training on OTSM functions and procedures to effectively maintain systems.
SIMPLIFY SECURITY MANAGEMENT WITH AN OTSM-SPECIFIC PLATFORM
Now that policies and a workforce have been established, make sure procedures are as efficient as possible with an emphasis on automation of tasks and, as much as possible, integration of security management tools.
You’ll need a specific OTSM platform that is proven safe to operate in OT and enables 100 percent visibility into systems management, such as installed software, vulnerabilities, configurations, status of backups/antivirus/whitelisting, and monitor time series for behavior changes. It also should monitor and detect issues remotely while providing the ability to act locally when required.
The right OT systems management platform delivers automation and simplification of tasks. This provides not only a proper foundation for cybersecurity but also improvements in plant uptime, reliability and throughput by identifying potential operational issues earlier and accelerating response to incidents in real-time.
EMBRACE NEW OT SYSTEMS MANAGEMENT POSSIBILITIES
Embracing an OT systems management mindset includes inviting key changes to established assumptions on what is possible in an OT environment.
In many organizations, the traditional mindset has been to avoid updating or changing the control system at all for fear of negative operational impact. Designing and supporting industrial control systems for 25 years, I understand the risks and challenges that come from conducting “ITSM-type” activities in an OT network. If they're not done correctly, patches, password policies, application whitelisting, and other security measures can cause negative operational impact.
The reality today is these systems need regular system management for security and reliability. Most now run Windows or Linux OS in core servers and HMIs, which increasingly connect to corporate networks for sharing of data and applications.
OTSM will require a change in mindset. It is easier, and seemingly operationally safer, not to patch, manage access control with tight password policies or conduct regular vulnerability assessments. The risks, however, are now too great.
It is possible to do these activities safely, with the right operational procedures in place. It requires real change efforts led by senior leaders to create the urgency and acceptance.
Success in OT cybersecurity and reliability requires a new foundation in OT systems management to ensure connected systems are protected and managed appropriately. To achieve success requires a change in mindset and skills as well as a new automation tools built for the unique features of the OT environment.