The amount of time it takes to make meaningful progress in overall operational technology (OT) cyber security maturity is the top challenge we hear from OT leaders and Chief Information Security Officers (CISO). The additional challenges of distributed network environments, sensitive and legacy devices, the range of tools that are needed, the testing required before deployment, and the lack of available resources to assess and remediate identified risks mean there is a long lead time prior to demonstrated progress in reducing the cyber security exposure of OT environments.
These cyber security challenges are met with the demanding needs of CISOs and boards of directors who want to see action and results at each quarterly meeting. They do not just want a plan or a statement that you’re deploying a tool. They want demonstrated improvement. Now.
Many organizations realize their most critical systems – those that integrate cyber and physical operations – have not received the same cyber security focus as the traditional IT systems. Due to an increase in digital transformation, OT cyber security is uncharted territory for most.
OT cyber maturity trails IT security
- Many OT systems have been less connected to the outside world/internet than their IT peers
- IT security tools and procedures do not work effectively or are risky to use in more sensitive, legacy and embedded OT/OT systems
- Operational requirements make managing the vulnerabilities and insecurities challenging as changes can disrupt uptime and productivity
- There is a significant knowledge and skills gap in deploying security within the OT environment
Each year for the past five years, cyberattacks on critical infrastructure has increased. These attacks cost billions of dollars and significantly impacted production capabilities in industries ranging from consumer goods to healthcare and power. Boards of directors’ patience is running out with the rationales of why these systems cannot achieve the same level of security maturity as the IT side. The rapid acceleration of remote work and the need to remotely access the plant and infrastructure, formerly seen as "air-gapped", has only made the urgency greater.
But it is time to do something. The idea that it will take six months to assess and plan, followed by 18-24 months to deploy hardware (taps, span ports, firewalls, etc.), harden endpoints, deploy robust backup solutions, and create a robust vulnerability management program for OT is no longer acceptable.
Improve OT cyber security maturity in 30 days
Over the past decade, Verve has developed a proven approach to radically reduce the time to demonstrate quantifiable improvement in OT security foundations. Our approach has been tested and proven in customers ranging from power to chemicals, pharmaceuticals, medical device, consumer packaged goods, and beyond.
The power of the Verve Security Center’s software-defined approach to OT security in conjunction with our distinctive OT security services organization demonstrates dramatic cyber security improvement in a very short period of time.
There are three critical components into an integrated OT cyber security solution to reduce the gaps in time and certainty that come with so many OT cyber security approaches. Our strategy enables an ongoing process that continually maintains and improves the maturity over time once the step change is achieved.
The three key components of the approach are:
- A rapidly deployable, software-defined security solution that deploys in hours or days, not weeks or months. Taps and span ports are not required for deployment, reducing cost on hardware and time-consuming labor. It provides rapid visibility and actionability to quickly remediate the risks and threats identified.
- The integrated platform brings together a comprehensive security solution including the identification and remediation of risks. The platform enables turnkey integration across the range of maturity requirements of standards such as NIST CSF, CIS Top 20 Security Controls, ISA99, etc.
- A distinctive group of OT expert engineers that understand cyber security and have rich experience in operations of control systems, their communications, and their sensitivities so that they can enable rapid actionability without risking operational reliability.
Gain visibility and insight into a prioritized list of risks to remediate to improve OT cyber security maturity
In IT, gaining visibility is often completed through a series of tools from a network device management platform, to a vulnerability scanning tool, to user and account management/configuration management tools, patch management, etc. Each of these functions is well-defined and usually well-resourced.
In OT, this picture changes. The inventory is unclear. Vulnerability scanning can “brick” embedded OT devices. Network management often does not extend to within the IT/OT firewalls. In OT, many turn to tools that promise inventory visibility through monitoring of network traffic. These tools provide some level of visibility, but they require expensive network tap infrastructure to see deep down into the network which can be both expensive and time-consuming to deploy. Further, the level of insight is only as good as what goes across the wire.
Verve built a software-defined solution that does not require deployment of taps or other hardware elements. The agent-agentless approach gathers deep inventory and identifies risks across the full spectrum of security requirements: patch and vulnerability, configurations, software, user and account, network device configurations, etc. This is completed within a matter of minutes or days, as opposed to weeks if additional hardware were required.
Because of the unique architecture, the time to remediation is radically reduced. There is no need for separate integration with patch or configuration hardening tools, user or account management, etc. As soon as Verve identifies a risk, the platform is used to remediate that risk. Certainly, operators will want to analyze and test any changes, but the built-in functionality enables that testing and deployment of remediation to occur in days across heterogeneous industrial control systems.
Consolidate controls into a single pane of glass to manage deployment to improve OT cyber security maturity
One of the biggest challenges facing operational technology is the lack of resources. Using a handful of independent security tools adds time and complexity to achieving maturity.
Verve brings together the key components of the NIST CSF, CIS Top 20 etc. from inventory to vulnerability management, patch management, configuration management, anti-malware, backups, etc. This enables a single, rapid deployment and accelerates mean time to maturity vs. a piecemeal approach. Further, it reduces the ongoing maintenance and operational cost. It also aggregates data from all your sites, vendors and controls into centralized reporting.
Leverage OT expertise and resources to improve OT cyber security maturity
Achieving rapid cyber security maturity requires resources that understand the myriad of control systems in a typical operating environment, but according to CyberSeek, there is a shortage of security talent in OT. This is costly in the OT world where a mistake can be fatal or operationally catastrophic.
Verve builds on our 25+ year heritage of OT engineering with a team experienced in plant management across a range of control systems. In fact, many customers tell us that our team understands their OT systems better than they do. Integrated security services are critical to accelerating the time from identifying the gaps to deploying the remediating measures in a safe and operationally secure way.
A robust cyber security journey will not be completed in 30 days, but you can demonstrate meaningful progress with measures that CISOs and boards of directors understand. Talk to us about how we can help you drive improved OT security maturity in 30 days.