Fortinet Inc.

05/23/2023 | Press release | Distributed by Public on 05/23/2023 10:15

OT on the Global Stage and at Warp Speed

I was recently honored to be selected as the emcee at the Fortinet Virtual OT Summit, conducted as a global campaign in NA, EMEA, and APAC. It was inspiring to interview OT thought leaders and watch in-depth technical sessions focused on today's quickly evolving OT cyber landscape. With over 14,000 registrants, the attention being given to OT is undeniable. OT may be different from IT, and it may be immature in terms of networking and security practices, but OT is also rapidly accelerating and evolving faster than many anticipated. Let me quickly take you through some of my thoughts on the Virtual OT Summit and invite you to watch the event on demand.

Grab Your Jetpack!

Those were the words of Patrick Miller, our keynote speaker and the CEO of Ampere Industrial Security, and they appropriately describe the current pace of change in OT. Of course, it's taken some time for industrial organizations to embrace the digital ecosystem. Not long ago, air-gapped industrial networks (and the assumption of no cyber risk) were their predominant security strategies. In my experience, just three years ago, there was a "not interested" response to the cloud in most industrial verticals. Now, those same organizations have adopted the cloud, sanitized their unique data, established new data markets, and monetized its value. Additionally, those engaged in the digital transformation of their OT environments are reaping operational and production gains never envisioned. The future is so bright that a jetpack may not be enough.

The Cloud (and Some Risk) Is Unavoidable

Simply put, the cloud is the future of OT. There is too much vital information available to improve operations, or to leverage for competitive advantage, to deny its potential. With an aggressive cloud strategy comes cyber risk that must be quantified as part of a corporation's larger risk calculation. Additionally, we're also talking about relatively immature OT networks when it comes to cybersecurity. So, as we introduce attack vectors through cloud adoption and the rapid proliferation of IoT devices, while still dealing with the biggest threat of all (humans), we must take an equally aggressive cybersecurity posture.

Dear OT: Make Some Friends, Even If It's the IT Team

Yes, OT is different, but cloud adoption is not, and IT has been doing it for years. With regard to security policies and governance, IT is way ahead, and OT can learn from it. To further assist, numerous compliance and security frameworks have been specifically designed for industrial environments. Most organizations need to start with the basics: asset visibility, segmentation, log collection, and a patching strategy. That last one is crucial, as your OT device patch strategy may not involve patching at all. Some environments may need to employ proximity controls such as segmentation, micro-segmentation, virtual patching, EDR, and deception to provide robust security and buy time for that patch, maybe indefinitely. You must also find a trusted partner to introduce global and cross-vertical best practices to your facility. And finally (going back to IT), what is your OT SOC strategy? Yes, an OT SOC or joint IT/OT SOC. Conversations about a SOC may be way ahead of what most OT operations have in place, so you'll need a strategy to evolve into this advanced security best practice.

Yes, OT Is Different. It Needs OT-Specific Solutions

While IT can lend a hand, the priorities, risks, devices, protocols, and people of an OT environment are fundamentally different. Therefore, in today's world of IT and OT convergence, you need to ensure that any converged solutions adequately span the technological chasm between IT and OT networks and security needs. Likewise, in the growing demand for vendor consolidation, avoid introducing weaknesses or blind spots by being "too IT" or "too OT." Instead, you must ensure the vendor solutions you implement have appropriate OT device detections built-in: IDS/IPS OT protocol coverage, topology referencing the Purdue model, implementation of the MITRE ICS ATT&CK matrix, and security policy compliance (e.g., NERC CIP, NIST, NIS, CIS, ISA99/IEC 62443).
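The "basics" named above (asset visibility, segmentation, log collection) and the Purdue-model topology mentioned here come together in one routine check: map every observed flow onto the Purdue level of its endpoints and flag anything that either involves an asset missing from the inventory or jumps across more than one level boundary (for example, Level 4 talking straight to a Level 1 controller instead of passing through the Level 3.5 DMZ). The following Python is an added illustration written for this article, not Fortinet code or output from any Fortinet product; the asset inventory, IP addresses, and flow log lines are constructed sample data.

```python
"""Purdue-model segmentation check over constructed flow logs (illustrative, not a product feature)."""
from dataclasses import dataclass

# Constructed asset inventory: IP address -> Purdue level.
# 3.5 is the IT/OT DMZ that sits between the site operations level (3)
# and the enterprise level (4).
INVENTORY = {
    "10.4.0.10": 4,     # enterprise application server
    "10.35.0.5": 3.5,   # DMZ replica historian / jump host
    "10.3.0.20": 3,     # site historian
    "10.2.0.30": 2,     # HMI
    "10.1.0.40": 1,     # PLC
}

# Constructed flow log, one record per line: "src dst proto dport".
FLOWS = """\
10.4.0.10 10.35.0.5 tcp 443
10.35.0.5 10.3.0.20 tcp 5450
10.3.0.20 10.2.0.30 tcp 443
10.2.0.30 10.1.0.40 tcp 502
10.4.0.10 10.1.0.40 tcp 502
10.9.9.9 10.2.0.30 tcp 3389
"""

# Purdue levels in order; 3.5 is the DMZ between 3 and 4.
LEVELS = [0, 1, 2, 3, 3.5, 4, 5]


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def parse_flows(text):
    """Turn the whitespace-separated flow records into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto, int(dport)))
    return flows


def crossing_allowed(src_level, dst_level):
    """Only adjacent Purdue levels may talk directly; anything else skips a boundary."""
    return abs(LEVELS.index(src_level) - LEVELS.index(dst_level)) <= 1


def check_flows(flows, inventory):
    """Return findings for unknown assets and for flows that skip a Purdue boundary."""
    findings = []
    for src, dst, proto, dport in flows:
        # Asset visibility: every endpoint should be in the inventory.
        if src not in inventory:
            findings.append(Finding(src, dst, "source not in asset inventory"))
            continue
        if dst not in inventory:
            findings.append(Finding(src, dst, "destination not in asset inventory"))
            continue
        # Segmentation: traffic must step through adjacent levels (via the DMZ).
        src_level, dst_level = inventory[src], inventory[dst]
        if not crossing_allowed(src_level, dst_level):
            findings.append(Finding(
                src, dst,
                f"level {src_level} to level {dst_level} skips a Purdue boundary ({proto}/{dport})",
            ))
    return findings


if __name__ == "__main__":
    for f in check_flows(parse_flows(FLOWS), INVENTORY):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

The two findings this produces on the sample data are exactly the kinds of gaps the article says to start with: a device nobody has inventoried talking to an HMI, and an enterprise host reaching a controller without passing through the DMZ. In practice the inventory would come from the asset-visibility tool and the flows from collected firewall or sensor logs, and the adjacency rule would be refined with per-conduit allowlists (IEC 62443 zones and conduits) rather than the simple "adjacent levels only" rule used here.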

That OT Jetpack Is Worthless Without the Right OT Person

Perhaps the biggest problem in OT is the "people problem," i.e., we don't have enough of them. Earlier in this piece, I used "rapid adoption" and "accelerated evolution," but that progress is being delayed because we also have an OT security personnel deficit, and it's growing. Finding trained OT people is hard, so we need to look at ways to make our limited personnel more efficient.

Patching, which I mentioned above, is essential but time intensive. It's also tedious and prone to errors. Deploying compensating controls to defer or avoid patches is quicker and more efficient for everyone involved. Outright patching needs to be more selective regarding production risk, vulnerability severity, and downtime, in addition to employing security solutions to protect the unpatched device.

I also mentioned leveraging IT to assist you, but you should also look at managed security service providers (MSSPs) that can augment your staff. Of course, your OT network comprises many devices and systems, many with unique security needs. So, it may be best to start by investigating the technology partnerships your MSSP candidates have in place.

Products and solutions are another critical area of investigation. You must look beyond features and functions and examine interoperability to determine whether they are a "plug 'n play" or "rip and replace" solution. You should also ask what training is available from your vendor network. And because actionable and timely threat intelligence is essential for keeping your security environment up to date, you also need to look at the quality and quantity of their OT threat intelligence feed to determine whether it will ensure near real-time protection. And finally, you need to determine whether these new solutions are easy to use, centrally managed, and simplified enough to enable new and junior OT security professionals to perform maintenance and optimization.

There are many ways to mitigate the people problem. Please explore these subtle yet critical considerations as you strap on your OT jetpack.

Learn more about how Fortinet protects OT environments in critical infrastructure sectors such as energy, defense, manufacturing, food, and transportation by designing security into complex infrastructure via the Fortinet Security Fabric.