In a recent survey conducted by ABI Research, three-quarters of industrial organizations reported that they had detected malicious activity within their OT network, and 24% of them were forced to shut down OT operations within the last year due to a successful attack.
If that’s not enough to have OT companies looking for new cybersecurity solutions, European Union companies have the added pressure of NIS2’s looming October deadline. Essential and important entities are on the hunt for cybersecurity solutions that meet their security needs while also supporting their compliance obligations.
OT security is complicated. Manufacturing plants and critical infrastructure facilities frequently maintain equipment that is so old it hasn’t been made in decades, working alongside modern connected machinery. An effective OT security regimen must be able to secure the entire environment—the “legacy” gear as well as the latest devices.
The good news is that many OT cybersecurity products on the market deliver parts of what manufacturers need. Part of a solution, however, is not the whole solution, and not every tool marketed as a solution is created equal.
For example, some products deliver network visibility but lack threat-detection capabilities, while others are strong in threat detection but unwieldy and difficult to manage. In this article, we’ll look at the capabilities your OT cybersecurity platform should have to put you on the path to NIS2 compliance.
Start with full network visibility
OT cybersecurity begins with network visibility. After all, you can’t secure network connections, zones, and devices that you aren’t aware of. Your OT security solution should include passive, non-intrusive monitoring (typically fed from a switch mirror port or a network tap) that automatically builds a visual model of your devices, protocols, and links. Active scanning, where acceptable, is a useful supplement.
Your monitoring tool should automatically establish a baseline of normal behavior. Deviations from that baseline should be flagged as potential indicators of compromise (IOCs) and investigated; a deviation is a reason to look, not proof of compromise, since maintenance work, reconfiguration, and device faults also change traffic patterns.
For example, if one machine has been transmitting a message to the network every 20 minutes and the message is now being sent every 60 minutes, there is cause for investigation. The monitoring tool should also keep up with the latest threat intelligence, so it can match the devices and firmware versions in its inventory against newly published vulnerabilities (CVEs) and recommend patches or workarounds for them.
Monitoring should feed into your alert management system or provide one of its own. The most effective OT monitoring tool will not only send alerts on IOCs and potential cyberattacks, but will also tell you about business policy violations, abnormal topology changes, new device connections, and other changes to the network. Each alert should be prioritized automatically based on its assessed severity.
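The baseline-and-deviation check described above, together with the new-device alert, is small enough to show in working code. The following is an added example, not code from the original article or from any vendor product: it learns the median interval of each (source, destination, protocol) flow from a training window of constructed flow records, then reports flows whose cadence drifts, flows that were never seen during the baseline, and flows that went silent. The record format, device names, and timestamps are all constructed for the illustration.

```python
"""Cadence baselining for OT traffic (added example, constructed data).

A passive monitor learns how often each (source, destination, protocol)
flow normally appears, then flags flows whose interval drifts, flows the
baseline never saw, and flows that stop appearing.  Nothing here comes
from a real product or a real network capture.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records: (epoch seconds, source, destination, protocol).
# PLC-1 polls HMI-1 every 20 minutes while the baseline is learned, then the
# interval stretches to 60 minutes.  RTU-7 beats steadily every 5 minutes.
# HIST-1 reports during the baseline and then goes quiet.  ENG-WS-3 is an
# engineering workstation that never appeared during the baseline window.
BASELINE_END = 7_000  # records before this timestamp train the baseline
SAMPLE_RECORDS = (
    [(t, "PLC-1", "HMI-1", "modbus") for t in range(0, 6_001, 1_200)]         # 20-min cadence
    + [(t, "PLC-1", "HMI-1", "modbus") for t in range(7_200, 18_001, 3_600)]  # now 60-min cadence
    + [(t, "RTU-7", "SCADA-1", "dnp3") for t in range(0, 12_001, 300)]        # steady 5-min cadence
    + [(t, "HIST-1", "SCADA-1", "opcua") for t in range(0, 6_001, 600)]       # baseline only
    + [(9_000, "ENG-WS-3", "PLC-1", "s7comm"), (9_100, "ENG-WS-3", "PLC-1", "s7comm")]
)


def _gaps_by_flow(records, keep):
    """Inter-arrival gaps (seconds) per flow, for records whose timestamp passes keep()."""
    times = defaultdict(list)
    for ts, src, dst, proto in records:
        if keep(ts):
            times[(src, dst, proto)].append(ts)
    gaps = {}
    for flow, ts_list in times.items():
        ts_list.sort()
        gaps[flow] = [b - a for a, b in zip(ts_list, ts_list[1:])]
    return gaps


def learn_baseline(records, baseline_end, min_gaps=3):
    """Median inter-arrival interval per flow, learned from the training window only.

    Flows with fewer than min_gaps observed intervals are not trusted yet."""
    return {
        flow: median(gaps)
        for flow, gaps in _gaps_by_flow(records, lambda ts: ts < baseline_end).items()
        if len(gaps) >= min_gaps
    }


def detect_drift(records, baseline, baseline_end, tolerance=0.5):
    """Compare post-baseline traffic against the learned cadence.

    Findings: 'new_flow' for traffic the baseline never saw, 'went_silent' for a
    baselined flow that no longer appears, and 'cadence_drift' when the observed
    median interval differs from the baseline by more than `tolerance`
    (a fraction of the baseline interval)."""
    findings = []
    observed = _gaps_by_flow(records, lambda ts: ts >= baseline_end)
    for flow in baseline:
        if flow not in observed:
            findings.append({"flow": flow, "kind": "went_silent"})
    for flow, gaps in observed.items():
        if flow not in baseline:
            findings.append({"flow": flow, "kind": "new_flow"})
            continue
        if not gaps:
            continue  # a single packet says nothing about cadence
        expected, seen = baseline[flow], median(gaps)
        if abs(seen - expected) / expected > tolerance:
            findings.append({"flow": flow, "kind": "cadence_drift",
                             "expected_s": expected, "observed_s": seen})
    return findings


def run_example():
    """Learn the baseline from the constructed records and return the findings."""
    baseline = learn_baseline(SAMPLE_RECORDS, BASELINE_END)
    return detect_drift(SAMPLE_RECORDS, baseline, BASELINE_END)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run as a script, this reports the PLC-1 poll stretching from 1200 s to 3600 s, the historian going quiet, and the never-before-seen engineering workstation talking S7comm to a PLC, while the steady RTU-7 traffic produces no finding. A real monitor would key the baseline on more than the interval (message sizes, function codes, time of day), but the structure is the same: learn from a clean window, then compare.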
Look for a solution that offers active scanning in addition to passive monitoring. Active scanners help discover additional assets and collect data from components that are silent on the network, and they can identify vulnerabilities in firmware and other components that passive observation cannot see. Use them with care: a generic IT port scan can hang or crash fragile legacy controllers, so active queries should be protocol-aware and vendor-validated, tested on non-production equipment first, and scheduled in maintenance windows.
Together, these capabilities improve operational resilience against cyber threats and support compliance with directives such as NIS2, with security frameworks, and with industry best practices.
Add in OT risk management
Monitoring your OT network is one major function of a healthy OT security program. Another is risk management. Risk management tools help you manage risk proactively and build resilient operations. Look for a data-driven solution that conducts automated risk assessments through breach simulations to find exploitable weaknesses in your network and to advise you on what to do about them.
This tool should help you measure the gaps between your existing security controls and the requirements of NIS2 and/or other standards. Running frequent assessments makes it easy for security teams to stay on top of risk while measuring their progress over time.
Look for a risk management tool that not only recommends fixes for the weaknesses it finds but also takes budget into account. It’s easy for a simulator to find a vulnerability and emit a laundry list of network changes. Leading tools attach a cost estimate to each change and quantify the risk reduction for both full and partial fixes.
For example, if a simulation finds weaknesses that push a manufacturing site’s risk score to 43, it should also present several mitigation options for bringing that score down. Replacing machinery, which might cost millions of dollars, could improve the score a great deal, but installing a free patch might get most of the way there. Each option should carry its associated cost, so that stakeholders can weigh risk reduction against budget.
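The cost-versus-reduction trade-off described above can be made concrete. The following is an added example, not code from the original article or from any risk management product: it ranks constructed mitigation options by risk-score points removed per dollar, then selects the set that removes the most risk within a fixed budget using a 0/1 knapsack. The option names, costs, the starting score of 43, and the per-option point reductions are all constructed estimates, and treating the reductions as additive is a simplification that a real simulator would replace by re-running the assessment.

```python
"""Budget-aware mitigation selection (added example, constructed data).

Given mitigation options with an estimated cost and an estimated reduction in
a site's risk score, rank them by reduction per dollar and pick the set that
removes the most risk within a budget (0/1 knapsack).  Every number below is
constructed for the illustration; none comes from a real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost_usd: int
    reduction: int  # risk-score points the fix is estimated to remove (constructed)


START_SCORE = 43  # the site's score before any mitigation; lower is better

OPTIONS = [
    Mitigation("Replace end-of-life PLC fleet", 2_500_000, 18),
    Mitigation("Apply vendor firmware patch to PLCs (labour only)", 5_000, 12),
    Mitigation("Segment engineering workstations from the cell network", 40_000, 6),
    Mitigation("Disable unused Telnet/FTP services on HMIs", 2_000, 2),
    Mitigation("Stand up a read-only historian DMZ", 120_000, 4),
]


def rank_by_efficiency(options):
    """Cheapest risk reduction first: points removed per dollar spent."""
    return sorted(options, key=lambda m: m.reduction / m.cost_usd, reverse=True)


def best_plan(options, budget_usd, cost_unit=1_000):
    """0/1 knapsack: the subset of options with the largest total reduction
    whose total cost fits in budget_usd.  Costs are rounded up to whole
    cost_unit steps so a plan can never quietly exceed the budget.

    Returns (chosen options in their original order, total reduction)."""
    n = len(options)
    cap = budget_usd // cost_unit
    costs = [-(-m.cost_usd // cost_unit) for m in options]  # ceiling division
    # best[i][c]: max reduction using the first i options with capacity c
    best = [[0] * (cap + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        c_i, r_i = costs[i - 1], options[i - 1].reduction
        for c in range(cap + 1):
            best[i][c] = best[i - 1][c]
            if c_i <= c and best[i - 1][c - c_i] + r_i > best[i][c]:
                best[i][c] = best[i - 1][c - c_i] + r_i
    # Walk the table backwards to recover which options were taken.
    chosen, c = [], cap
    for i in range(n, 0, -1):
        if best[i][c] != best[i - 1][c]:
            chosen.append(options[i - 1])
            c -= costs[i - 1]
    chosen.reverse()
    return chosen, best[n][cap]


def projected_score(start_score, chosen):
    """Score after applying `chosen`, treating reductions as additive (a simplification)."""
    return max(0, start_score - sum(m.reduction for m in chosen))


if __name__ == "__main__":
    print("Most risk removed per dollar:")
    for m in rank_by_efficiency(OPTIONS):
        print(f"  {m.reduction / m.cost_usd * 1_000_000:8.1f} points per $1M  {m.name}")
    for budget in (50_000, 3_000_000):
        plan, removed = best_plan(OPTIONS, budget)
        print(f"\nBudget ${budget:,}: score {START_SCORE} -> {projected_score(START_SCORE, plan)}")
        for m in plan:
            print(f"  - {m.name} (${m.cost_usd:,}, -{m.reduction} points)")
```

With a $50,000 budget the plan is the patch, the segmentation project, and the Telnet clean-up, taking the constructed score from 43 to 23; the multi-million-dollar fleet replacement only enters the plan once the budget can absorb it. The point of showing the table is the one the article makes: the free patch buys most of the improvement, and the tool should say so in dollars, not just list findings.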
Multisite management with central monitoring
Organizations that operate multiple sites should look for solutions that include central monitoring and management for the entire OT estate. Such platforms provide visibility into OT networks regardless of their location.
Centralized platforms are cost-effective. Rather than staffing a separate security team to monitor the network at each site, a single security team in a SOC can oversee and manage the entire security regime. Alerts generated at any of the sites come to the central management location, where they can be investigated and remediated.
Centralized platforms also improve security effectiveness. Organizations can implement policies across their sites from a central point, ensuring consistency.
Finding a suitable OT vendor
OT security is critical to the continued operation of manufacturing plants, critical infrastructure, and other OT environments. To be effective, organizations should look for solutions that provide full visibility into their network and apply data-driven risk management automatically. Organizations with multiple sites should require solutions that provide central security monitoring and management.
While some organizations might prefer mixing and matching solutions from different vendors, this best-of-breed approach can leave gaps between tools and create interoperability problems. A security platform from a single vendor, as long as it meets all of the requirements above, is typically the better approach.