Over the last few decades, the clear path to securing operational technology has been difficult to forge as so much has come from the vast world of IT data protection, encryption and authentication. On the other hand, practitioners on the OT side of the digital network speak about the risks and unwanted consequences of this very technology to the physical systems they operate. The term SEC-OT – short for ‘Secure Operations Technology’ – is an attempt to combine all of the knowledge and best practices of secure industrial sites into one cohesive and disciplined approach.
While the traditional IT approach is focused on protecting data integrity, confidentiality and availability, SEC-OT is focused on cyber security for controlling physical operations. To this end, SEC-OT defines control system security as: protecting the safe and reliable control of physical operations from attacks embedded in information.
No matter what your network architecture, industry or level of security sophistication, there are four steps you can take now to achieve a robust security posture to protect critical industrial control networks.
Step 1: Classify Networks
Classifying cyber assets establishes a starting point to align your site with SEC-OT principles. The goal of classifying networks is to identify the cyber assets that are essential to safe and reliable physical operations. Generally speaking, asset classification follows a framework of the most control-critical assets to the least control-critical assets. France’s ANSSI has written one of the most thorough and robust guidelines for ICS security, and describes network classification in their Classification Method for Cybersecurity for Industrial Control Systems.
Step 2: Group Network Assets
The next step to protecting an ICS is deciding how to group control-critical cyber assets into sets. When defining ICS sets, group assets with similar functions, communications and security needs. A control-critical network is defined as a set of ICS networks whose cyber assets worst case compromise results in unacceptable physical consequences. When defining control-critical networks, minimize the volume and complexity of information flows into critical networks from external less-trusted networks.
As SEC-OT requires physical segmentation of control-critical networks from noncritical networks, software based segmentation may be used between network assets of the same classified control-critical network, but not between control critical networks and other networks of less control criticality. So it is important to identify any pre-existing software-only protections running between these interconnections.
Step 3: Physically Segment Networks
After identifying, classifying and grouping ICS network assets, physically separate each control-critical network from all external networks. This physical separation is a prerequisite for physical protection and therefore a SEC-OT best practice.
Additional physical separation also simplifies certain physical protection mechanisms. Such separation reduces opportunities for errors and omissions that might otherwise result in physical cross-connections between control critical and noncritical network wiring and equipment.
Step 4: Control Information/Attack Flows
With a tentative plan in place for the physical separation of control systems from other systems, start considering all information flows in your network – both offline and online – that bring information/attacks into your control-critical networks. This comprehensive survey may inspect as-built documentation, physical devices and wiring, firewall rules, control system software configurations and other sources. Remember the basics, defining critical networks has no value if you are not minimizing the volume and frequency of information flows into control-critical networks.
Finding and following a rational and secure approach to control systems security can be confusing, as guidance and advice for ICS cybersecurity tends to vary widely. However there is no arguing how already-secure industrial sites approach OT-SEC. Follow these initial steps and read further how your site can leverage the blueprint of OT-SEC best practices by ordering a free copy of Andrew Ginter’s book SEC-OT: Secure Operations Technology.