5 Best Practices for Operational Technology (OT) Security

One of the primary concerns when it comes to the integration of an OT security framework is downtime. Downtime, especially for a company that depends on operational technology, is extremely expensive. OT cybersecurity best practices therefore need to incorporate strategies for minimizing the impact of downtime while security measures are implemented.

For instance, if a metropolitan train system needs to shut down its operational technology so a cybersecurity system can be implemented, this has to be done at a time that does not bring a city’s transit system to a complete halt. Or in the case of a factory, you need to account for production schedules, when people will be working, and how you can minimize the impact on supply chains that depend on your products. This is especially true because many production facilities depend on Internet-of-Things (IoT) devices that facilitate business-critical functions.

In many situations, significant downtime may be unavoidable, especially if the security integration needs to happen across the board. For instance, you may have to momentarily shut down a supervisory control and data acquisition (SCADA) system for a period of time. This can essentially leave some physical processes headless—without the technology needed to control them. The financial and operational impact of this kind of integration can be significantly diminished with mindful step-by-step planning, another component of OT security best practices.

Some of the OT security best practices for implementing a reliable protection system include:

1. Network mapping and connectivity analysis
2. Detection of suspicious activities, exposures, and malware attacks
3. Implementing a zero-trust framework
4. Aligning the right remote access tools
5. Controlling identity and access management (IAM)

Understanding the physical and digital locations of all devices mapped within a network should be a primary concern of operational technology managers. 

For example, if a programmable logic controller (PLC) is communicating with a different PLC due to an error or a hack, it is crucial for the manager to be able to discover this issue, as well as implement a mitigation strategy as soon as possible. This can only be accomplished if the connections of all assets are accurately mapped.

Figuring out the kinds of activity that you will label as “suspicious,” including problematic exposures and malware attacks, is important because you do not want your team to be distracted by false flags. At the same time, underreporting can allow threats to sneak through. 

Detecting these kinds of activities and threats is often handled by a security information and event management (SIEM) system. Because the people and technology involved in SIEM systems have a deep familiarity with the threats on the landscape, it is easier for them to assess the kinds of attacks and activity that may impact your operational technology.

You can also identify threats using next-generation firewalls (NGFWs), which can scan data packets streaming into your network from the internet. If a threat is detected, the packet of data associated with it can be discarded, protecting your system and its assets.

A zero-trust framework is built on the principle of “never trust, always verify.” Within this kind of system, every person, device, application, and network is presumed to be a threat. Therefore, each of these entities has the responsibility of proving its legitimacy before it is allowed to connect.

This often involves multi-factor authentication (MFA) tools, which require more than one form of identity verification. For example, a team member may be required to present a password, answer a security question, and submit a fingerprint scan. This significantly decreases the likelihood of an attacker finding a way to penetrate your system. In this and other operational technology examples, the focus should be on securing the system while minimizing the amount of extra work required of employees and others. Providing brief training sessions when necessary can streamline the implementation of a zero-trust framework.

Ensuring the right people and systems have access to your operational technology is essential, especially because they may be pivotal to the flow of business. An OT system is often different from an IT system because it usually does not have a full selection of tools that can be granularly configured to enable remote access. To account for this difference, administrators should ensure the following receive attention:

1. Managing identities and credentials
2. Controlling passwords and security
3. Multi-factor authentication
4. Making sure the right people have the access they need
5. Monitoring and managing the access privileges of current and former employees

Controlling who is able to access your system plays a big role in your cybersecurity posture, particularly because allowing the wrong person inside may make it easy for an attacker to penetrate. At times, a well-meaning employee may leave their login credentials exposed or otherwise insecure, enabling a hacker to get inside a critical system. Therefore, you should take into consideration the following:

1. Educating employees about how to safeguard their access credentials
2. Ensuring that a least-privilege policy is maintained across the organization, which limits access rights only to those who absolutely need them
3. Canceling the access privileges of former employees as soon as possible
4. Revoking access that was temporarily granted to visitors and other guests

Even though it is possible to revoke access privileges too early, it is typically easier to remedy this than it is to recover from a cyberattack.