The increasing number of attacks against OT assets has not gone unnoticed by governments and organizations alike. In the United States, several government organizations in addition to training organizations and universities are working to equip cyber personnel with the tools and policies necessary to defend critical infrastructure and equipment.
Before diving into the mitigations being established, let’s first look at how OT assets become vulnerable in the first place. Attackers aren’t the only source of potential mishaps: companies must also be willing to shore up their own policies and operational procedures, and to build on and apply industry best practices, to ensure safe and reliable operations.
While attackers are a growing threat to OT systems, companies are also responsible for incorporating standard best practices to keep their systems safe. What kinds of threat sources exist in the modern OT environment? NIST SP 800-82r3 Table 13 lists several types:
In addition, §C.2, Tables 14 - 20 list vulnerabilities and predisposing conditions inherent in OT systems that increase their attack surface. NIST’s findings are extensive; the points below give a high-level view of these conditions.
Cybersecurity risk is often measured by two factors: impact and likelihood. OT systems typically control critical processes and infrastructure - in other words, disrupting the availability or safety of these systems creates a high-impact event. In addition, as more systems are connected to internal networks or even the internet itself, the likelihood of attacks against these systems continues to increase. Has anyone taken notice of this, and, if so, what’s being done to quell the rise in incursions?
Fortunately, major developments in training and policy from both the government and a variety of commercial sectors are advancing the protection of OT systems. The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has assembled a prolific catalog of materials pertaining to this cause. ICS Training is available online or in-person and includes topics such as “Operational Security (OPSEC) for Control Systems”, “Cybersecurity with IT and ICS Domains”, and a two-part series on “Mapping IT Defense-in-Depth Security Solutions to ICS”. As an added bonus, CISA repeatedly states that there are no tuition costs for these courses. In addition, CISA has a specific focus on industrial control systems where anyone in the community can discover a variety of resources, partnerships, training, information exchange, and a host of other topics. It is well worth the time to explore the wide range of offerings from CISA.
Before moving to the commercial sector, a few more resources offered by the government are worth exploring. The U.S. Department of Energy (DOE) offers the Operational Technology Defender Fellowship in which OT-related security managers have the opportunity to participate in a 12-month program designed to bolster their acumen in managing OT systems. This program is hosted by Idaho National Laboratory and provides managers with a wealth of information and contacts to assist in their cybersecurity efforts for the company in which they work. The National Security Agency (NSA) and CISA have offered a Cybersecurity Advisory named “Control System Defense: Know the Opponent” aimed at assisting operators in stopping malicious ICS activity and reducing OT exposure. A final resource to peruse is a bulletin titled “Improving Security of Open Source Software in Operational Technology and Industrial Control Systems”. As open source software (OSS) proliferates in the OT sector, it is important to understand how both the developers and users can effectively mitigate risks and bolster defenses.
The government isn’t the only entity providing training and resources for OT cyber defenders. The SANS Institute provides intensive training and a host of blogs and whitepapers on ICS cybersecurity. In addition, GIAC, an affiliate of SANS, offers respected certifications such as the Global Industrial Cyber Security Professional (GICSP), the GIAC Response and Industrial Defense (GRID), and the GIAC Critical Infrastructure Protection Certification (GCIP). The ICS Cybersecurity Conference is another great resource not only for training but also for learning from and partnering with industry peers to continue the march towards OT systems security.
Finally, universities have been offering degree programs specializing in this field, such as the Industrial Cybersecurity Engineering Technology program from Idaho State University or the Cyber-Physical Systems Track at Georgia Tech.
In this post, we’ve taken a look at both the multifaceted vulnerabilities inherent in OT systems and what’s being done by various security organizations to mitigate these vulnerabilities. Adversaries are definitely a key threat vector for these systems; however, vulnerabilities exist across multiple domains. Luckily, both government agencies and commercial organizations are taking bold, bespoke steps toward securing OT infrastructure.
Thanks so much for reading this post; we look forward to seeing you next time!