Understanding the regulations impacting compliance and operational technology when IT and OT merge.
In September 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released a new cybersecurity advisory. It warns highly regulated industries—such as finance, insurance, transportation, manufacturing, and oil and gas—of increased threats to their operational technology (OT) and industrial control systems (ICS). It recommends tightening security around your OT and ICS.
The U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity spans IT and OT to promote the protection and resilience of critical infrastructure. However, the Cybersecurity Framework (CSF) neither suggests an implementation order nor provides detailed control recommendations.
Therefore, many organizations adopting the CSF rely on the long-established Center for Internet Security (CIS) Benchmarks and the DISA Security Technical Implementation Guides (STIGs). These controls and benchmarks help prioritize implementation, define more granular security controls, and address regulations impacting OT. STIG and CIS controls are proven throughout the federal government and defense industrial base to secure even the most sensitive systems.
As Meritalk observes, traditional ways of securing OT and ICS cannot adequately address today’s threats to those systems; the advisory states that “owners and operators who understand cyber actors’ tactics, techniques, and procedures can use that knowledge when prioritizing hardening actions for OT and ICS.” Because OT and ICS systems often incorporate vulnerable IT components and include external connections and remote access that increase their attack surfaces, those components and connections are an excellent place to start looking for vulnerabilities.
Meeting CIS benchmarks can secure your IT, OT and integrated systems.
Gartner states in their Market Guide for Operational Technology Security, “The OT security market is rapidly changing. The traditional niche OT security market emphasized products focused on legacy industrial systems and operations-only networks and firewalls. The market is shifting rapidly as new tools and services with an ever-increasing array of features become available. As OT continues to connect to IT systems, and newly designed CPS are deployed, OT management, governance, infrastructure, and security are evolving.” As IT and OT continue to integrate and evolve, it makes sense to secure your OT the same way as your IT.
A best practice in most organizations is to create baseline technical security configurations. However, configuring systems is one thing; maintaining those security configurations over time is a whole different beast. CIS controls offer companies a clear pathway toward maturing their cybersecurity programs, along with technical guidance for establishing and maintaining secure configurations. As cyber threats increasingly plague regulated industries and critical infrastructure, CIS can provide a solid security baseline and, with continued vigilance, maintain that baseline indefinitely.
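The baseline-then-maintain idea in the paragraph above, as an added example that is not SteelCloud’s, ConfigOS’s or CIS’s code: a small Python checker that parses a constructed sshd_config-style file, evaluates it against a handful of hypothetical CIS-style rules (the rule ids, thresholds and both sample files are assumptions for illustration, not taken from any published benchmark), and diffs two snapshots of the same host to surface configuration drift. The point it demonstrates is that a one-time hardening pass is not enough: the second snapshot passes a casual glance but fails three rules, and only a repeatable check catches that.

```python
"""Added example (not SteelCloud/ConfigOS/CIS code): baseline evaluation and
drift detection for a simple 'Key Value' configuration format.

All sample files, rule ids and thresholds below are constructed for the
example; they are not a real benchmark and not from any real host.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: a host right after hardening.
HARDENED_CONFIG = """\
# constructed sample: hardened sshd_config
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
ClientAliveInterval 300
X11Forwarding no
"""

# Constructed sample: the same host months later, after undocumented edits.
DRIFTED_CONFIG = """\
# constructed sample: same host after an undocumented change
Port 22
Protocol 2
PermitRootLogin yes   # "temporarily" enabled during a migration, never reverted
PasswordAuthentication no
MaxAuthTries 10
ClientAliveInterval 300
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str                    # hypothetical identifier, e.g. "BL-01"
    key: str                        # lower-cased configuration keyword
    check: Callable[[str], bool]    # predicate over the configured value
    expected: str                   # human-readable expectation for the report


@dataclass(frozen=True)
class Finding:
    rule_id: str
    key: str
    actual: Optional[str]           # None means the key is not set at all
    passed: bool


def _at_most(limit: int) -> Callable[[str], bool]:
    """Predicate: value is a non-negative integer no larger than limit."""
    return lambda v: v.isdigit() and int(v) <= limit


# Hypothetical baseline: a few CIS-style rules, expressed as predicates.
BASELINE = [
    Rule("BL-01", "permitrootlogin", lambda v: v == "no", "no"),
    Rule("BL-02", "passwordauthentication", lambda v: v == "no", "no"),
    Rule("BL-03", "maxauthtries", _at_most(4), "<= 4"),
    Rule("BL-04", "x11forwarding", lambda v: v == "no", "no"),
    Rule("BL-05", "clientaliveinterval",
         lambda v: v.isdigit() and 1 <= int(v) <= 900, "1..900"),
]


def parse_config(text: str) -> dict:
    """Parse 'Key Value' lines; strip comments, skip blanks, last value wins.
    Keys are lower-cased because sshd keywords are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def evaluate(settings: dict, rules=BASELINE) -> list:
    """Run every rule; an unset key is a failure, since the baseline requires
    an explicit value rather than trusting the daemon default."""
    findings = []
    for rule in rules:
        actual = settings.get(rule.key)
        passed = actual is not None and rule.check(actual)
        findings.append(Finding(rule.rule_id, rule.key, actual, passed))
    return findings


def failures(settings: dict, rules=BASELINE) -> list:
    """Rule ids that fail, in rule order."""
    return [f.rule_id for f in evaluate(settings, rules) if not f.passed]


def detect_drift(old: dict, new: dict) -> dict:
    """Keys whose value changed, appeared, or disappeared between snapshots,
    mapped to (old_value, new_value); None marks 'not set'."""
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


if __name__ == "__main__":
    before, after = parse_config(HARDENED_CONFIG), parse_config(DRIFTED_CONFIG)
    for f in evaluate(after):
        print(f"{f.rule_id} {f.key:<22} {'PASS' if f.passed else 'FAIL':4} actual={f.actual!r}")
    for key, (old, new) in detect_drift(before, after).items():
        print(f"drift: {key}: {old!r} -> {new!r}")
```

In practice the two snapshots would come from a scheduled collector rather than string literals, and the drift output is what you alert on: a change in `permitrootlogin` between two scans is a detection signal regardless of whether anyone filed a change ticket. The baseline itself should be versioned alongside the rules, so a deliberate exception is recorded as a rule change rather than silently tolerated as drift.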
Securing systems connectivity in an increasingly integrated world.
OT and ICS assets that operate, control, and monitor critical infrastructure day to day are increasingly targeted by malicious cyber actors because they often incorporate vulnerable IT components and include external connections and remote access that increase their attack surfaces. These systems are critical to the functioning of physical processes, such as power generation and transmission or manufacturing production. OT systems are built to last ten to twenty years, rather than the five-year lifecycles of traditional IT equipment.
Security becomes a more significant issue as OT and IT systems converge. Systems formerly “air-gapped” from enterprise IT, and from its access to the internet and communication applications such as email and cloud interfaces, are now connecting to the enterprise infrastructure to gain scale and the power of big data analytics. But this added benefit comes with risks from IT networks: ransomware, hacking for espionage, and potential disruption of physical processes to cause physical damage.
Keeping your secrets safe with SteelCloud’s ConfigOS.
To illustrate how OT and IT convergence can increase risk, consider an example. In 2021, a water treatment plant was breached in the tiny municipality of Oldsmar, FL, a town of 15,000. In this incident, the attacker attempted to change the alkaline levels in the water to a level that would severely damage human tissue. The exchange of data between physical machines, combined with human error and the lack of real-time scanning and remediation, is a critical factor in OT and IT integration.
Ever-increasing compliance requirements, growing volumes of data, and the need to scale all demand better visibility into infrastructure assets; compliance automation is the answer. As mentioned before, air-gapping machines should be considered a viable solution for sensitive data that doesn’t need to be accessed over a network. While Oldsmar may be a shocking example of OT/IT convergence risks, every at-risk industry, from finance to energy, has the potential to create incidents this bad and worse.
By implementing SteelCloud’s ConfigOS software, you can easily create, and maintain, the secure baseline you need to keep your data out of the wrong hands. ConfigOS automates the process of identifying vulnerabilities, mitigating control issues, and maintaining that security over time.
Simplifying the complex aspects of policy compliance.
CIS benchmarks and DISA STIGs establish policy compliance baselines around system-level controls. Making policy compliance work for you and managing a system well gives you tremendous security value. It is more than a list of good practices and a checklist to tick them off.
The bedrock principle of good security management is good configuration management. SteelCloud’s ConfigOS is proven to automate CIS and STIG processes for simplified security, rapid hardening, and policy compliance. Contact us for a free demo and see how easy it is to thwart cyberattacks in heavily regulated, critical industries.