The increased digital connectivity of IT and OT network infrastructure is continuing to increase cyber risk. Attack surfaces are also dynamically expanding as more users and devices are connecting to the network from remote and distributed locations. The explosion of Internet of Things (IoT) devices is only serving to further accelerate attack surface growth and innovative technologies like 5G amplify mainstream connectivity. As a result of these changes, the distinct lines that traditionally separated IT and OT networks are disappearing, and naturally security needs to be a strategic imperative for global OT stakeholders.
The need to keep operational technology secure both from a legacy point of view and a modern systems perspective was the topic of a recent discussion with Fortinet’s Rick Peters, CISO for Operational Technology, North America at Fortinet, and Jay Abdallah, the Vice President of Cybersecurity Services at Schneider Electric. The two came together to offer insights around the need for critical infrastructure security and what that actually means in practice.
Securing the Future of Operational Technology Network Infrastructure
In terms of protection strategies, what do you need to consider beyond network visibility?
Rick – As we all know, visibility is important, but there’s a whole lot more that needs to be accomplished to protect today’s operational technology, regardless of the vertical. Assuming you’ve got visibility in hand, the next cybersecurity best practice to focus on is how you control and contain within your infrastructure. That implies insisting on zero-trust access, which allows an individual, application, or device to perform a specific role or function, but strictly limits the range and level of engagement. That way if the role or access is compromised, an adversary’s ability to influence the OT network is restricted—the top of mind premise is a commitment to outmaneuvering the cyber adversary. The next critical step beyond control is realizing the value of behavioral analysis and the use of analytics to understand what’s happening within our environment at cutting edge speed.
Today, OT organizations are executing business decisions that lead to the integration of IT and OT infrastructure. OT leaders digest the same news that everybody else reads regarding the dynamic security landscape and the threat vector challenges. Successful cyberattacks occur around the world, so obviously, OT leaders are exposed and aware of the critical need to defend the cyber physical. Successful cyber campaigns have directly or indirectly impacted safe and continuous business. In either instance, we’re witnessing an increased need for integration between enterprise solutions and operational infrastructures. These discussions are no longer about isolation, but aggregation of data, that helps security practitioners make more effective decisions with now embedded device security in play. The security considerations must extend beyond the on-premise system, the operating system, and network infrastructure and take into account the increased dependence on enabled IoT and IIoT devices.
At Fortinet, we’ve been engaging our customers regarding the value of built-in security controls that are baked into the product. We’re having these timely discussions with our OT customers as their cybersecurity needs have expanded and require integration to achieve cyber resilience that is transparent and scalable. The majority of OT customers are seeking to access and leverage greater volumes of data to realize business efficiency and agility.
What approach can we take to choose and plan a framework that can protect against threats?
Rick – When you consider a continuous trust model for operations, it is then essential to adopt a comprehensive model that addresses security from the standpoint of identification, protection, detection, response and recovery. The broad attention and coverage of these elements are key when you consider a cybersecurity framework approach to resolve security gaps and defend high value cyber physical assets.
Dynamically resolving system security gaps requires the adoption of a cybersecurity platform that you can foundationally build upon to sustain proactive defense. With that basic premise in mind, Fortinet offers an ecosystem OT security approach based on our Security Fabric. Employing the industry’s highest performing cybersecurity platform delivers capabilities that span the extended digital attack surface. In turn, the OT customer achieves a robust and mature security solution that delivers on the promise of Zero Trust Access, Security-driven Networking, Adaptive Cloud Security, and AI-driven Security Operations. The commitment to foundationally designing security into systems and leveraging the strengths of an ecosystem-based approach yields a mature framework solution that checks all the boxes to cover cybersecurity gaps.
How can we foster a culture of security?
Jay – The conversation always needs to start by figuring out what is necessary. What do we need? What are our security objectives? How do we create resilience? Talking about technology needs to start by having the support of all security initiatives from physical security, logical security, networking, perimeter security, and so forth. It needs to come from executive leadership and filter on down into cultural training.
Security needs to be part of the culture. Training needs to be consistently provided to all of team members, even the ones that are not in the operational technology space. Everyone needs to understand the appropriate ways to respond when something happens that’s inconsistent with security policies. People are always the first step in building resilience. The responsibility for security needs to be shared across the entire organization.
Once you have this cultural security training, you can start to define a budget and select the appropriate security controls. But, again, the program should be multi-layered. The key is to be prepared.
Executing Operational Technology Business Decisions
What are the unique considerations for cybersecurity at the critical infrastructure level?
Jay – The foundational imperative for OT and the abiding principle is safe, continuous operations. And downtime equates to big losses. So, for OT, the most important considerations are safety, uptime and availability. Unlike enterprise IT, OT organizations don’t have flexibility when it comes to downtime, so availability is absolutely key. Critical national infrastructure mandates a certain percentage of uptime, which makes it more difficult to recognize and implement a security infrastructure. And it means you have to test and validate every single update. Every program, every application, every control has to be tested and validated to make sure that the operation is not disrupted.
Threat vectors are going to continue to evolve, so protection mechanisms must evolve too. The importance and criticality in terms of leadership, support, security, culture, sensitivity, training, that all remains the same and the focus on that should never change. But, the technologies themselves will always evolve. So, getting technically complacent is a dangerous game.
For OT, everything always comes back to understanding the nature of sustaining safe operation and delivering of the service, whether it’s a product or services such as power, delivery, or transportation. Security is a continuous challenge; it won’t be over at any point in time.
Watch the full fireside chat to learn more.
Learn how Fortinet secures the convergence of OT and IT. By designing security into complex infrastructure via the Fortinet Security Fabric, organizations have an efficient, non-disruptive way to ensure that the OT environment is protected and compliant.