In the world of cybersecurity, there is no silver bullet. What you can do in your organization is to minimize the attack surfaces and threat vectors, and be vigilant and proactive in your defense against adversaries. To that end, we suggest that you implement a multilayered defense-in-depth cybersecurity strategy and stop the cyber threat early in the kill chain across both the IT and OT environments.
Below are some basic guidelines to help in your planning. As this digital transformation continues to take shape with the convergence of IT and OT, there are some fundamental security best practices that we recommend for organizations across all industries. The specific network architecture might vary across the different verticals, but the general approach is the same.
- The vision, strategy and execution of the business plan need to include security, reliability and safety. These should be part of the business planning process at all levels of the organization, regardless of whether you are an IoT solution provider or a customer.
- Security should be “owned” by one person at the executive level who is responsible for both IT and operations. Security policy, governance and end-user education need to extend across the IT and OT environments as systems are interconnected.
- Technologies and threats across the IT and OT environments should be clearly understood. Technologies that work in the IT environment may not necessarily work in the OT environment. Additionally, threats may be different in the IT and OT environments.
- A threat intelligence framework needs to be set up so that the organization can be up to date on the latest information on threats and be prepared to deal with them.
- Baseline security controls should be deployed across all layers of the organization’s environments. (See Figure 2 below for the security reference diagram that provides guidance on where and how to best deploy security controls across both IT and OT.)
- Regular risk assessments across all environments must be performed to identify vulnerabilities and ensure that the appropriate security controls are in place.
- The organization and its customers should consider NIST SP 800-53 for IT, and NIST SP 800-82 and ISA/IEC 62443 for ICS and OT.
- Establish or update the security patch process to better address vulnerabilities. Follow the recommendations laid out in IEC 62443-2-3, which describes requirements for patch management for control systems.
- Develop ICS-specific policies and procedures that are consistent with IT security, physical safety and business continuity.
To learn more about IT/OT Convergence and Cybersecurity, Security Challenges for IIoT, Cybersecurity Framework, Technologies to Consider and how to Choose a Security Vendor, download this free whitepaper.
Richard Ku has more than 23 years of hands-on experience in the hi-tech and security industry in a number of leading roles, both as an individual contributor and in management. He currently serves as Sr. Vice President of Product and Services Management for Trend Micro Enterprise and Small Business Foundation Security Products and Services.
Joe Weiss, PE, CISM, CRISC, ISA Fellow, IEEE Senior Member, MD ISA99, is an industry expert on control systems and the electronic security of control systems, with more than 40 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI), where he led a variety of programs including the Nuclear Plant Instrumentation and Diagnostics Program, the Fossil Plant Instrumentation & Controls Program, the Y2K Embedded Systems Program and cybersecurity for digital control systems.