A new research study by Skybox Security found that 83% of organizations suffered an operational technology (OT) cybersecurity breach in the prior 36 months. However, the research also uncovered that organizations underestimate the risk of a cyberattack, with 73% of CIOs and CISOs “highly confident” their organizations will not suffer an OT breach in the next year.
Wait a minute: CISOs say they’re secure but admit to being breached?
Confused? You’re not alone.
When asked to indicate what challenges they face in securing the OT infrastructure, Architects, Engineers, CIOs, CISOs, and Plant Managers selected ‘functional silos lead to process gaps and technology complexity’ as their top challenge. However, IT Directors didn’t think that functional silos were a big issue. Additionally, over one-third of all respondents said that a top barrier to improving security programs is “making decisions in individual business units with no central oversight.”
The dysfunction often starts with teams believing they don’t have a problem. Unfortunately, denying the truth doesn’t change the facts — although it appears that some in OT security believe the easiest way to solve a security problem is to deny it exists.
Dysfunction + denial = OT security trouble
The fact that functional silos lead to dysfunction is more than just an oxymoron – it’s a problem that impedes the ability of security teams to protect their OT systems.
Over 73% of CIOs and CISOs are highly confident their OT security system will not be breached in the next year compared to only 37% of plant managers, who have more firsthand experiences with the repercussion of attacks. There is no doubt that functional silos contribute to a disconnect between reality and perception, such as CISOs not hearing plant managers’ concerns.
These senior leaders are often not familiar with or responsible for the ICS/OT environments. With this in mind, we see two particular challenges that often arise:
(1) CISOs lack OT know-how
While IT leaders are very familiar with IT networks, they are not always as proficient with OT systems and processes. Often CISOs try to use trusted IT cybersecurity best practices in the OT environment. This can be counterproductive as OT environments are fundamentally different than IT environments and require a much different approach to security.
Developing an IT/OT governance body can help bridge this gap.
Successful security governance in an integrated IT/OT or a CPS environment needs to balance enterprise-wide objectives with respective risk appetites and the capability to direct delivery on security and safety requirements in the two domains. A single governance body can achieve this. Successful security governance in an integrated IT/OT or a CPS environment needs to balance enterprise-wide objectives with respective risk appetites and the capability to direct delivery on security and safety requirements in the two domains. A single governance body can achieve this.
(2) Disconnect between network security policies and operational efficiency
For organizations with a leader with a solid OT technical background, most of the time, the disconnect is merely the difference between security policies and operational efficiency. Plant managers are held to a standard to keep systems running. They recognize that system breaches can shut down operations, as seen in many manufacturers hit by ransomware. However, there has not been enough technology shift to modernize the ICS environments. To this day, we still see many devices with embedded outdated and out-of-support operating systems, such as Windows 95, Windows XP, Windows 7. Nothing can be done about these embedded systems as long as the vendor doesn’t upgrade. Even if the vendor could upgrade, there could be a significant cost associated with the downtime needed to replace these outdated systems and processes.
The network model and exposure analysis provide a unified view of IT/OT environments for informed, coordinated decision making
With our network model, Skybox helps dysfunctional organizations get on the same page by literally “showing” them the risk associated with a lack of compensating controls. Our model shows customers, step by step, how network traffic traverses through environments, graphically highlighting the functional devices that are allowing the access, thus lacking compensating controls.
With the network model, teams can conduct exposure analysis to identify exploitable vulnerabilities and correlate this data with an enterprise’s unique network configurations and security controls to determine if the system is potentially open to a cyberattack. Exposure analysis includes path analysis to ascertain which attack vectors or network paths can access vulnerable systems. This analysis is only possible when disparate data repositories are normalized and brought together into a network model, including patch and asset management systems, vulnerability data, threat intelligence feeds, and cloud and network device configurations.