Summary
Highlights
The speaker introduces the concept of situational awareness in OT, emphasizing the need to know 'everything about everything' within an OT environment. Unlike IT, where data protection is paramount, OT security prioritizes safety, uptime, and production continuity. OT encompasses various sectors like healthcare, manufacturing, and critical infrastructure, where systems often operate for 15-20 years, making them inherently different from typical IT environments.
OT environments face several security challenges due to their relative immaturity in cyber security. These include a lack of visibility, which hinders risk assessment, segmentation design, and incident response. The traditional CIA triad (Confidentiality, Integrity, Availability) is reversed in OT, with Availability (preventing downtime) being the top priority, followed by Integrity (ensuring processes operate as designed) and then Confidentiality. Safety is paramount, and production managers prioritize output, safety, and reliability over addressing CVEs. Other major risks include obsolescence, uncontrolled remote access, internet exposures, and the exposure of OT assets to IT systems.
OT systems are categorized into three tiers, each requiring a different approach to security: safety-critical, production-critical, and OT support systems. Safety-critical systems, such as those monitoring pressure or temperature, are designed to prevent human injury or catastrophes, and patching them often requires regulatory approval. Production-critical systems generate revenue, and any change or downtime leads to financial loss. OT support systems are more akin to IT systems within the OT environment, controlling configurations and being primary targets for attacks.
Unlike IT, where vulnerabilities are patched quickly, OT patching is a complex process. Every change is a significant operational risk, potentially affecting safety certifications or requiring costly re-certification. Downtime is not an option for many OT systems, which lack the redundancy common in IT. Vulnerability prioritization in OT considers factors like network exposure, asset criticality, exploitability, patch availability, regulatory approval, vendor re-certification, blast radius, operational sensitivity, and asset lifecycle.
Segmentation is identified as the highest impact control in OT cybersecurity, as 60-75% of vulnerabilities require network access to exploit. Proper segmentation limits lateral movement, reduces the attack surface, and enables proportionate monitoring. The NIS 2 directive and Cyber Fundamentals highlight the mandatory requirements for asset inventory, classification, and understanding the significance of assets to an entity's operations. This detailed visibility is crucial for compliance and effective risk management.
An effective OT cybersecurity program involves a project kickoff to define critical services and strategy, anchored in frameworks like NIS 2.0 or IEC 62443. It requires comprehensive understanding of all assets, risks, threats, and vulnerabilities, followed by threat and risk assessment. Key remediations include network segmentation, secure remote access, and life cycle management. This is a continuous improvement process, with significant maturity jumps possible in areas like network segmentation.
In response to a question about EU focus on digital sovereignty, the speaker recommends familiarizing oneself with the Critical Entities Resilience Act (CER) and Dora (Digital Operational Resilience Act), particularly regarding dependency mapping and supply chain understanding. When asked about AI in OT, the speaker expresses caution, especially concerning autonomous decision-making in safety-critical systems, preferring AI's use for gap analysis in policy alignment rather than direct operational control due to potential risks to human life.
Addressing the impact of incidents like the Colonial Pipeline and Jaguar Land Rover attacks, the speaker clarifies that these were primarily IT incidents that cascaded into OT, causing operational disruption due to dependencies. This highlights that OT is often a casualty of IT attacks, underscoring the critical need to understand and manage IT-OT dependencies and possibly even consider separating IT and OT systems to protect operational resilience from IT-borne threats.