OT Cybersecurity Best Practices
Some of the OT security best practices for implementing a robust protection system include:
- Network mapping and connectivity analysis
- Detection of suspicious activities, exposures and malware attacks
- Application of a zero trust framework
- Aligning the right tools for remote access
- Controlling identity and access management (IAM)
Network mapping and connectivity analysis
Understanding the physical and digital locations of all devices mapped on the network should be a primary concern of operational technology managers.
For example, if a programmable logic controller (PLC) communicates with a different PLC due to a bug or hack, it is critical for a manager to be able to detect this problem as well as implement a mitigation strategy as soon as possible. This can only be achieved if the relationships of all assets are accurately mapped.
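The PLC-to-PLC scenario above is easiest to act on when the mapping exercise produces a machine-readable baseline of which assets are expected to talk to each other. The following script is an added example, not code from the Fortinet article: it holds a constructed asset inventory and baseline of expected conversations, then checks constructed flow records against them and flags anything outside the map, with unmapped assets and unexpected PLC-to-PLC traffic rated highest. The IP addresses, asset names, historian port and flow format are all assumptions for illustration.

```python
"""Flag OT network flows that fall outside a mapped asset-relationship baseline.

Added example (not from the Fortinet article). Inventory, baseline and flow
records below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed asset inventory: IP -> (asset name, role, physical location)
ASSETS = {
    "10.0.1.10": ("HMI-1", "hmi", "control room"),
    "10.0.1.20": ("PLC-A", "plc", "line 1"),
    "10.0.1.21": ("PLC-B", "plc", "line 2"),
    "10.0.1.30": ("HIST-1", "historian", "server room"),
}

# Constructed baseline of expected conversations (src, dst, dst_port) as
# produced by the mapping exercise. 502 is Modbus/TCP; 5000 is a
# hypothetical historian collector port.
BASELINE = {
    ("10.0.1.10", "10.0.1.20", 502),
    ("10.0.1.10", "10.0.1.21", 502),
    ("10.0.1.20", "10.0.1.30", 5000),
    ("10.0.1.21", "10.0.1.30", 5000),
}


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    reason: str
    severity: str


def parse_flow(line):
    """Parse a constructed flow record of the form 'src,dst,dst_port,bytes'."""
    src, dst, port, nbytes = line.strip().split(",")
    return src, dst, int(port), int(nbytes)


def describe(ip):
    """Human-readable asset label, falling back to 'unknown' for unmapped IPs."""
    name, role, loc = ASSETS.get(ip, ("unknown", "unknown", "unknown"))
    return f"{name} ({role}, {loc})"


def check_flow(src, dst, port):
    """Return a Finding when a flow is outside the baseline, else None."""
    if (src, dst, port) in BASELINE:
        return None
    src_role = ASSETS.get(src, (None, "unknown", None))[1]
    dst_role = ASSETS.get(dst, (None, "unknown", None))[1]
    if src_role == "unknown" or dst_role == "unknown":
        # An asset that is not in the map at all is the most urgent case:
        # either the inventory is stale or something new is on the network.
        return Finding(src, dst, port, "unmapped asset involved", "high")
    if src_role == "plc" and dst_role == "plc":
        # Controllers normally talk to the HMI and historian, not to each other.
        return Finding(src, dst, port, "PLC-to-PLC communication not in baseline", "high")
    return Finding(src, dst, port, "flow not in baseline", "medium")


def analyze(lines):
    """Run every flow record through check_flow and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        src, dst, port, _ = parse_flow(line)
        finding = check_flow(src, dst, port)
        if finding:
            findings.append(finding)
    return findings


# Constructed flow records: two expected, one PLC-to-PLC, one from an unmapped host
SAMPLE_FLOWS = """\
10.0.1.10,10.0.1.20,502,1200
10.0.1.20,10.0.1.30,5000,8800
10.0.1.20,10.0.1.21,502,640
10.0.1.99,10.0.1.21,502,300
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS):
        print(f"[{f.severity}] {describe(f.src)} -> {describe(f.dst)}:{f.port}: {f.reason}")
```

The baseline set is the product of the mapping step; keeping it as data rather than hard-coded rules means the detection logic does not change when the plant layout does, only the map.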
Detect suspicious activity, exposures and malicious attacks
Determining the types of activity you will label as “suspicious,” including problem exposures and malware attacks, is important because you don’t want your team to be distracted by false alarms. At the same time, underreporting can allow threats to slip through the cracks.
Detection of these types of activities and threats is often done by a security information and event management (SIEM) system. Because the people and technology involved in SIEM systems are intimately familiar with the threat landscape, it is easier for them to assess the types of attacks and activity that could affect your operational technology.
You can also identify threats using next generation firewalls (NGFW), which can scan data packets streamed across your network from the Internet. If a threat is detected, the data packet associated with it can be discarded, protecting your system and its assets.
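The balance described above, deciding what counts as "suspicious" without burying the team in false alarms, comes down to rule thresholds and alert suppression in the SIEM. The script below is an added example and not the Fortinet article's or any vendor's code: it parses constructed syslog-style OT events and applies three illustrative rules (a burst of failed logins within a time window, a controller configuration write outside a maintenance window, and a malware signature hit), while suppressing repeat alerts for the same key so one incident does not produce dozens of tickets. The event format, thresholds, maintenance window and host names are all assumptions.

```python
"""SIEM-style rule evaluation over OT event logs with alert suppression.

Added example (not from the Fortinet article). Event format, rules and sample
lines are constructed for illustration; a real SIEM ingests syslog/CEF/etc.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<ISO timestamp> <host> <event type> key=value ..."
SAMPLE_EVENTS = """\
2024-05-01T03:10:00 plc-a plc_write user=eng1 src=10.0.1.10 target=program
2024-05-01T14:00:00 hmi-1 auth_fail user=admin src=10.0.5.77
2024-05-01T14:00:10 hmi-1 auth_fail user=admin src=10.0.5.77
2024-05-01T14:00:20 hmi-1 auth_fail user=admin src=10.0.5.77
2024-05-01T14:00:30 hmi-1 auth_fail user=admin src=10.0.5.77
2024-05-01T14:00:40 hmi-1 auth_fail user=admin src=10.0.5.77
2024-05-01T14:00:50 hmi-1 auth_fail user=admin src=10.0.5.77
2024-05-01T14:05:00 plc-a plc_write user=eng1 src=10.0.1.10 target=program
2024-05-01T14:06:00 hist-1 malware sig=constructed-signature-1 action=quarantined
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_event(line):
    """Turn one constructed log line into a dict with a datetime 'ts'."""
    ts, host, etype, rest = LOG_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype, **fields}


class Detector:
    def __init__(self, fail_threshold=5, window=timedelta(minutes=5),
                 suppress=timedelta(minutes=10), maintenance=(1, 5)):
        self.fail_threshold = fail_threshold   # failed logins before alerting
        self.window = window                   # sliding window for the count
        self.suppress = suppress               # minimum gap between repeat alerts
        self.maintenance = maintenance         # approved change hours (start, end), assumed
        self.failed = defaultdict(list)        # (host, src) -> recent failure timestamps
        self.last_alert = {}                   # alert key -> time of last alert
        self.alerts = []

    def _alert(self, key, ts, severity, message):
        """Record an alert unless the same key fired within the suppression window."""
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.suppress:
            return False
        self.last_alert[key] = ts
        self.alerts.append({"ts": ts, "severity": severity, "message": message})
        return True

    def process(self, ev):
        etype = ev["type"]
        if etype == "auth_fail":
            key = (ev["host"], ev["src"])
            times = self.failed[key]
            times.append(ev["ts"])
            while times and ev["ts"] - times[0] > self.window:
                times.pop(0)            # forget failures older than the window
            if len(times) >= self.fail_threshold:
                self._alert(("auth_fail_burst",) + key, ev["ts"], "high",
                            f"{len(times)} failed logins to {ev['host']} from {ev['src']} in {self.window}")
        elif etype == "plc_write":
            start, end = self.maintenance
            if not (start <= ev["ts"].hour < end):
                self._alert(("offhours_write", ev["host"], ev["user"]), ev["ts"], "medium",
                            f"{ev['user']} changed {ev['target']} on {ev['host']} outside the maintenance window")
        elif etype == "malware":
            self._alert(("malware", ev["host"], ev["sig"]), ev["ts"], "critical",
                        f"malware {ev['sig']} on {ev['host']} ({ev['action']})")


def run(lines):
    """Feed every event to a fresh Detector and return the alerts it raised."""
    det = Detector()
    for line in lines:
        if line.strip():
            det.process(parse_event(line))
    return det.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a['ts'].isoformat()} [{a['severity']}] {a['message']}")
```

With the sample data the six failed logins produce one alert rather than two (the sixth is suppressed), the 03:10 write during the maintenance window is silent, and the 14:05 write and the malware hit each produce one alert. Raising the threshold lowers noise at the cost of the underreporting the article warns about, so the numbers deserve review against real event volumes.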
Applying a zero-trust framework
The zero-trust framework is built on the principle of “never trust, always verify”. Within this kind of system, every person, device, application, and network is considered a threat. Therefore, it is the responsibility of each of these entities to prove their legitimacy before they are allowed to connect.
This often includes multi-factor authentication (MFA) tools that require more than one form of identity verification. For example, a team member may be required to provide a password, answer a security question, and submit a scanned fingerprint. This greatly reduces the likelihood that an attacker will find a way to break into your system. In this and other operational technology examples, the focus should be on securing the system while minimizing the amount of additional work required of employees and others. Providing short training sessions when needed can streamline the implementation of a zero-trust framework.
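"Never trust, always verify" means that every access request is evaluated on its own merits rather than on the fact that the caller is already on the network. The policy function below is an added example, not the article's or any product's code: it checks each request against a constructed user directory, a device inventory with a posture flag, a role-to-resource policy, and an MFA rule that requires factors from at least two different categories (so a password plus a security question counts as one category, while adding the fingerprint from the article's example satisfies the rule). User names, device IDs, resource names and the factor taxonomy are all assumptions.

```python
"""Per-request zero-trust access decision.

Added example (not from the Fortinet article). Directory, device inventory,
policy table and factor categories are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    factors: tuple   # factor types presented, e.g. ("password", "fingerprint")
    resource: str
    action: str


# Constructed identity directory: bob's contract has ended and his account is disabled
USERS = {
    "alice": {"roles": {"operator"}, "active": True},
    "bob": {"roles": {"contractor"}, "active": False},
}

# Constructed device inventory with a posture (compliance) flag
DEVICES = {
    "ws-17": {"owner": "alice", "compliant": True},
    "laptop-3": {"owner": "bob", "compliant": False},
}

# Constructed policy: (resource, action) -> roles allowed to perform it
POLICY = {
    ("hmi-1", "read"): {"operator", "engineer"},
    ("hmi-1", "write"): {"engineer"},
    ("plc-a", "write"): {"engineer"},
}

# Factor categories: something you know, have, or are
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "otp": "possession",
    "fingerprint": "inherence",
}


def evaluate(req):
    """Return (allowed, reasons). Every check runs on every request; nothing is cached."""
    reasons = []
    user = USERS.get(req.user)
    if not user or not user["active"]:
        return False, ["unknown or disabled user"]

    # MFA: at least two distinct categories, not just two prompts
    categories = {FACTOR_CATEGORY.get(f) for f in req.factors} - {None}
    if len(categories) < 2:
        reasons.append("MFA requires factors from at least two categories")

    # Device must be known, assigned to this user, and pass posture checks
    device = DEVICES.get(req.device_id)
    if not device or device["owner"] != req.user:
        reasons.append("device not registered to this user")
    elif not device["compliant"]:
        reasons.append("device fails posture check")

    # Authorization is per resource and action, never implied by network location
    allowed_roles = POLICY.get((req.resource, req.action), set())
    if not user["roles"] & allowed_roles:
        reasons.append(f"role not authorized for {req.action} on {req.resource}")

    return (not reasons), reasons


if __name__ == "__main__":
    req = AccessRequest("alice", "ws-17", ("password", "fingerprint"), "hmi-1", "read")
    print(evaluate(req))
```

Returning the full list of reasons rather than stopping at the first failure is a deliberate choice: it lets the help desk tell an employee exactly what to fix, which keeps the extra work on staff low, as the article recommends.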
Aligning the right tools for remote access
Ensuring the right people and systems have access to your operational technology is essential, especially as they can be critical to the flow of business. An OT system is often different from an IT system because it usually does not have a full set of tools that can be configured in detail to allow remote access. To account for this difference, administrators should ensure that the following receive attention:
- Identity and credential management
- Password control and security
- Multi-factor authentication
- Ensuring the right people have the access they need
- Monitoring and managing the access privileges of current and former employees
Controlling identity and access management (IAM)
Controlling who has access to your system plays a big role in your cybersecurity, especially because letting the wrong person in can make it easier for an attacker to break in. Sometimes a well-intentioned employee may leave their login credentials exposed or otherwise insecure, allowing a hacker to break into a critical system. Therefore, you should keep the following in mind:
- Training employees on how to protect their access credentials
- Ensuring that a least-privilege policy is maintained across the organization that limits access rights to those who absolutely need them
- Termination of access privileges of former employees as soon as possible
- Revoking access that has been temporarily granted to visitors and other guests
While it is possible to revoke access privileges too early, this is usually easier to fix than to recover from a cyber attack.
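The remote-access checklist above and the IAM points in this section both come down to a periodic access review: compare what the OT access system actually grants against the HR record and the least-privilege baseline, then act on the differences. The script below is an added example and not the article's code: it cross-checks constructed account records against a constructed HR feed and role-permission table, and reports accounts that should be disabled (terminated staff), revoked (expired temporary guest access), investigated (no HR record) or trimmed (permissions beyond the role). User names, roles, permission strings and dates are all assumptions.

```python
"""Periodic OT access review against HR status and a least-privilege baseline.

Added example (not from the Fortinet article). HR feed, role table and account
records are constructed for illustration.
"""
from datetime import date

# Constructed HR feed: user -> (employment status, termination date)
HR = {
    "alice": ("active", None),
    "bob": ("terminated", date(2024, 4, 30)),
    "carol": ("active", None),
}

# Constructed least-privilege baseline: what each role legitimately needs
ROLE_PERMS = {
    "operator": {"hmi:read"},
    "engineer": {"hmi:read", "hmi:write", "plc:program"},
}

# Constructed export from the OT access system
ACCOUNTS = [
    {"user": "alice", "role": "operator", "enabled": True,
     "perms": {"hmi:read", "plc:program"}, "expires": None, "guest": False},
    {"user": "bob", "role": "engineer", "enabled": True,
     "perms": {"hmi:read", "hmi:write", "plc:program"}, "expires": None, "guest": False},
    {"user": "carol", "role": "engineer", "enabled": True,
     "perms": {"hmi:read", "hmi:write", "plc:program"}, "expires": None, "guest": False},
    {"user": "vendor-guest", "role": "operator", "enabled": True,
     "perms": {"hmi:read"}, "expires": date(2024, 5, 1), "guest": True},
    {"user": "svc-legacy", "role": "operator", "enabled": True,
     "perms": {"hmi:read"}, "expires": None, "guest": False},
]


def review(accounts, hr, role_perms, today):
    """Return (user, recommended action, detail) tuples for every discrepancy found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        status, term_date = hr.get(user, ("unknown", None))

        # Former employees: terminate access as soon as HR marks them terminated
        if acct["enabled"] and status == "terminated":
            findings.append((user, "disable", f"terminated on {term_date} but account still enabled"))

        # Temporary access for visitors and guests must not outlive its expiry
        if acct["enabled"] and acct["expires"] and acct["expires"] < today:
            findings.append((user, "revoke", f"temporary access expired on {acct['expires']}"))

        # An enabled non-guest account with no HR record needs an owner
        if acct["enabled"] and status == "unknown" and not acct["guest"]:
            findings.append((user, "investigate", "enabled account with no HR record"))

        # Least privilege: anything beyond the role's baseline is excess
        extra = acct["perms"] - role_perms.get(acct["role"], set())
        if extra:
            findings.append((user, "reduce", f"permissions beyond role '{acct['role']}': {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for user, action, detail in review(ACCOUNTS, HR, ROLE_PERMS, date(2024, 5, 10)):
        print(f"{action:12} {user:14} {detail}")
```

Running the review on a schedule, and again whenever the HR feed changes, is what turns "as soon as possible" in the list above into a measurable interval. Because the script only recommends actions, an over-eager revocation is a ticket to reopen rather than an outage, which is the trade-off the closing sentence of this section accepts.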
This is an excerpt from an article published by Fortinet. Read the full article here.