Five essential steps for a converged IT/OT SOC
Establishing a converged IT/OT security operations centre presents a unified front against threats to IT and OT assets while reducing overheads.
Until recently, enterprise operational technology (OT) environments have been air-gapped from organisations’ information technology (IT) environments and from the internet. As a result, OT was largely insulated from cyber threats, and cyber defence of OT was not a priority until relatively recently. The importance of OT cybersecurity has increased dramatically with digital transformation, because the convergence of the distinct worlds of IT and OT introduces cyber risk to highly vulnerable industrial control systems (ICS).
When it comes to the need for strong industrial cybersecurity, many enterprises received a major wake-up call when NotPetya — widely regarded as one of the costliest and most destructive cyber attacks in history — caused billions in damages and affected IT and OT environments alike. NotPetya’s infiltration of OT was largely unintentional and opportunistic collateral damage made possible by IT/OT convergence. However, in the years since NotPetya, adversaries have grown more deliberate in their targeting of industrial technology, exploiting poor IT/OT segmentation to gain access to targeted systems. To combat the growing threat of cyber attacks against OT, CISOs are faced with the task of protecting industrial technology that was not designed with security in mind.
As the digitisation of OT and other industrial technologies grows increasingly ubiquitous, security leaders cannot afford to leave things to chance when it comes to the threat of a cyber attack against critical infrastructure and industrial processes. That being said, security teams face some unique challenges in defending OT assets. In particular, the use of proprietary protocols, a lack of standardised technology and the complexity of OT environments make traditional IT security tools, legacy systems and network equipment ineffective — thus necessitating purpose-built industrial cybersecurity tools.
Making the case for a converged IT/OT SOC
While OT does require specific tools for industrial cybersecurity, one area where enterprises can leverage their existing resources and personnel is the security operations centre (SOC). The best industrial cyber defence strategy is to present a unified front against threats to IT and OT assets by establishing a converged SOC that protects these once separate technology environments in a holistic manner.
The SOC is already widely accepted as a hallmark of mature IT security programs. By consolidating OT security with your existing, IT-centric SOC, you can gain greater visibility across the entire enterprise, enhanced security monitoring and comprehensive threat mitigation. IT/OT SOC convergence also enables a standardised approach to enterprise security that facilitates a secure digital transformation by enabling rapid configuration changes, new policy implementation and compliance to new regulations or industry standards from one view. Collectively, these benefits amount to better risk management.
Like any major cybersecurity initiative, executive buy-in is typically a prerequisite for moving forward with a consolidated approach to IT and OT security. To do this, you will need to clearly articulate the benefits of a converged IT/OT SOC.
Performance advantages
A holistic approach to IT and OT security grants the CISO a singular, cohesive view of risk for the entire organisation. Moreover, a converged IT/OT SOC team that is accountable for all risks allows for centralised incident response that includes triage, investigation and mitigation. As a result, organisations are able to respond to security incidents faster and more effectively.
Cyber threats to OT almost always enter via the IT network before spreading laterally to the OT environment. For this reason, a singular OT security taskforce that operates separately from existing IT security teams would be far less effective and significantly more costly than an integrated IT/OT SOC.
Efficiency advantages
In addition to delivering the performance advantages described above, properly executed convergence of the SOC to secure IT and OT can significantly reduce technology total cost of ownership (TCO) while utilising the skills of existing staff.
People
Since the approach to IT/OT SOC consolidation detailed here largely relies on leveraging existing personnel rather than hiring new employees, it is designed to optimise and expand upon current security capabilities with minimal headcount impact. Moreover, this approach requires almost no change in SOC personnel’s method of operation, and an integrated IT/OT SOC eliminates the need for redundant roles across two separate teams.
Technology
Executed properly, IT/OT SOC consolidation can also substantially reduce technology TCO and complexity, since this approach encourages the use of existing tools whenever possible. Organisations can maximise ROI on existing security management interfaces, detection and response tools, and network security technologies by integrating OT security datasets, alerts and forensic information with IT security tools and datasets.
Establishing a converged IT/OT SOC
When it comes to establishing a converged IT/OT SOC, attaining stakeholder buy-in from leadership is just a precursor to the real work. Below are some essential steps that have proven instrumental in optimising the efficacy, efficiency and implementation time of such initiatives.
Appoint a designated IT/OT cybersecurity program manager
Once you attain the stakeholder support necessary to move forward with IT/OT SOC consolidation, you need to designate one individual to lead this initiative, reporting directly to the CISO. The IT/OT cybersecurity program manager will play a central role throughout the remaining steps described below, so great care should be taken to select a strong, detail-oriented leader to oversee this undertaking.
Ideally, the IT/OT cybersecurity program manager should be appointed internally. In large part, this is because strong, pre-existing working relationships within the organisation can be valuable for overcoming some of the challenges involved in building such a program. However, given the importance of the role, it should be treated as a full-time position in itself, rather than an additional responsibility layered onto someone’s existing job.
Given the differing — and sometimes conflicting — priorities of IT and OT personnel, the IT/OT cybersecurity program manager must be capable of finding middle ground and moving these once separate teams towards common objectives.
Achieve optimal alignment with existing cybersecurity capabilities
Since maximising ROI is one of the key advantages of a consolidated IT/OT SOC, it is important to leverage your existing cybersecurity infrastructure as much as possible. This necessitates a thorough assessment of these capabilities, with the objective of identifying areas in which tools already at your disposal can be leveraged, while zeroing in on gaps in existing technology where you will need to bring in new solutions.
When it comes to closing technology gaps in your OT security capabilities, integrations and vendor strength should be top of mind. It’s important for these new solutions to be compatible with existing IT security tools as much as possible.
A strong, centralised ecosystem of integrations can significantly bolster ease of maintenance and upgrades, while also enabling automatic health checks and monitoring. Integrations also facilitate the incorporation of existing standard operating procedures (SOPs) and other playbooks into the converged IT/OT SOC.
Gain visibility into IT and OT security alerts within the OT environment
With increased interconnectivity to IT networks, OT environments are exposed to IT-centric cyber threats they were previously isolated from. Over the past several years, cyber attacks such as WannaCry and NotPetya have wrought havoc upon OT environments around the globe. While devastating, these attacks have also led to increased awareness of the need to detect the cross-proliferation of IT cyber threats within OT environments.
As shown in Figure 1, cyber threats to OT typically enter the enterprise technology environment via the IT network, before moving laterally to compromise OT assets. Given this typical infection pattern, it is crucial to have unified visibility across IT and OT environments.
Since SOC personnel are already trained to handle IT security alerts, it is often the case that only minimal changes need to be made to existing playbooks to make them applicable to OT. And since your team likely has existing access to IT security technologies capable of detecting IT cyber threats, all that is required of this step is to ensure those abilities are properly applied to your OT environment. However, your team will need purpose-built technology that effectively establishes visibility into the OT environment in order to take advantage of these existing capabilities.
Once your SOC has visibility into IT security alerts, the next task is to gain visibility into OT-specific alerts. To effectively monitor and defend against threats to their organisation’s OT environment, IT security teams need real-time visibility into three integral dimensions:
- Asset visibility: Detailed visibility into all devices on an OT network, covering an extensive set of attributes, is essential for identifying and assessing vulnerabilities with precision.
- Network visibility: Visibility enables easy, rapid detection of misconfigurations, traffic overloads and other issues which may pose risks to reliability, availability and safety.
- Process visibility: Being able to track OT operations — as well as the code section changes and tag values for all processes which involve OT assets — is also crucial for identifying abnormal changes in OT process values or unusual behaviours indicative of an early-stage attack, operational reliability issues or other potential risks within your industrial environment.
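As an added illustration of the three visibility dimensions above (this is example code, not from the article or any vendor product), here is a small Python monitor run over constructed telemetry records; the device names, protocols, tag limits and program hashes are assumptions made for the example:

```python
# Added example: minimal checks for the asset, network and process
# visibility dimensions. All inventory data, limits and events are constructed.

# Constructed asset inventory: known devices and the protocols each may use.
KNOWN_ASSETS = {
    "plc-01": {"allowed_protocols": {"modbus"}},
    "hmi-01": {"allowed_protocols": {"modbus", "https"}},
}
# Constructed engineered operating range per process tag (engineering units).
TAG_LIMITS = {"plc-01/tank_level": (10.0, 90.0), "plc-01/pump_speed": (0.0, 1500.0)}

# Constructed telemetry: one observation per record from an OT network sensor.
SAMPLE_EVENTS = [
    {"kind": "flow", "src": "hmi-01", "dst": "plc-01", "proto": "modbus"},    # normal
    {"kind": "flow", "src": "laptop-77", "dst": "plc-01", "proto": "modbus"}, # unknown asset
    {"kind": "flow", "src": "hmi-01", "dst": "plc-01", "proto": "smb"},       # unexpected protocol
    {"kind": "tag", "tag": "plc-01/tank_level", "value": 55.0},               # in range
    {"kind": "tag", "tag": "plc-01/tank_level", "value": 97.5},               # out of range
    {"kind": "program", "asset": "plc-01", "section": "main", "hash": "a1b2"},   # baseline
    {"kind": "program", "asset": "plc-01", "section": "main", "hash": "c0ffee"}, # logic changed
]

def analyse(events, known=KNOWN_ASSETS, limits=TAG_LIMITS):
    """Return a list of (dimension, detail) findings for the SOC to triage."""
    findings = []
    program_baseline = {}  # (asset, section) -> last seen code-section hash
    for ev in events:
        if ev["kind"] == "flow":
            # Asset visibility: any endpoint missing from the inventory is a finding.
            for host in (ev["src"], ev["dst"]):
                if host not in known:
                    findings.append(("asset", f"unknown device {host}"))
            # Network visibility: a known device speaking a protocol it should not.
            src = known.get(ev["src"])
            if src and ev["proto"] not in src["allowed_protocols"]:
                findings.append(("network", f"{ev['src']} used {ev['proto']} to {ev['dst']}"))
        elif ev["kind"] == "tag":
            # Process visibility: tag value outside its engineered operating range.
            lo, hi = limits.get(ev["tag"], (float("-inf"), float("inf")))
            if not lo <= ev["value"] <= hi:
                findings.append(("process", f"{ev['tag']}={ev['value']} outside [{lo}, {hi}]"))
        elif ev["kind"] == "program":
            # Process visibility: a changed code-section hash means the PLC logic changed.
            key = (ev["asset"], ev["section"])
            previous = program_baseline.setdefault(key, ev["hash"])
            if previous != ev["hash"]:
                findings.append(("process", f"logic change on {ev['asset']}/{ev['section']}"))
                program_baseline[key] = ev["hash"]
    return findings
```

Each finding carries the dimension it belongs to, so it can be routed to the matching playbook in the converged SOC.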
Designate a cybersecurity site leader for each OT site
Likely the most involved step outlined here — depending on the number of sites your team is responsible for securing — will be the need to designate an OT cybersecurity site leader (CSL) at each of your organisation’s physical OT sites who will serve as the eyes and ears of your converged IT/OT SOC for that location.
The CSL for each facility will serve as a critical liaison between OT personnel and the SOC. In contrast with the IT/OT cybersecurity program manager role, which involves a great deal of strategic leadership, the CSL role is an additional responsibility taken on by a designated onsite staff member to serve as a point person in the event of an incident. As such, the CSL must be knowledgeable about SOC procedures, requirements and objectives — or alternatively, undergo thorough education and training on these subject matters.
Despite the importance of the CSL role, this responsibility can typically be assumed by an existing staff member and be handled alongside their existing work responsibilities. During a security incident, the CSL must be prepared to lead rapid response, coordinating with SOC and site-specific OT personnel. The CSL must be able to accurately gauge the severity of the event and weigh the trade-off between the risk at hand and the potential operational disruptions that mitigation actions could cause. This level of nuanced decision-making necessitates proper training, as well as clear communication of expectations regarding standard operating procedures.
Establish an SIRT tasked with handling standard operating procedures
Having appointed a CSL for each physical OT site, the next step is to establish a security incident response team (SIRT), which will be in charge of overseeing all OT security practices and standard operating procedures (SOPs). By empowering your newly converged IT/OT SOC with purpose-built SOPs, the SIRT will enable your organisation to strengthen its holistic industrial cybersecurity across IT and OT environments over time by continuously adding new responses and tailoring existing responses as your organisation encounters new types of threats and incidents. The SIRT should also be tasked with investigating escalated OT security alerts, which can provide them with the insight needed to develop new SOPs, while refining existing ones.
For smaller organisations, the SIRT role(s) could be entrusted to existing employees in order to avoid unnecessary costs of hiring new personnel. Qualified individuals may include members of the security team who are familiar with OT processes or, conversely, personnel from the OT side with cybersecurity knowledge. For organisations with large IT/OT environments, hiring or appointing a dedicated individual or team to focus primarily on operating the SIRT may be beneficial.
When it comes to developing SOPs for your converged IT/OT SOC, it is important to remember that it’s not necessary to reinvent the wheel. It is best to start with some standard SOPs for addressing common scenarios. It must be noted that the same situation may require a different response in an OT context than in an IT context. As such, it’s important for security leaders who are largely unfamiliar with OT to seek guidance and expertise in establishing these initial SOPs.
Whenever the IT/OT SOC encounters an unfamiliar situation in which existing SOPs are not effective or applicable, it should coordinate with the SIRT to determine the most appropriate course of action. When necessary, the SIRT may escalate the alert to external cybersecurity services, typically in scenarios where the threat is severe and the most effective course of action is unclear.
Once the incident at hand has been addressed, the SIRT will write a new SOP detailing how to respond to the event next time it occurs. This new response procedure will be added to the existing SOP repository for future reference and training for CSLs and IT/OT SOC personnel.
Conclusion
The five essential building blocks of a converged IT/OT SOC described in the previous section are ambitious, but they are necessary for managing risk effectively within industrial environments. The ease, effectiveness, cost efficiency and speed at which they can be implemented can be dramatically enhanced by partnering with a vendor that has tried-and-true expertise, experience and purpose-built technology for securing industrial technology environments.