Webinar covered the transition to a converged IT/OT cyber security solution
Radiflow CISO Rani Kehat recently joined CyberProof cyber security architect Aman Malhotra to present an eye-opening webinar titled A Roadmap To Converged IT/OT Security Operations Centre, hosted by Ben Chant. It sets out a comprehensive guide for SOC teams looking to move from separate IT and OT security methodologies to a converged IT/OT security system. If you missed it, read on for a synopsis.
The webinar addresses the increasingly critical issue of IT/OT convergence. Streamlining processes makes business sense, but it has created significant complications for security teams, because the OT network is now reachable from the IT network it is connected to. The approach presented by Kehat and Malhotra mirrors that convergence: by creating a unified security operation, organizations retain full visibility of both environments and are able to mitigate security risks across them.
If your OT organization has not yet transitioned to a converged cyber security solution, this webinar is an essential resource: it explains how a converged SOC ensures that both your IT and OT elements are optimally protected. You can watch the webinar here, and below is a summary of the main takeaways.
Kehat and Malhotra outline the challenges faced by enterprises, including the increase in automation, the increase in cyber attacks and the corresponding changes in government regulations, and explain the four main steps for transitioning to a unified SOC, illustrating how a risk-based converged cyber security system is much better placed to protect your OT system than previous security solutions.
The four steps to creating a converged SOC are as follows:
- Creating Full Network Visibility
- Assessing Risks And Prioritizing Remediation
- Baseline Vs. Abnormal Activity
- Analysis, Mitigation And Improvement
1. Creating Full Network Visibility
Without clear network visibility, OT systems cannot be monitored, and without monitoring, threat detection is impossible. Creating full visibility is therefore the essential first step.
Visibility is achieved by producing a digital image of the complete network: every element of both the IT and OT environments, including all connections and protocols, all IPs, assets and ports. In multi-facility organizations, each facility should be mapped individually, and the interconnectivity between sites must be included in the image.
2. Assessing Risks And Prioritizing Remediation
It is essential to bear in mind that whereas IT security is primarily concerned with protecting data, OT security protects physical processes and assets, where a compromise can have a direct impact on human safety. In the past, cyber-physical system (CPS) security focused on the possibility of technical failure and human error, and systems were configured accordingly. SOC teams must now include the possibility of deliberate cyber attacks with intent to harm, and understand what that does to their existing safeguards: an attacker will target every layer of defence, including system redundancies, particularly if those redundancies are network-connected. Legacy protections do not offer adequate cover against the modern threat landscape.
Maturity-based security approaches attempt to secure every element uniformly and inspect all traffic passing through the system. In practice this is a non-starter: greater automation and interconnectivity have increased traffic volumes to the point where the approach produces a backlog of security alerts, or in extreme cases brings the system to a standstill. Moving to a risk-based approach lets organizations focus attention and budget where they are most needed. Risk takes into account both the potential for financial (or other) loss and the likelihood of that loss occurring. Each asset is therefore assigned an impact score and an impact zone, and remediation and upgrade priority goes to the critical elements of the system.
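The arithmetic behind "risk = potential loss x likelihood" and "spend where it is most needed" is short, but how it turns an inventory into a funded remediation list is easier to see in code. The following is an added illustrative example, not code from the webinar or from Radiflow's CIARA platform; the assets, impact zones, loss figures, likelihoods, mitigations and costs are all constructed for the demonstration.

```python
"""Risk-based remediation planning: rank assets by expected loss and spend a
fixed budget where it buys the most risk reduction.  Added illustrative
example; all assets, losses, likelihoods and mitigations are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str           # impact zone, e.g. the production line it belongs to
    impact: int         # 1 (nuisance) .. 5 (safety-critical), as in step two
    loss_usd: float     # estimated loss if the asset is compromised
    likelihood: float   # estimated annual probability of compromise, 0..1


@dataclass(frozen=True)
class Mitigation:
    name: str
    asset: str          # name of the asset it protects
    cost_usd: float
    reduction: float    # fraction by which it lowers the asset's likelihood


def expected_loss(asset: Asset) -> float:
    """Risk = potential loss x likelihood of that loss occurring."""
    return asset.loss_usd * asset.likelihood


def rank_assets(assets):
    """Highest expected loss first (impact score breaks ties); this is the
    remediation priority order."""
    return sorted(assets, key=lambda a: (expected_loss(a), a.impact), reverse=True)


def risk_reduced(m: Mitigation, assets_by_name) -> float:
    """Expected loss removed by applying the mitigation."""
    return expected_loss(assets_by_name[m.asset]) * m.reduction


def plan_remediation(assets, mitigations, budget_usd):
    """Greedy allocation: take mitigations in order of risk reduced per dollar
    until the budget is exhausted.  Returns (chosen names, total risk reduced).
    This is a greedy ratio heuristic, not an exact knapsack solution."""
    by_name = {a.name: a for a in assets}
    ranked = sorted(mitigations,
                    key=lambda m: risk_reduced(m, by_name) / m.cost_usd,
                    reverse=True)
    chosen, spent, reduced = [], 0.0, 0.0
    for m in ranked:
        if spent + m.cost_usd <= budget_usd:
            chosen.append(m.name)
            spent += m.cost_usd
            reduced += risk_reduced(m, by_name)
    return chosen, reduced


# Constructed sample inventory (illustrative values only).
ASSETS = [
    Asset("Safety PLC", "Line A / Level 1", 5, 2_000_000, 0.10),
    Asset("Historian", "Site / Level 3", 3, 300_000, 0.30),
    Asset("Engineering workstation", "Line A / Level 2", 4, 800_000, 0.20),
    Asset("HMI", "Line A / Level 2", 3, 400_000, 0.15),
]

# Constructed candidate mitigations with assumed cost and effectiveness.
MITIGATIONS = [
    Mitigation("Segment Safety PLC from IT", "Safety PLC", 40_000, 0.6),
    Mitigation("Patch Historian", "Historian", 5_000, 0.5),
    Mitigation("Allowlist software on EWS", "Engineering workstation", 15_000, 0.5),
    Mitigation("Replace HMI operating system", "HMI", 60_000, 0.7),
]

if __name__ == "__main__":
    for a in rank_assets(ASSETS):
        print(f"{a.name:<24} zone={a.zone:<18} impact={a.impact} "
              f"expected loss=${expected_loss(a):,.0f}")
    chosen, reduced = plan_remediation(ASSETS, MITIGATIONS, budget_usd=60_000)
    print("Fund:", ", ".join(chosen), f"-> ${reduced:,.0f} expected loss removed")
```

With a 60,000 budget the cheap historian patch and the workstation allowlisting are funded before the more expensive PLC segmentation, and the HMI replacement is deferred because it removes the least expected loss per dollar. Replace the constructed figures with the organization's own impact scores and loss estimates; the ranking logic does not change.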
3. Baseline Vs. Abnormal Activity
Once system visibility has been achieved and assets have been graded, a baseline can be established and the system monitored for abnormal activity. Abnormal activity is detected in five categories:
- Behavior anomaly
- Security behavior
- Operational behavior
- Signature based
- Rule based
It is also important to establish separate baselines for network management and other planned configuration states, such as maintenance windows, so that abnormal activity can be detected whatever state the plant is in, and the system is never left unprotected.
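As an added example (not code from the webinar or from Radiflow's products), the following Python builds the step-one "digital image" from flow records, derives one baseline per plant state, and flags any conversation outside the active baseline. It covers the point made here about keeping a separate maintenance baseline: the same engineering-workstation download is legitimate in the maintenance baseline and abnormal in the production one, while an unknown host speaking Modbus is flagged in both. All addresses, ports and flow records are constructed.

```python
"""Build a network map and per-mode baselines from flow records, then flag
conversations outside the active baseline.  Added example; every address,
port and flow record below is constructed for the demonstration."""
import csv
import io
from collections import defaultdict

# Constructed flow records: timestamp,src,dst,proto,dport
# 10.10.1.20 SCADA server, 10.10.2.x PLCs, 10.10.1.30 HMI, 10.20.3.5 historian.
NORMAL_FLOWS = """\
2024-01-10T08:00:01,10.10.1.20,10.10.2.10,tcp,502
2024-01-10T08:00:02,10.10.1.20,10.10.2.11,tcp,502
2024-01-10T08:00:05,10.10.1.30,10.10.1.20,tcp,4840
2024-01-10T08:00:09,10.10.1.20,10.20.3.5,tcp,5450
"""

# Planned maintenance window: the engineering workstation (10.10.1.50)
# downloads logic to a PLC over a vendor programming port.
MAINTENANCE_FLOWS = NORMAL_FLOWS + """\
2024-01-14T02:10:00,10.10.1.50,10.10.2.10,tcp,44818
"""

# Traffic observed later, during normal production.
LIVE_FLOWS = NORMAL_FLOWS + """\
2024-02-01T11:15:00,10.10.1.50,10.10.2.10,tcp,44818
2024-02-01T11:16:00,10.10.1.99,10.10.2.10,tcp,502
"""


def parse_flows(text):
    """Return a list of (timestamp, src, dst, proto, dport) from CSV text."""
    rows = []
    for r in csv.reader(io.StringIO(text)):
        if not r:
            continue
        ts, src, dst, proto, dport = r
        rows.append((ts, src, dst, proto, int(dport)))
    return rows


def build_network_map(flows):
    """Step one, the digital image: every asset with the protocol/ports it is
    contacted on and the hosts it talks to, plus the set of conversations."""
    assets = defaultdict(lambda: {"listens_on": set(), "talks_to": set()})
    conversations = set()
    for _, src, dst, proto, dport in flows:
        assets[dst]["listens_on"].add((proto, dport))
        assets[src]["talks_to"].add(dst)
        conversations.add((src, dst, proto, dport))
    return dict(assets), conversations


def build_baseline(flows):
    """A baseline is the set of conversations seen in a known-good period."""
    return {(src, dst, proto, dport) for _, src, dst, proto, dport in flows}


def detect_abnormal(flows, baseline):
    """Allow-list detection: return flows that fall outside the baseline."""
    return [f for f in flows if f[1:] not in baseline]


# One baseline per plant state, so a maintenance window does not look like
# an attack and an attack during maintenance is still caught.
BASELINES = {
    "production": build_baseline(parse_flows(NORMAL_FLOWS)),
    "maintenance": build_baseline(parse_flows(MAINTENANCE_FLOWS)),
}


def alerts_for_mode(mode):
    """Evaluate the live traffic against the baseline for the current state."""
    return detect_abnormal(parse_flows(LIVE_FLOWS), BASELINES[mode])


if __name__ == "__main__":
    assets, conversations = build_network_map(parse_flows(NORMAL_FLOWS))
    print(f"{len(assets)} assets, {len(conversations)} conversations in the map")
    for mode in BASELINES:
        print(f"[{mode}]")
        for ts, src, dst, proto, dport in alerts_for_mode(mode):
            print(f"  {ts} ABNORMAL {src} -> {dst} {proto}/{dport}")
```

The SOC selects the active baseline from the plant's declared state (a change-management ticket or a maintenance-mode switch), which is what makes the answer to the maintenance question in the Q&A below a practical "yes". Real deployments would learn the baseline over a longer window and add the signature- and rule-based categories on top, but the allow-list comparison shown here is the core of the behaviour-anomaly category.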
4. Analysis, Mitigation And Improvement
A complete cyber security solution should be both reactive and proactive. Proactivity requires understanding not just the organization's internal vulnerabilities but also the threat landscape. MITRE ATT&CK, originally created to pool knowledge about IT cyber threats, now has a dedicated matrix for OT, MITRE ATT&CK for ICS. Using the MITRE framework as the basis for breach and attack simulation (BAS), the system can be tested virtually against the digital image to assess which threats pose a genuine loss risk.
Once a converged security solution is in place, the organization is well-positioned to react to alerts. Bear in mind that neither systems nor the threat landscape are static: ongoing protection requires continuous monitoring together with continuous risk assessment.
The webinar was presented live, which gave viewers the chance to have their questions answered immediately by Kehat and Malhotra:
- How does the digital image differ from CMDB or inventory mapping?
The function of a digital image is not simply to list assets, but to establish a working map that generates data and can alert the SOC to any abnormal activity.
- Is it possible to create different baselines, for example a baseline for maintenance which may be different from normal activity?
The short answer to this is “yes”! For a more detailed explanation, see step three above. The important thing is to establish a set of baselines that works for the needs of the organization.
It Makes Business Sense
Transitioning to a risk-based cyber security system is not only best practice from a security point of view but also makes sense financially. A data-driven approach means that the expected loss from a threat can be weighed against the cost of mitigating it, so that spend goes where it yields the highest return on investment.
Radiflow’s CIARA is a ROI-based risk assessment & management platform for OT, which empowers CISOs to manage cyber risk and mitigate loss in the most efficient way for their particular organization.
You can see how Radiflow’s complete OT cyber security solutions have been implemented in these case studies.
Watch the complete webinar to gain a deeper understanding of the importance of each of the above steps, and how these steps have been implemented for our OT clients.
Feel free to contact us if you have any further questions or for more information about implementing Radiflow’s complete IT/OT security solutions for your OT organization.
If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content.