Defense-in-depth: a proven strategy to protect industrial assets
"The first step to any effective OT-security program is building alignment between executives, business leaders, IT and operations."
by Enrique Martinez, technical solutions architect--OT Security, World Wide Technology for Smart Industry
World Wide Technology recently released its WWT Research: Security Priorities Report, identifying five priorities for building security into the core of one's business and moving confidently into the future.
The convergence of industrial-automation assets with traditional IT networks introduces a new world of cyber-threats and vulnerabilities with serious implications for both business and public safety.
Security measures have not historically been included in the development and maintenance of operational technology (OT). Until very recently, there were few security vendors or solutions tailored to industrial environments. For many organizations we work with, these systems that have been in operation for years without being subject to the same upgrade and replacement cycles used in IT. Many standard IT security tools, like a simple port scan, can cause integrated computer systems (ICS) devices to stop working permanently.
The bright side is that OT-security solutions are becoming more robust. Still, many industrial leaders and their IT counterparts are playing catch-up and struggling to collaborate effectively on security.
The first step to any effective OT-security program is building alignment between executives, business leaders, IT and operations. Start by bringing key stakeholders together to establish a clear understanding of business line requirements and critical-system interdependencies. You'll need frequent and clear communication between OT, IT and engineering.
I recommend a defense-in-depth strategy, which layers various techniques and methods to cover security vulnerabilities. It's impossible to deploy all security controls at once. With your security working group, identify your biggest vulnerabilities and prioritize your efforts to address your most pressing risks. Some effective tactics to consider: