A new research study by Skybox Security found that 83% of organisations suffered an operational technology (OT) cyber security breach in the prior 36 months. However, the research also uncovered that organisations underestimate the risk of a cyber attack, with 73% of CIOs and CISOs “highly confident” their organisations will not suffer an OT breach in the next year.
Wait a minute: CISOs say they’re secure but admit to being breached?
Confused? You’re not alone.
When asked to indicate what challenges they face in securing the OT infrastructure, architects, engineers, CIOs, CISOs and plant managers selected ‘functional silos lead to process gaps and technology complexity’ as their top challenge. However, IT directors didn’t think that functional silos were a big issue. Additionally, over one-third of all respondents said that a top barrier to improving security programmes is “making decisions in individual business units with no central oversight”.
The dysfunction often starts with teams believing they don’t have a problem. Unfortunately, denying the truth doesn’t change the facts — although it appears that some in OT security believe the easiest way to solve a security problem is to deny it exists.
Dysfunction + denial = OT security trouble
The fact that functional silos lead to dysfunction is more than just an oxymoron – it’s a problem that impedes the ability of security teams to protect their OT systems.
Over 73% of CIOs and CISOs are highly confident their OT security system will not be breached in the next year compared to only 37% of plant managers, who have more first-hand experiences with the repercussion of attacks. There is no doubt that functional silos contribute to a disconnect between reality and perception, such as CISOs not hearing plant managers’ concerns.
These senior leaders are often not familiar with or responsible for the ICS/OT environments. With this in mind, we see two particular challenges that often arise:
1. CISOs lack OT know-how
While IT leaders are very familiar with IT networks, they are not always as proficient with OT systems and processes. Often CISOs try to use trusted IT cyber security best practices in the OT environment. This can be counter-productive as OT environments are fundamentally different than IT environments and require a much different approach to security.
Developing an IT/OT governance body can help bridge this gap.
“Successful security governance in an integrated IT/OT or a CPS environment needs to balance enterprise-wide objectives with respective risk appetites and the capability to direct delivery on security and safety requirements in the two domains. A single governance body can achieve this. Successful security governance in an integrated IT/OT or a CPS environment needs to balance enterprise-wide objectives with respective risk appetites and the capability to direct delivery on security and safety requirements in the two domains. A single governance body can achieve this.”
2. Disconnect between network security policies and operational efficiency
For organisations with a leader with a solid OT technical background, most of the time, the disconnect is merely the difference between security policies and operational efficiency. Plant managers are held to a standard to keep systems running. They recognise that system breaches can shut down operations, as seen in many manufacturers hit by ransomware. However, there has not been enough technology shift to modernise the ICS environments. To this day, we still see many devices with embedded outdated and out-of-support operating systems, such as Windows 95, Windows XP, Windows 7. Nothing can be done about these embedded systems as long as the vendor doesn’t upgrade. Even if the vendor could upgrade, there could be a significant cost associated with the downtime needed to replace these outdated systems and processes.
The network model and exposure analysis provide a unified view of IT/OT environments for informed, coordinated decision-making
With our network model, Skybox helps dysfunctional organisations get on the same page by literally “showing” them the risk associated with a lack of compensating controls. Our model shows customers, step by step, how network traffic traverses through environments, graphically highlighting the functional devices that are allowing the access, thus lacking compensating controls.
With the network model, teams can conduct exposure analysis to identify exploitable vulnerabilities and correlate this data with an enterprise’s unique network configurations and security controls to determine if the system is potentially open to a cyber attack. Exposure analysis includes path analysis to ascertain which attack vectors or network paths can access vulnerable systems. This analysis is only possible when disparate data repositories are normalised and brought together into a network model, including patch and asset management systems, vulnerability data, threat intelligence feeds, and cloud and network device configurations.
Share
Skybox Security
Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox for the insights and assurance required to stay ahead of dynamically changing attack surfaces. Our Security Posture Management Platform delivers complete visibility, analytics and automation to quickly map, prioritise and remediate vulnerabilities across your organisation. The vendor-agnostic solution intelligently optimises security policies, actions and change processes across all corporate networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring enterprises remain protected. We are Skybox.
Visit www.skyboxsecurity.com for more information.