Streamline Your Strategy for Securing OT Networks

Why OT Security Comes Down to Risk Tolerance, Not Perfect Defense

In the realm of operational technology (OT) security, the challenges often appear insurmountable. Professionals in the industry frequently find themselves facing a daunting task, encapsulated in the mantra to "secure the plant." However, the complexities posed by legacy controllers, proprietary protocols, and the necessity for uninterrupted operations make this objective far more intricate than the slogan suggests. For many, securing OT systems feels more like an impossible climb than an achievable project.

Experts argue that the key to advancing in OT security lies not in searching for a technological panacea but rather in shifting one’s mindset. The prevailing approach today is misguided; the quest for "complete security" must be replaced by a commitment to strategic risk management.

The Allure of Zero Risk

The notion of achieving absolute security is a myth that must be dispelled. The stark reality is that escaping from cyber risks entirely is not feasible. In operational settings, the only scenario in which zero risk can be realized is when there is no operation at all. The presence of a wire, a wireless signal, or even a human carrying a USB drive introduces potential vulnerabilities. Embracing the fact that risk will always be a part of the operational landscape shifts the focus from the unattainable goal of threat elimination to a more pragmatic aim of reducing risks to tolerable levels for the business.

Thus, the conversation must pivot to how organizations can effectively communicate and manage risk. There are three fundamental pillars that form the foundation of this new framework:

  1. Risk Assessment: Identifying what could potentially go wrong and the severity of the consequences.
  2. Risk Tolerance: Determining the level of adverse outcomes the organization can withstand before facing potential failure.
  3. Risk Acceptance: Making conscious decisions about which risks the organization is willing to live with at present.

The Importance of Visibility in Risk Assessment

One of the foundational principles in security is encapsulated in the saying, "You cannot protect what you cannot see." This highlights the necessity of gaining a complete understanding of risk to effectively mitigate it. Conducting a risk assessment involves pinpointing the security posture of assets and estimating the potential harm to operations, finances, reputation, or personnel.

In the context of OT, achieving granular visibility is paramount. It’s insufficient to merely acknowledge the presence of a Programmable Logic Controller (PLC) on the factory floor; one must gather detailed information such as vendor and model numbers, firmware versions, operating systems, and software updates. Such knowledge is crucial for identifying applicable vulnerabilities and ensuring that devices are up to date with the latest security measures. Furthermore, understanding the behavioral patterns of assets, as well as their interconnections, is essential in detecting any deviations in performance. Risk assessment must be viewed as an ongoing process, continually updated to reflect new and emerging risks.

Determining Risk Tolerance: A Business Perspective

The concept of risk tolerance represents the extent of adverse outcomes an organization is prepared to tolerate to fulfill its objectives. This makes OT security a vital business consideration rather than merely a technical issue. Different processes within an organization warrant different tolerances, depending on their criticality. For instance, a non-essential packaging line may possess a recovery time objective of five hours, while a high-pressure chemical reactor might demand an actionable response in as little as five minutes to avert safety incidents.

By explicitly defining limits concerning data loss, financial implications, and recovery timelines, businesses can accurately distinguish between what constitutes a minor incident versus a critical failure. The fundamental goal of cybersecurity is to mitigate risks until they fit within an organization’s risk tolerance. If an assessment identifies a risk that surpasses the pre-established tolerance level, appropriate mitigation strategies must be implemented. Conversely, if the remaining risks are tolerable, the organization can consider that particular aspect resolved for the time being.

Making Informed Decisions with Risk Acceptance

Risk acceptance involves opting to retain a particular level of risk without immediate intervention. This choice is justified in two cases: the risk already falls within acceptable limits, or the cost of mitigating it is disproportionate to the risk it would remove. It's crucial for security teams to recognize that risk acceptance is not a permanent state. Conditions may change, rendering previously acceptable levels of risk no longer tolerable.

Planning for time-bound risk acceptance allows organizations to develop a systematic approach to risk management. For instance, a facility may accept the risks associated with an unpatched legacy human-machine interface while prioritizing the remediation of more dangerous vulnerabilities, such as an exposed remote access point that grants unrestricted access to the production network. By enabling decision-makers to focus on the most pressing concerns first, this approach prevents the "security paralysis" that can otherwise stymie progress.
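The three pillars above (assessment, tolerance, time-bound acceptance) can be captured in a small risk register. The following Python is an added example written for this page, not code from the article or any vendor; the asset names, scoring scale, tolerance thresholds and dates are all constructed, and the RTO-to-tolerance mapping is a hypothetical policy.

```python
"""OT risk register: added example, not from the article. It encodes the
three pillars above (assessment score, tolerance tied to criticality,
time-bound acceptance). All assets, scores, thresholds, dates are constructed."""
from dataclasses import dataclass
from datetime import date

def tolerance_for(rto_minutes: int) -> int:
    """Hypothetical policy: the tighter the recovery time objective, the
    less residual risk (likelihood x impact) the business tolerates."""
    if rto_minutes <= 15:
        return 4     # safety-critical process
    if rto_minutes <= 240:
        return 9
    return 12        # non-essential line

@dataclass
class Risk:
    asset: str
    rto_minutes: int                        # recovery time objective of the process
    likelihood: int                         # 1-5 assessment scale
    impact: int                             # 1-5 assessment scale
    accepted_until: "date | None" = None    # time-bound risk acceptance

    def score(self) -> int:
        return self.likelihood * self.impact

def decide(risk: Risk, today: date) -> str:
    """Action the register calls for on `today`."""
    if risk.score() <= tolerance_for(risk.rto_minutes):
        return "within tolerance"
    if risk.accepted_until is None:
        return "mitigate"
    if today <= risk.accepted_until:
        return "accepted until " + risk.accepted_until.isoformat()
    return "acceptance expired: re-assess"  # conditions may have changed

REGISTER = [  # constructed entries mirroring the article's own examples
    Risk("legacy HMI, unpatched", 300, 4, 4, accepted_until=date(2025, 12, 31)),
    Risk("exposed remote access to production network", 300, 4, 5),
    Risk("chemical reactor PLC", 5, 1, 5),    # same score as the packaging line,
    Risk("packaging line PLC", 300, 1, 5),    # but a far tighter tolerance
]

def triage(register, today_iso: str):
    """Riskiest items first, each with the decision the register calls for."""
    today = date.fromisoformat(today_iso)
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), decide(r, today)) for r in ranked]

if __name__ == "__main__": print(triage(REGISTER, "2025-06-01"))
```

Note that the reactor and the packaging line carry the same score yet receive different decisions, and that the HMI item flips from accepted to "re-assess" once its acceptance date passes.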

Implementing Effective Strategies: The Microsegmentation Journey

Microsegmentation serves as a noteworthy example of employing a phased approach to security. While regarded as the gold standard for network security, microsegmentation is often complex and resource-intensive. The stakes in OT environments differ significantly from those in IT settings, making disruption costly.

Prior to any segmentation efforts, it is vital to fully comprehend the interactions within operational networks. Often, this level of visibility is absent at the outset of such initiatives. The landscape is further complicated by the diversity of legacy devices that were not designed with security in mind, while the imperative of maintaining continuous production adds to the challenge.

Organizations are encouraged to use the visibility gained during risk assessments to embark on a methodical, milestone-driven approach. This includes:

  1. Strengthening macro-boundaries, which may range from building to building or production line to production line.
  2. Accepting the temporary risk of keeping certain macro-boundaries unchanged while collecting traffic data.
  3. Choosing a single macro segment for further division based on identified risk levels, and initiating actions in the riskiest areas.
  4. Expanding segmentation efforts in subsequent phases.

By breaking down daunting projects into manageable steps, organizations can align their limited resources with where they are needed most without neglecting the security of the wider network.
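The traffic collected in step 2 is what lets an organization pick the single macro segment to subdivide in step 3. The Python below is an added example for this page (not the article's or any product's code): it takes constructed flow records between hypothetical zones, ranks each macro segment by cross-boundary exposure, and lists the observed flows into the top-ranked segment as the allow-list baseline to review. The zone and host names and the scoring weights are assumptions; the port numbers are the standard Modbus (502), EtherNet/IP (44818) and RDP (3389) ports.

```python
"""Macro-boundary flow review: added example, not from the article.
Given flow records gathered while a boundary is left unchanged (step 2),
it ranks macro-segments by cross-boundary exposure to pick the one to
subdivide first (step 3). Zones, hosts and weights are constructed."""
from collections import Counter, defaultdict

# Constructed flow records: (src_zone, src_host, dst_zone, dst_host, dst_port)
FLOWS = [
    ("line_A", "hmi-01", "line_A", "plc-01", 502),          # Modbus, intra-segment
    ("line_A", "hmi-01", "line_A", "plc-02", 502),
    ("corp_it", "eng-laptop-7", "line_A", "plc-01", 502),   # crosses a boundary
    ("corp_it", "eng-laptop-7", "line_B", "hmi-09", 3389),  # RDP into OT
    ("corp_it", "jump-01", "line_B", "hmi-09", 3389),
    ("line_B", "hmi-09", "line_B", "plc-11", 44818),        # EtherNet/IP
    ("dmz", "historian", "line_B", "plc-11", 44818),
    ("dmz", "historian", "line_A", "plc-01", 502),
]

# Hypothetical weighting: remote-access protocols crossing a boundary count
# for more than process protocols a historian is expected to use.
REMOTE_ACCESS_PORTS = {22, 3389, 5900}

def cross_boundary(flows):
    """Flows whose source zone differs from the destination zone."""
    return [f for f in flows if f[0] != f[2]]

def exposure(flows):
    """Per destination macro-segment: (zone, weighted score, distinct
    external hosts), sorted so the segment to subdivide first leads."""
    ext_hosts = defaultdict(set)
    score = Counter()
    for src_zone, src_host, dst_zone, _, port in cross_boundary(flows):
        ext_hosts[dst_zone].add((src_zone, src_host))
        score[dst_zone] += 5 if port in REMOTE_ACCESS_PORTS else 1
    ranked = [(zone, score[zone], len(ext_hosts[zone])) for zone in score]
    return sorted(ranked, key=lambda r: (r[1], r[2]), reverse=True)

def candidate_rules(flows, zone):
    """Observed cross-boundary flows into `zone`, de-duplicated, as the
    allow-list baseline to review before the segment is subdivided."""
    rules = {(f[0], f[1], f[3], f[4]) for f in cross_boundary(flows) if f[2] == zone}
    return sorted(rules)

if __name__ == "__main__":
    ranking = exposure(FLOWS)
    print(ranking)
    print(candidate_rules(FLOWS, ranking[0][0]))
```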

Despite the challenges presented by microsegmentation within OT environments, experience shows that success is attainable. Securing an OT network does not necessitate an immediate and overwhelming overhaul of systems. What it demands is continuous asset assessment, clear definitions of risk tolerance, and the strategic patience to address risks in phases.

Security should be regarded as a journey rather than a final destination. Each organization’s pathway will be unique, but steadfast adherence to these fundamental principles will enable leaders to transition from reactive threat responses to constructing resilient and defensible operations. As the landscape evolves, so too must the strategies employed to ensure the long-term security of operational technology.
