Designing a 100-Day Sprint for OT Cybersecurity: What to Consider

Image

As we begin a new year, many organizations will enter a “goal-setting and strategic planning” season. During this time, individuals are re-energized and motivated to record new accomplishments for their professional development. Traditional corporate goal setting aligns with fiscal calendars and forces companies and individuals to build goals in chunks of 365 days. But why set your deadline based on the Earth's orbital period? What if you could achieve relevant and meaningful goals within just 100 days? That's the idea behind the 100-day sprint – to achieve radical and strategic improvements within a fraction of the calendar year.

Most recently, the Biden Administration embarked on a 100-day sprint to improve the cybersecurity of our nation's electric grid. If the U.S. government is agile enough to do one of these sprints, then surely your company is, too! But with so many OT cybersecurity frameworks, strategies, approaches, and solutions, where should you begin, and how can you apply this concept to your company?

Set a Realistic Expectation

It is very important to set a realistic expectation for what a successful 100-day OT cybersecurity sprint would look like for your organization. You should consider factors such as budget, personnel, bandwidth, and competing priorities. Don't "boil the ocean" in this exercise. Achieve attainable goals, and once those are met, schedule each succeeding phase to aim higher.

Embrace the Three-Legged Stool

In your 100 days, focus on all aspects of the three-legged stool of cybersecurity: people, process, and technology. The allure might be to focus on technology, assuming you have budget. However, we can achieve a lot of forward progress without installing a new shiny object. What's more, it might take you beyond 100 days to request quotes, compare vendors, complete the procurement process, and schedule installation services – even without considering delays in the hardware supply chain. Instead, let's use these 100 days in tangible and measurable ways while setting you up to make a better purchasing decision based on solid information and analysis.

Start with Your People

Begin by building a 100-day sprint team. Seek out your most motivated and high-performing individuals to create an all-star team with high energy. How big should your team be? That depends on the scope of OT in your organization. If you have only one or two sites, then a small team of five to nine makes sense. But if you have dozens of facilities, consider whether to pilot this 100-day sprint before rolling it out or to create sub-teams to handle tasks at the individual site level.

Take a step back and evaluate your company's organizational alignment to cybersecurity for Operational Technology. Consider creating an Office of the CISO, under which you might assign a head of OT cybersecurity. Who is responsible for OT cybersecurity at each plant or site? It may even be required to clearly define scope boundaries based on Purdue Levels or Zones. This is especially important for highly matrixed organizations wherein the O-IT (operational IT components such as Windows^TM servers) might fall to one group while the controllers, PLCss, and other embedded devices might fall to another. Are these individuals dedicated to OT cybersecurity, equipped with sufficient training, empowered with budget authority, and staffed with sufficient bandwidth? If not, look for ways to improve the organizational structure in these 100 days to align clear responsibility, set expectations, and define measurable metrics.

Consider your site's training and awareness programs for individuals coming into the facility. Many times, visitors (including service partners and vendors) are forced to watch safety training videos before entering the facility while never seeing any of your policies on cybersecurity. Employees that log in regularly to OT systems should be officially trained annually or semi-annually on important principles of your OT security policies such as password requirements, Wi-Fi, internet access, USB devices, and remote access.

Beyond formal training, consider developing a regular campaign for OT security awareness. This can be as simple as a monthly email targeted to your OT users that focuses on one of 12 cybersecurity aspects. Whatever form it takes, it should complement your corporate IT security awareness campaigns. Awareness campaigns can also be more creative. For instance, launch an internal bug bounty program that offers a nominal reward to anyone that submits and corrects a violation of the company’s security practices.

Review the list of accounts on your OT systems to evaluate which are entitled to elevated privileges including administrative access. Who is and is not authorized for remote access? Make sure your operational teams are not sharing generic accounts with names such as "Operator1" or "Engineer2." You might be surprised to find some ghost accounts on OT domains for retired or former employees. This can be especially hard to maintain if your OT Windows devices are setup as Workgroups. You may also be surprised at how many outdated service accounts are still active and that thereby pose a risk to the organization.

Dust off Your Policies

I get it. Policies can be boring. But that's exactly why a 100-day sprint is the right approach to re-invigorate your team. There's a light at the end of the 100-day tunnel, and it's critical to dust off your policies and uncover some gaps along the way. Give them a solid review, update where necessary, and re-communicate their guidance and requirements to the affected teams.

Begin with a policy inventory. Collect as many of these documents as you can, and evaluate their scope and latest revision. Here are a few examples that you might need to find:

• Information security policy
• Business continuity plan
• Acceptable use policy
• Disaster recovery plan
• Incident response policy
• Remote access policy
• Access control policy
• Change management policy
• Email/communication policy

What might surprise you is that most of these documents were probably written for IT networks, and you'll have trouble finding good references and guidance for OT networks. For example, does your enterprise's Disaster Recovery Plan also cover worst-case scenarios on your OT networks? Does your Remote Access Policy still hold true for access to Industrial Control Systems? Can a revision be made to accommodate the nuances for OT, or does your team need to create a separate policy for OT? In order to kick-start this effort, SANS has many example policy templates.

During this time, you might also consider your team's preparedness for an actual incident, large or small. How would your team respond if the OT network was infected with ransomware today? Crisis Tabletop Exercises can be as simple or complex as you desire. Create a few realistic scenarios, set aside some time with your team, and walk through the response plans. If you find this especially difficult, or if your team needs help, then start the process of seeking outside consulting. Additionally, prepare your organization by identifying three or more Incident Response service firms that you might call when necessary. Begin discussions with your procurement team to identify whether to enter into a pre-defined contract or to use a retainer that would help accelerate the timeline to get "boots on the ground." This would also be a good time to speak with your legal team to review any cybersecurity insurance policies that may be in place for your organization, as those resources also include guidance and response organizations in the event of a cybersecurity incident.

Select and establish a common framework such as NIST CSF, CIS Controls, NIST 800.82, ISA 62443, or ATT&CK for for assessing and defining your security requirements with regards to ICS. Establish and agree on a risk matrix across your OT environments. Compare and document the criticality of each site, manufacturing line, and zone. This information will be helpful to define a forward direction for the level of protective and detective controls needed. Seek out firms that deliver comprehensive cybersecurity assessments based on your preferred framework, and schedule an initial assessment at one of your most critical facilities.

Evaluate Technology Capabilities

It may not be realistic to define capability requirements and finish the procurement and installation process within 100 days. Instead, look for ways to utilize technology to achieve immediate results, analysis, and information that will help you make better procurement decisions in the future. Focus on discovery during your first 100 days, and look for solutions that can provide immediate time-to-value with zero installation effort.

Gather a comprehensive asset inventory, including device names, IP addresses, device type, manufacturer, and firmware versions. Knowing what is on your network is the first step to defending it. Augment this inventory with vulnerability awareness and prioritization, which can be automatically matched and ranked for you. Having this information across multiple facilities will allow your team to understand how far behind your OT devices are and determine whether some sites need budget prioritization for a more complete control system migration as opposed to a software or firmware upgrade.

Packet captures can also be used to provide immediate proof of concept with built-for-purpose OT network monitoring solutions. These can generate a network map, hygiene score, and even blueprint of your current zones and conduits for future segmentation improvements. Find out not only what is on your network but also where these devices are communicating and whether insecure protocols are being used.

Lastly, work with your IT security and operations team to develop an audit trail for remote connections to ICS networks. Begin to monitor and review both persistent and temporary remote access sessions with suspicion, and determine whether your current method is aligned with best practices including multi-factor authentication. Rather than relying on traditional IT remote access, which is frequently exploited and misconfigured, consider industrial solutions for remote access that keep the control in your OT team's hands while providing the benefits of SSO and MFA.

There are recommendations for multi-factor authentication in OT environments, and almost every CISA security alert recommends it, as well. Sometimes, the challenge for implementing MFA in OT environments stems from a misunderstanding with regards to compatibility and support from OT vendors. Another challenge is that many of today's MFA solutions require internet connections. Reach out to your OT system vendor and ask for their guidance. Most of them will have an answer such as physical keycards that can support "air-gapped" environments. Try to start a pilot project or proof-of-concept at one of your facilities. Evaluate the options and seek budget for this critical security control in your next cycle.

Develop a Roadmap or Vision Going Forward

This 100-day exercise can help to advance your OT security posture. But what's next? After your 100 days, you should have a solid foundation to make better decisions and further the mission. As a final step, aim to define a 1-year and 3-year roadmap to reach your ultimate objectives: comprehensive visibility, hardened devices, mitigated vulnerabilities, continuous monitoring, secured access controls, better trained personnel, and updated, relevant policies that are clearly defined and communicated. Present this roadmap to key stakeholders, rework the plan as necessary, and seek budgetary approval for these necessary improvements to your organization's critical infrastructure.