Better OT Security Starts With Asset Management
You can’t truly secure your environment if you don’t know exactly what’s out there from an OT perspective, or the potential risks to those assets.
That’s precisely why asset management, starting with asset discovery, is so important. Utilities may have hundreds or even thousands of OT assets including programmable logic controllers and distributed control systems linked up to supervisory control and data acquisition (SCADA) networks.
Once you’ve discovered all of these assets, you can inventory them and begin tracking them. It then becomes much easier to manage risk and track compliance with regulatory standards, such as the NERC Reliability Standards.
The name of the game here is passive scanning. A passive vulnerability scanner monitors your SCADA network traffic without interacting with it. The goal is just to see and understand your OT environment. You can also use what the scanner observes to begin compiling accurate asset records, which is key for maintaining and demonstrating compliance.
Going Deeper With Active Scanning and Patching
Active scanning lets you drill down and interact with your network and its devices. This entails connecting to the devices on the network to gather detailed information. Deep asset scans take this one step further and allow for a more thorough interrogation of any OT asset on the network.
However, no utility wants to disrupt critical operations by introducing new traffic on the network. This is where vendors such as Tenable come into the picture. Tenable lets you speak in the native language of even your oldest OT equipment and understand what's going on within the device from a security perspective. It won’t overload your network with requests and can automatically reduce scan intensity to avoid disruptions.
Often, these efforts create a laundry list of OT equipment that needs to be patched. Uptime and safety are top priorities for utilities; while it may seem easier to leave well enough alone for fear of causing disruption, the long-term risks of doing nothing can be just as disruptive, if not more so.
At this point, it’s crucial to assess the risks you’ve uncovered and make thoughtful decisions about what to deploy and what is truly best left alone. This can be challenging, especially in cases involving remote sites that would require sending personnel out to handle updates. But complexity is not a good enough reason to leave infrastructure open to compromise. If there is a genuine risk to specific OT assets, and you’re unable to handle them, reach out to someone who can help.
Reliability and Cyber Resilience Will Follow
Better asset management will ultimately help utilities quickly identify and address issues, minimizing service disruptions and improving reliability for customers. This includes cyber risks to OT as well as physical risks.
The electric grid, for instance, is susceptible to physical harm caused by bad actors, and if you understand those choke points, you can do more to physically secure them. This could entail strategically installing surveillance cameras, boosting access controls and physically hardening those choke points against damage.
Critical infrastructure is the lifeblood of all public infrastructure. It can be highly challenging to manage, upgrade and protect OT, but it’s a challenge worth undertaking, and one that can be met with the right technology and resources.