The Game Plan: Modernising OT security programmes – Technologist

The Fortinet global 2022 State of Operational Technology and Cybersecurity Report revealed that industrial control environments continue to be a target for cybercriminals. Globally, 93% experienced an intrusion in the past 12 months.

Despite Singapore reporting a slightly smaller figure at 86%, there remain widespread gaps in industrial security and indicated opportunities for improvements.

Addressing the audience during the Operational Technology Cybersecurity Expert Panel (OTCEP) Forum 2022 on 12 July, minister for Communications and Information, Josephine Teo, stressed the importance of enhancing the collaboration between the public and private sectors, supported by suitable security tools investments, which will better position Singapore to manage future OT cyber-attacks.

During a media briefing, representatives from Fortinet, including Adam Wu, regional solution architect for OT, Rashish Pandey, vice president of marketing and communications, and Jonathan Chin, OT business development manager, joined Kenny Yeo, Frost & Sullivan’s director and head of Asia Pacific cyber security practice, to talk about how organisations in Asia need to represent OT security practices.

When an OT attack occurs, what is the workflow for resolving the attack? Typically, when does the CIO/CISO/IT team get involved when an OT attack occurs?

Adam Wu: Don’t panic and don’t pull the plug. Assess the process that you have currently in your plan. Then the CIO and IT team can decide, whether they want to isolate or start an instant response. The incident response has to be formulated by the organisation based on their needs. They toned to invoke caution before hitting the brake glass button and disconnecting everything.

Frost says OT refresh cycles take longer than IT. How do you then keep OT and IT security practices synchronised and reflect the present environment?

Rashish Pandey: The refresh cycles are different and longer for OT. The patching protocols are different depending on the different types of assets. How can these two teams work together? We observe that the air gap goes away and there is a need to have a common playbook that cuts across both IT and OT, known as IIoT alignment.  Aligning the mindset of OT and IT security is a bigger concern.

Adam Wu: Organisations can do virtual patching, periodic validation, and risk assessments in their environment. Organisations should conduct risk assessments and audits regularly to ensure that the current controls are being followed.

Do you see the current variety of connectivity standards for OT, and the varying age of OT devices as frustrating the securing of OT?

Rashish Pandey: We can choose to do something about it. Organisations need to make sure that traffic is protected in transit as well and are taking security measures. We can’t rip out all the OT infrastructure and replace it with brand-new infrastructure. We need to start with where we are and put in place a pragmatic approach to protect these assets.

How would you assess the state of OT security in Asia? Is the lack of maturity in OT security a reflection of lack of understanding or it’s just not a priority?

Rashish Pandey: OT security as a discipline has come to the forefront of the day which coincided with the rise of industry 4.0. It’s mainly the lack of awareness but it’s speeding up fast. We see the board of directors getting involved in this conversation. We do see varying degrees of maturity across Asia, in which Singapore is a leading player. We have a very robust conversation happening on OT and critical infrastructure security.

Kenny Yeo: Regulation is also key, it’s the key number one factor leading to increased adoption of cybersecurity. Organisations tend to postpone OT security until something happens.

Do you think CISOs/CIO/Head of OT Ops will trust an AI to take remedial action against OT threats without human intervention?

Adam Wu: So, the level of security is according to the CVE rating, that is being assigned to a particular vulnerability. The score is derived from a variety of factors, whether it can easily exploitable, and whether it costs a lot of damage.

There is also a human element to giving that score. If the exploit is being stopped, that’s the most important.  For FortiGate, you can set what level of security you want to stop, let’s say, out of five scores, you can set maybe three and above to block anything. It is flexible.

How should an OT security program be managed? Who should oversee this?

Jonathan Chin: The conversation is about cyber resiliency, which depends on the organisation’s dynamics. For example, some organisations have a dedicated individual working specifically on readiness. They are responsible for understanding whether threats are real and critical, but also what they should be doing and who they should call.

Sometimes, the Lead Automation engineer takes charge due to OT system expertise, and the CIO/CISO acts as a consultant. In other cases, the IT teams take control regardless, and the Lead Automation engineer serves as a consultant. In an ideal case, an IT/OT specialized group should balance the IT/OT perspective.

Do you see AI/machine learning as going beyond the identification of threats and into the pre-emptive prevention of threats?

Jonathan Chin: AL/ML is utilized primarily for threat detection and automated responses upon discovery. However, we see AL/ML being increasingly used beyond threat identification to being utilized as take-down services, threat hunting at both networking, as well as endpoint levels, and actively pursuing botnet malware threats on the internet.

AI/ML models provide an effective way to counterattack by learning the pattern of these attacks. Putting in place intelligent analysis at the endpoints can also provide an enormous advantage since it protects the point where the possibility of human error is most exposed.

With IT looking at passwordless as the next level of authentication, do you see the necessity to deploy FIDO2 for IoT?

Jonathan Chin: Passwordless authentication and FIDO2 came out of consumer password fatigue while preserving the need for security. However, implementing the same for air-gapped scenarios/ private clouds will need expert supervision.

Security professionals can consider Multi-Factor Authentication (MFA) technologies which confirm the identity of users by adding a step to the authentication process. A second step is to verify a user’s identity to ensure that a cybercriminal can’t access an individual’s account even if a password is compromised.

OT organisations can also consider a Digital Risk Protection (DRP) Service that includes external attack surface management (EASM) and adversary-centric intelligence (ACI) which are essential in stopping adversaries early in their campaigns.