Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Satish Gannu
Satish Gannu
Connect Directly
E-Mail vvv

6 Steps CISOs Should Take to Secure Their OT Systems

The first question each new CISO must answer is, "What should I do on Monday morning?" My suggestion: Go back to basics. And these steps will help.

The inevitable digitalization of an industry can create strife within companies, especially between colleagues tasked with blending often old and idiosyncratic business-critical operational technology (OT) with information technology (IT).

One crucial source of confusion: Who is responsible for the all-important cybersecurity risk mitigation of OT systems as they become part of the Industrial Internet of Things? There's no universal answer yet. Some chief information security officers (CISOs) are drawn from OT, and some from IT.  

Either way, the first question each new CISO must answer is, "What should I do on Monday morning?" My suggestion: Go back to basics.

What I've noticed working with industrial companies around the world is confusion among CISOs distracted by thousands of companies — new and old — offering shiny new tools to prevent and detect threats in exciting ways. As a result, there's a good chance new CISOs could overlook the basic, fundamental steps needed to build the broadest, strongest risk mitigation.

Here are the six steps all new CISOs should take to begin protecting their OT environments in the most effective way possible:

• Step 1: Asset inventory. A company's OT systems are its crown jewels, and the CISO's primary role is to protect them. First step: Explore, discover, and inventory every OT element in the organization to learn exactly what you're protecting — data, software, systems, etc. Without a complete and accurate asset inventory, the succeeding steps will fall short in minimizing cybersecurity risk.  

• Step 2: Backup/test restore. The most effective way to protect OT systems from expensive to ruinous ransomware attacks, to cite just one risk, is to back up OT data and perform a test restore to make certain the backups are optimal. Backing up systems is crucial for multiple reasons, security among them.

(Tip: In case of ransomware attacks, don't forget the European police agency Europol's public/private No More Ransom site, which offers proven, valuable anti-ransomware tools free of charge.)

Yes, test restore can be challenging, but OT network backups are only as good as the test restore process that assures their effectiveness by protecting the network from data loss.

As we'll see in step 5, it's important to identify pertinent data for test restore on a continuous basis — often by asking users in the organization which data is most important for their work — but for the first backup/test restore, do it as widely and deeply as possible now to avoid data loss and other problems down the road.

• Step 3: Software vulnerability analysis. Step 1's asset inventory will reveal all the software in the organization's OT systems. The CISO must know the state of every software asset. Every piece of software must be subjected to vulnerability analysis. What version of the software do you have? Is it up to date? Are there more recent versions — safer and more effective — the OT system will accept and continue to thrive with?

A crucial question about the software: Does it need patching? If so, here's a critical warning: Don't do the automatic IT thing of reflexively patching everything, because OT patching is a complex and challenging process that rates an entire step onto itself.

• Step 4: Patching. Though automatic in IT, patching in OT is the proverbial briar patch. Sometimes patching OT software can make things worse. The soft underbelly of digitalizing the industrial economy is old OT machines and systems. Some absolutely vital systems have been on factory floors for 15 to 25 years or more, and they can't be taken down and patched. And even if appropriate (and safe) patches are available, old OT may not have enough memory or CPU bandwidth to accept them.

Finally, many OT systems are highly orchestrated combinations of software and hardware that develop "personalities," and when they're patched, they come back up with unpredictable results.

What to do? I suggest a threat analysis approach that can identify vulnerabilities and minimize risk short of patching.

• Step 5: Backup/test restore  again. Backup/test restore must become an ingrained habit whenever anything in the OT or IT system changes — updates, for example. The test restore process should include a plan that identifies testing frequency and the specific mode of testing. It is also important to make certain the operating system directly correlates with the version of software being used, as well as the structure of the database.

Important advice: Repeat steps 3 to 5 regularly, forever. New vulnerabilities are often found in old software.

• Step 6: Enable centralized logging. CISOs must know not just how something is working or failing, but why it's failing — and for that, centralized logging is a must. Centralized logging consolidates, manages, and analyzes logs to empower CISO teams to understand their environments, identify threats as early as possible, and optimize defenses.

In my experience, many OT systems have never been monitored. Given how much goes on in OT systems, consistent centralized logging is a must-have: It enables CISOs to confidently identify alarming security signals amid the potentially deafening routine noise.  

If new CISOs take these six basic but essential steps — and habitually repeat those that need repeating — they can go home Monday night confident they've done a solid job minimizing risk for their organization's OT.

Related Content:


Satish joined San Jose-based ABB in February 2017 as chief security officer and Group VP, architecture and analytics, ABB Ability™, responsible for the security of all products, services and cybersecurity services. Satish brings to this position a background in computer ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/19/2020 | 8:02:32 AM
new ciso
Some good basics, but if a CISO has to wonder what he or she has to do on a Monday morning then we have a problem...today we have a lot of folks who wnat the title CISO but don't have the substance to be a real CISO, they take low ball offers or get a role becuase of politics for diversity or other flavor of the month public ask...
User Rank: Apprentice
3/10/2020 | 7:17:17 AM

I will carefully read the issues you just shared, I find there are some places that are not very clear


User Rank: Apprentice
3/6/2020 | 9:12:18 PM
A warning
You should be careful running automated asset collection tools. There have been many reports of industrial devices crashing when receiving something as innocuous as a NMAP port scan. It's also worth while being very conscious of the various protocols these devices use and how those protocols are carried across various networks... most older devices don't understand how to talk ethernet.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-28
An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926&qu...
PUBLISHED: 2020-10-28
Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WLAN SSID parameter. This could allow an attacker to perform malicious actions in which the XSS popup will affect all privileged users.
PUBLISHED: 2020-10-28
An issue was discovered in QSC Q-SYS Core Manager 8.2.1. By utilizing the TFTP service running on UDP port 69, a remote attacker can perform a directory traversal and obtain operating system files via a TFTP GET request, as demonstrated by reading /etc/passwd or /proc/version.
PUBLISHED: 2020-10-28
The God Kings application 0.60.1 for Android exposes a broadcast receiver to other apps called com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver. The purpose of this broadcast receiver is to show an in-game push notification to the player. However, the applicatio...
PUBLISHED: 2020-10-28
A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread.