CGI Cyber Escape Australia

Frequently asked OT cyber questions

What are the unique cyber security challenges of OT environments? 

Many OT and ICS environments rely on legacy systems which pre-date the integration of modern security protocols. Retrospective updates are sometimes ineffective, leaving, potentially business critical and national critical infrastructure systems vulnerable.

The explosion of the Internet of Things (IoT) has meant that industrial environments and equipment, once built to operate in isolated networks, are now connected to the internet, creating a range of unforeseen entry points for threat actors.

Companies with OT functions have often developed organisational structures where IT and OT operate separately, creating silos of accountability. This can lead to gaps in overall security.

What is the difference between IT and OT cyber security?

Traditionally the priorities of the two disciplines have varied. IT security professionals focus on Confidentiality, Integrity and then Availability compared to the OT security whose focus is on maintaining the Availability of the technology, Integrity and Confidentiality.

Although there are differences, there are also many similarities between OT and IT. The cyber security skills are the same – including the processes and policies for understanding the threats, performing threat hunting and responding to incidents. The surge in elements of the OT environment that now include a digital or IoT interface, and the interest the business has in the increasing amount of data generated, means that a successful approach must include the expertise of both disciplines.

What should you consider when combining IT and OT Security Operation Centres?

The IT/OT SOC presents unique challenges and rewards for security professionals. Here's a breakdown of some key learning we have gained from our client engagements:

Event Correlation:

• SOCs receive a constant stream of IT and OT security events.
• Understanding the combined picture is crucial.
• For OT events, interpreting them requires domain expertise and context of the physical systems involved. This can be a steep learning curve for IT professionals new to OT security.

Collaboration is Key:

• A strong partnership between IT and OT security teams is critical for effective incident response.
• Without it, investigations and remediation can be slow and cumbersome.

The Right Tools Make a Difference:

• The effectiveness of an SOC heavily relies on its security tools.
• These tools need to be properly configured and optimized for both IT and OT environments.
• Skilled personnel are essential to get the most out of them.

SIEM Consolidation: A Work in Progress:

• There's ongoing debate about consolidating Security Information and Event Management (SIEM) systems for IT and OT.
• Here's a breakdown of some common approaches:
  1. Phased Integration:
     • Many organizations monitor industrial control systems (ICS) first, establishing a baseline.
  2. Asset Discovery:
     • The next step often involves a detailed asset inventory, ensuring a complete picture of all devices on the network (both IT and OT).
  3. SIEM Consolidation Strategy:
     • The approach to consolidating SIEM systems can vary depending on organizational needs and resources. Some may choose to keep separate systems, while others may look to integrate them for a more unified view.

Overall, joining an IT/OT SOC offers a dynamic and challenging environment. It requires a blend of IT security expertise, OT domain knowledge, and a strong collaborative spirit. To discuss your organisation’s challenges with an OT cyber security specialist, contact us.

How do I develop an OT cyber security strategy?

We have developed a guide for developing a strategy for securing critical infrastructure. It is written in clear business terms, aimed at business-risk decision makers. Download the cyber security THINGUIDE to Securing Critical Information Australian Edition. If you would like a hardcopy, please send us an email.