CYBERSECURITY FAQ

How Do You Assess, Calculate and Prioritize Cyber Risk in OT?

By understanding the unique risks associated with OT environments and implementing appropriate security measures, organizations can significantly reduce the likelihood and impact of both cyberattacks and operational disruptions.

Risk management is much more involved than vulnerability management. Especially in OT environments where patches must often be delayed until the next maintenance window — assuming they exist at all — it’s critical to understand the relationship between exposure, risk and tolerance. That involves first knowing which assets are vulnerable and then weighing the probability that a known threat will exploit them against the impact of an exploit and the organization’s tolerance for that risk. A high-impact event with a tiny probability of happening may be deemed less critical than a lower-impact event that is known to happen several times a week. Weighing probability against impact this way makes it easy to prioritize mitigation for assets that are vulnerable to high-impact events that are likely to happen.

IT Risk Assessment vs. OT Risk Assessment

This general approach to risk applies to all cyber risk, but these are the major differences between how risk is assessed in IT vs. OT environments.

1. Cyber and operational risk

Perhaps the biggest difference is that in OT we must account for both cyber and operational risk, including process risk, because operational anomalies unrelated to a cyber threat are far more common. On the IT side, if a company’s mail server goes down, there’s minimal impact to the business. Some employees may even relish the break. But if a critical server goes down in an operational environment, you may have massive risk. Colonial Pipeline is a great example. When the DarkSide hackers ransomed data from their IT network, the attack brought down the billing and accounting systems, which was certainly going to create a costly mess. But the reason the company shut down the pipeline was they lost access to a safety monitoring tool and couldn’t see whether the pipeline itself had been breached — a massive risk they obviously couldn’t tolerate.

2. Consequence-based

In OT, risk assessment is completely focused on consequences such as physical safety, the environment and continuity of operations. Whether you’re assessing risk in a postal processing facility, a meat packaging plant, a cargo ship or a warehouse, with OT you’re always planning for your worst day. What catastrophic thing could happen that could impact thousands of people?

3. Interconnected risk

Every component in an OT network is part of a larger process in a very distributed environment. Everything is connected and consequential. In a data center you could probably reboot every other server with no impact. In OT, if a machine has a problem, immediately you need to learn what it depends on and what is depending on it. From there, what are the consequences of an emergency shutdown? In an oil refinery, if someone hits that emergency shutdown button, you’re looking at millions of dollars gone in an instant and a few months to get that site back online.

4. Vulnerabilities-only vs. multi-dimensional

In IT, device risk is based solely on vulnerabilities, and you can practically eliminate risk with patching. In OT, it’s multilayered. The Nozomi Networks platform calculates asset risk based on five factors: vulnerability risk, alert risk, communication risk, device risk, asset criticality and compensating controls. Customers can use these scores out of the box, or they can adjust the weight of each variable until the calculation accurately reflects how their organization assigns risk, so the score is one they will actually act on.

5. Score vs. trend

Especially at the plant and director level, OT stakeholders have little use for numerical risk scores. Our customers often tell us, “I don’t need a number; I just need to show my boss a graph with a line going down that indicates our risk is decreasing over time, which means our cyber program is working.” There is no Richter scale for OT risk where a 5.1 means the same thing from region to region or even plant to plant.

6. Higher risk tolerance

Because industrial downtime is to be avoided, outside of safety issues industrial stakeholders have a much higher tolerance for risk. Suppose a device is exposed to Telnet, but at Purdue Level 2 it has firewalls above and below it, and nothing can talk on that port. That’s a common scenario due to the nature of OT systems. The asset owner may choose to mute an alert that’s firing because the device is exposed to Telnet (or at least dial down the vulnerability risk in the alert rule), whereas an IT analyst would see the alert and want to patch the device immediately, which you can’t and don’t need to do.

Calculating OT Risk

Any risk assessment starts by conducting a business impact analysis to identify your crown jewels and prioritize their protection. In industrial environments, it’s more complex because you’re not just looking at asset risk; you must also identify your most critical processes and how to protect them. A conveyor belt inside the plant that takes iron ore to the furnace is riskier than a conveyor belt that takes mail from the main building to the warehouse. They may use the same technology and the same protocols, but the risk levels are far apart.

Several vendors provide calculated risk scores to help you understand asset risk. They may look impressive in a POC, but how well do they help you monitor and reduce risk day-to-day? If they don’t reflect how your organization calculates risk, you’ll probably just disregard them.

The Nozomi Networks platform assigns risk scores to each of your assets to help you prioritize security efforts, address the most critical risks first and take the correct actions to mitigate potential threats effectively. It calculates asset risk based on five factors: vulnerability risk, alert risk, communication risk, device risk, asset criticality and compensating controls. You can use our scores out of the box, or you can fully customize the weight of each variable until the calculation accurately reflects how your organization assigns risk. You can even apply your tuned rules by zone.

How the Nozomi Networks Platform Helps You Understand and Minimize OT/ICS Risk

When looking at your OT asset risk, you need to be able to see at a glance what assets are riskiest by zone, site, vendor and any other way you might want to categorize them. And you need to be able to drill down to understand what makes them risky and what you can do about it. It's also important to see how individual risk scores contribute to the higher-level risk score of the site or zone the asset belongs to, and ultimately, the risk score of the entire company. Even with all of this context, individual asset risk scores provide little value. For proper risk management, you need to understand changes in risk scores over time.
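To make the weighted scoring, per-zone tuning and roll-up described above concrete, here is an added Python sketch; it is not Nozomi's code or formula. It scores assets on the factor names the page lists, treats compensating controls as a discount (so a Telnet-exposed Level 2 device behind firewalls scores low), lets a zone override the weights, and rolls scores up from asset to zone, site and global. The weight values, the 0..100 factor scale, the mean-of-means aggregation and the sample assets are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional
# Hypothetical default weights for the factor names the page lists (weights are
# relative). Compensating controls discount the result instead of adding to it.
DEFAULT_WEIGHTS = {"vulnerability": 0.25, "alert": 0.25, "communication": 0.20,
                   "device": 0.15, "criticality": 0.15}

@dataclass
class Asset:
    name: str
    zone: str
    site: str
    factors: Dict[str, float]  # each factor scored 0..100
    compensating: float = 0.0  # 0..1 share of risk offset by controls (e.g. firewalls)

def asset_risk(asset: Asset, weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted average of the factors, discounted by compensating controls."""
    w = weights or DEFAULT_WEIGHTS
    raw = sum(w[k] * asset.factors.get(k, 0.0) for k in w) / sum(w.values())
    return raw * (1.0 - asset.compensating)

def prioritize(assets: List[Asset], by_zone: Optional[dict] = None) -> List[tuple]:
    """Score each asset with its zone's tuned weights (or the defaults), riskiest first."""
    scored = [(a.name, asset_risk(a, (by_zone or {}).get(a.zone))) for a in assets]
    return sorted(scored, key=lambda s: s[1], reverse=True)

def rollup(assets: List[Asset], by_zone: Optional[dict] = None) -> Dict[str, float]:
    """Mean-of-means roll-up asset -> zone -> site -> global (aggregation is an assumption)."""
    zones, sites, out = {}, {}, {}
    for a in assets:
        zones.setdefault((a.site, a.zone), []).append(asset_risk(a, (by_zone or {}).get(a.zone)))
    for (site, zone), scores in zones.items():
        out[f"zone:{zone}"] = mean(scores)
        sites.setdefault(site, []).append(out[f"zone:{zone}"])
    for site, scores in sites.items():
        out[f"site:{site}"] = mean(scores)
    out["global"] = mean([out[f"site:{s}"] for s in sites])
    return out

# Constructed sample: identical conveyor PLCs in two places, plus a Telnet-exposed Level 2 HMI between firewalls.
SAMPLE = [
    Asset("plc-furnace-conveyor", "L1-furnace", "plant-a",
          {"vulnerability": 80, "alert": 40, "communication": 60, "device": 50, "criticality": 95}),
    Asset("plc-mail-conveyor", "warehouse", "plant-a",
          {"vulnerability": 80, "alert": 40, "communication": 60, "device": 50, "criticality": 20}),
    Asset("hmi-l2-telnet", "L2-control", "plant-a",
          {"vulnerability": 70, "alert": 30, "communication": 40, "device": 40, "criticality": 60},
          compensating=0.6),
]
```

Passing a mapping such as `{"warehouse": {"vulnerability": 1.0}}` as `by_zone` re-weights only that zone, which is how the zone-specific tuning described above changes the ranking without touching other zones.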

The Nozomi Networks dashboard shows your current risk scores by zone, site and other categories you select. If your risk is trending in the wrong direction, you can drill down to see why and where you need to add the right controls. Maybe you need to lock down your insecure protocols or beef up your segmentation. Whatever you decide to do, your risk score will reflect the degree of impact your actions have made, using your own risk assumptions. If your risk score started at 70 globally and went down to 52, you now have hard ROI to justify your investment.

The Asset Risk feature offers a comprehensive overview of the risk associated with your OT/IoT assets, with clear, customizable, and actionable insights into the security posture of individual assets, zones, sites, sensors, and across the entire environment. Users can benchmark their security performance and track improvements over time, making it a critical tool for maintaining and enhancing operational resilience.

A cyber risk dashboard for OT