The UK government’s cybersecurity arm has issued a new guide to help companies around the world better secure their operational technology (OT) and industrial control system (ICS) hardware.
The guide, issued by RITICS, outlines recommendations and best practices for companies to help avoid attacks on embedded tech.
The security body noted that there are a number of key differences between the way OT/ICS network operate that differ from traditional IT networks. Whereas protecting the confidentiality of data is the primary function of IT networks, OT security instead focuses on maintaining the availability and integrity of the devices over access to data.
“While Cyber Incident Response Plans (IRPs) should cater for both IT and ICS/OT systems, consideration must be made for the key differentiators found in ICS/OT environments,” RITICS explained.
To remedy this, the group suggested administrators take a different approach to their OT networks and how to respond to incidents.
“ICS/OT systems and networks are typically sensitive to availability and integrity requirements, requiring the Incident Response procedures to consider how systems can be interacted with for forensic collection,” the security group explains.
“Those considerations should be documented in an ICS/OT specific response plan, which may have to cater for different systems used across an ICS/OT operator’s estate, such as different sites, industrial processes, or functionality of the systems.”
Should an attack occur (somethings RITICS said is likely to happen with most companies sooner than later) the group said that properly identifying and isolating an attack will be key to minimizing damage.
“Operations, engineering, and maintenance teams will know your systems best and how they behave,” the group noted.
“Training these teams to report suspicious behavior, and building a culture that encourages the reporting of suspicious behavior is a necessary long-term organizational activity, that will increase event detection coverage, and also helps to raise awareness of cybersecurity with those who do not perform cybersecurity roles full time.”
Ultimately, RITICS said securing OT and ICS depends less on knowing what security protections an organization has in place than knowing how to properly implement them and analyze the collected data from incidents.
“Regardless of the choices that ICS/OT operators make in terms of threat detection technology deployment, services, or in-house capability, they should have a clear understanding of what logging and monitoring coverage exists today for their environment,” said RITICS.
“This is key to help understand potential gaps and improvements to logging and monitoring coverage. Even more importantly, it provides the incident response team (however it is composed) with a clear picture of where and how to collect logs to facilitate analysis.”
