Why Is Cyber Resilience Important in ICS/OT Environments?

by Edward Amoroso, Senior Analyst, TAG Infosphere

The global cybersecurity community now understands the critical role that cyber resilience plays in the avoidance of negative consequences that result from malicious attacks. As a result, security operations teams, especially in industrial control system (ICS)/operational technology (OT) environments, have begun to include cyber resilience as a primary consideration in their strategy and planning to manage risk.

The National Institute of Standards and Technology (NIST) defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that are enabled by other cyber resources.” This implies that for critical ICS/OT infrastructure to be resilient, it must handle the types of adverse conditions one might expect in environments such as power, manufacturing, or energy.

Security teams, especially in intense operational environments, are thus advised to develop insight into and understanding of the basic tenets of cyber resilience and how it relates to security protection. Since the essence of resiliency lies in the proper handling of adverse conditions, security engineers should have little trouble adapting current methods to account for the desire to improve resilience, but they will have to improve their skills through training and simulation.

ICS/OT Security Architecture

For many years, the traditional ICS/OT environment has involved architectural network isolation of legacy and often non-standard supervisory control and data acquisition (SCADA) systems from the enterprise information technology (IT) network. Typically, an IT/OT gateway has served as the standard basis for such isolation, but modern attacks have begun to expose problems with this gateway approach, which is essentially a perimeter only.

As a result, security engineers have had to develop new solutions for addressing attacks on ICS/OT systems. This includes improvements in monitoring technology, remote management, and rapid incident response when incidents do occur. Such security improvements are typically coordinated with the IT security team, and many vendors are beginning to provide converged solutions that work on both sides of the IT/OT gateway.

In addition to these security control improvements, most companies are shifting toward a more zero-trust approach to security, which implies a reduced dependence on an external perimeter for protection. This is obviously consistent with the observation in the ICS/OT environment that reduced dependence on the IT/OT gateway is necessary. Cyber resilience and zero trust should thus emerge as complementary principles for security architects.

Establishing Cyber Resiliency

What does cyber resiliency actually mean in an ICS/OT environment? It’s the ability to anticipate, withstand, recover from, and adapt to cyber incidents affecting tangible OT systems without impacting delivery of critical services. The only way to successfully meet this high bar is through establishing effective governance, building an active defense strategy, adding layers of defense on key assets, and regularly training and testing via live simulation events.

Preparation leads to confidence in a team’s resilience strategy. It’s crucial to have a cyber simulation program that prepares IT and ICS security teams to defend against cyber threats and that accommodates their organizational structures and objectives. Cloud Range’s OT cyber simulation training allows ICS/OT security teams to practice their skills, hone their abilities, and identify any gaps, so they are measurably ready to defend against the latest threats.

EU Cyber Resiliency Act

The community watched with great interest as the European Union (EU) recently produced its landmark Cyber Resiliency Act (CRA). The prominence of such attention on the topic of cyber resiliency across the global community, including coordination between the US and EU on the topic, illustrates how serious leaders have become about ensuring that systems can continue to operate under adverse conditions. Interested readers are strongly advised to review the CRA for applicability to their environment.

Our observation at TAG is that the CRA is a first step toward a more comprehensive focus on resiliency for all aspects of both IT and OT architecture and operations. Such focus will demand the ability for teams to simulate adverse conditions to test and validate their cyber resiliency – and this implies the need for live-fire exercises that can be used to help teams prepare for such attacks.

Guest Blog Series from TAG

This is the first of a series of guest blogs from the analyst team at TAG Infosphere, in coordination with the security team at Cloud Range. The blogs explore key aspects of ICS/OT from the perspective of establishing cyber resilience. The goal of the series is to help security and business leaders, but practitioners should also find the information helpful as they work to advance their efforts in resiliency. 

In the opinion of the TAG analysts, few topics in the coming years will be as urgent or consequential as establishing an effective program of cyber resilience, particularly in ICS/OT environments. In fact, with the progression toward zero trust, where operational applications, devices, and workloads are more exposed to the internet than ever before, we can see that cyber resilience will increase in both relevance and importance.
