The needs for a security officer with developments such as Industry 4.0 and Internet of Things (IoT)
IoT Security Blog Series
Operational Technology (OT), such as critical infrastructures and industrial plants, has always been isolated from the Internet. So, for several decades, little attention has been paid to its information security. With today’s developments, such as Industry 4.0 and the Internet of Things (IoT), organizations are increasingly attracted to also connecting their factories and nation-state critical components to the Internet. Think of new solutions, such as tweaking the production rates in real time based on energy prices and 24/7 online and offline support for external suppliers, based on sensors placed on critical components in the production process.
By Michel van Veen
- OT environments connected to internet
- The first day as Global OT security officer
- How to interpret the pyramid?
- More information?
Maslow’s Pyramid for the Global OT Security Officer
At first sight, the current OT security situation may look like the IT security situation of 25 years ago, with lots of open TCP ports, missing patches and outdated anti-virus programs. Besides lots of overlap, there are also substantial differences. Instead of confidentiality, within the OT environment availability has the highest CIA score. And obviously, in OT environments it turns out to be way harder to set up a development, test and acceptance environment for testing patches.
So, how to deal with the trend of OT environments being connected to the Internet?
This question is relevant for several roles within organizations with industrial systems. Think for example about accountable Chief Information Security Officers (CISOs), (senior) engineers and (senior) operators at industrial sites who more and more need to deal with daily OT security, Supply Chain Leads who are facing OT security risks, and the Local and Global OT Security Officers who are ultimately responsible for OT security. The model presented here is of interest to all of these roles. It is presented from the perspective of a Global OT Security Officer, starting at the very beginning of his/her first day.
Your first day as Global OT security officer
Congratulations! It’s your first day as a Global OT Security Officer, working for a large industrial organization: an organization in medicals, transport or Oil & Gas. And although you hoped it to be different, this day confirms your expectations: the OT security maturity is still in its infancy. You see more people with access to the factories than strictly necessary, you see lots of accessible USB sockets, the disaster recovery plan was set up 12 years ago and has not been retested in recent years, since it wasn’t considered necessary, and so on and so forth.
Your first chats with engineers and middle management are not that promising either. You hear them say things like "our organization is an unlikely target", "security is the integrator’s responsibility", "security does not help us sell more products" and "we are not vulnerable, because our systems are isolated". The latter argument (not connected to the Internet) is actually no longer fully true, and is not realistic because of customer and business needs. This history of an isolated environment, in which each update is considered a big availability risk, led to the current situation: a flat and vulnerable OT network, and an organizational culture in which the majority of the employees perceive OT security to be unnecessary. Not the board, however. Inspired by recent incidents at competitors, reported in the news and predicted by management websites such as Gartner, the board was convinced they needed to create this position for you, and using all your IT and OT security knowledge and relevant experience you convinced them you are the ideal candidate for the job. So, here you are.
And now what? Where to start with all this room for improvement? With all these colleagues who seem to need some security awareness? All these potential threats out there, and open vulnerabilities that even seem to warmly welcome attackers to come and have some fun. In 1943, Abraham Maslow came up with the theory that human needs can be prioritized. The base of the pyramid shows physiological needs such as water, rest and food. Needs such as intimate relationships and prestige are at a higher level. Maslow’s theory is that a human being is not interested in any of the higher needs as long as lower needs have not been sufficiently fulfilled.
In the scenario sketched, with you on your first day as Global OT Security Officer of an organization that is not very mature in security, you also have a lot of needs to deal with. A structural prioritization of these needs would at least create a modicum of order in the chaos you have just landed in. To help you along on your first day, let’s use a model comparable to Maslow’s to sketch a prioritization of the needs a Global OT Security Officer would have.
How to interpret the pyramid?
The pyramid of needs presented for the Global OT Security Officer is a copy of Maslow’s pyramid. The base of the pyramid shows the basic needs you have in your new role. The higher layers are only of interest to you once the needs in the lower layers have been fulfilled. To be clear: it makes no sense to map the layers in this pyramid to the layers in Maslow’s pyramid; only the order of the needs makes the two pyramids comparable.
The second point worth mentioning is that, in line with Maslow’s pyramid, needs in a certain layer have to be fulfilled up to a certain level before someone is interested in the next level. Just like you don’t have to be stuffed with food before you are interested in having a nice conversation with a friend, there is no need to have a perfectly up-to-date and complete network diagram before you can start with hardening. This aspect needs a practical approach, to avoid focusing on Layer 1 indefinitely, because it will never be perfect. Its practical implementation is as follows:
- Continued improvement: the first time you build the pyramid up to layer 7, you follow a kind of time-boxed approach. You decide upfront how much time you want to invest in each of the activities. For example: for the first time, you invest 1 month in fastening your lifeline, 2 months in inventorying your assets, etc. Once you have reached the top, you start again at the bottom to raise the maturity to the next level.
- Build the ‘golden factory’, after which you start rolling out this concept to the other factories. In this approach, you first focus on one of the factories, and invest substantially to raise the maturity of each of the activities in the pyramid in this factory to the desired level. After that you use this factory as an example to move towards the same maturity level in the other factories.
For the full insight of the pyramid layers, please download the report.
For more information about IoT and security, please contact Dana Spataru or Michel van Veen via their contact details below.