Three essentials for a secure OT environment

Utilities looking to secure operational technology (OT) should start by understanding which assets they have deployed, remediating vulnerabilities, and automating their approach to risk. Get these steps right, and you will mitigate the risk of hackers attacking your OT.

To secure your OT systems, ServiceNow has a number of recommendations for utilities, but the top three are:

Gain visibility of industrial networks and environments with technology that won’t introduce extra load or capacity risk.

This means not just adding technology but understanding the context in which it is operating: how are programmable logic controllers connected to human-machine interfaces? What is your SCADA capability, and what does it connect to? What does all of this mean for an electricity substation or water pump station on the network? In this way, it’s possible to see how network resilience is affected.

“We can map all of that information and deliver it in a very secure way so that it can be used to support other workflows and capabilities that add value to the organisation,” says industry specialist and product director Ben Barker of ServiceNow. ServiceNow works to standards including ISA 95, an International Society of Automation standard for developing an automated interface between enterprise and control systems, and the Purdue model for industrial control security. These standards provide the foundation for end-to-end OT management.

Remediate industrial vulnerabilities.

It’s important that your OT company partners with all major equipment vendors to mitigate new threats. “When they have a known CVE [Common Vulnerabilities and Exposures], we pull that into ServiceNow and can match it against the manufacturer, the model number and the type of device, and we can show you where your vulnerabilities are on the network.”

It can be very challenging to know when and where to patch or when to remediate. “Because we understand the industrial context, we can help with which vulnerabilities to focus on,” Barker says. “Typically, we identify the 1% chance that will have the majority of the impact on the utility. We pull in the maintenance schedule to exploit scheduled downtime, rather than introducing extra downtime. Extra downtime is a non-starter for most organisations.”

Automate the approach to OT risk within the environment.

ServiceNow uses industry frameworks like IEC 62443, a series of standards defining requirements and processes for implementing and maintaining electronically secure industrial automation and control systems. Barker says: “That mandates organisations to fully understand and discover OT devices; when we discover a device, we can, as an example, automatically register a risk.” If the system combats a security threat, it automatically registers a near miss, so ServiceNow can see where risks are highest.
