Safety hard hat helmet hanging on factory shelf showing OT security

How To Stop a Shutdown Before It Happens: The Importance of OT Security, Monitoring, and Response

What if your organization was forced to shut down all of its operating equipment for several days?

That nightmare scenario was made real for Colonial Pipeline when the company suffered a cyberattack in May of this year. The oil and gas provider—responsible for the largest pipeline in the U.S.— was left with no choice but to shut down roughly 5,500 miles of pipeline systems. They also paid more than $4 million in ransom to the hackers who breached their system.

In this case, the hack wasn’t intended to affect Colonial Pipeline’s operational technology (or OT)—it was aimed instead at their IT systems. But the company couldn’t take any chances. If the hackers had gained access to the physical devices that make up the pipeline, the damage could have been irreparable.

In hindsight, we can see how Colonial Pipeline was teetering on the edge of complete disaster. What most leaders don’t realize, however, is how gaps in their own OT systems could leave them vulnerable to a similar shutdown.

How can they prevent this? The first step is to understand exactly what OT is, and then ensure they have a system in place to monitor and protect it.

OT can be defined as all of an organization’s non-IT devices and equipment that are connected to the network. Examples might include a building management system, an ATM machine, or even a diagnostic device used in a hospital. The network connectivity of these devices gives hackers an opportunity to compromise them and gain unauthorized access to business systems.

The good news is that there is an increasing awareness about the importance of addressing OT security concerns. Headlines like the Colonial Pipeline hack are convincing leaders to make an organizational and financial commitment to protecting their OT devices.

But of course, for most organizations, that will mean closing a few gaps between IT and OT in the process.

IT security teams tend to have mature active monitoring capabilities, vulnerability management tools, and remote remediation capabilities for IT devices—but most of those tools and resources are not available or can’t be used for OT security.

For example, active monitoring simply can’t be performed on most OT devices because the installed operating system is often not configured for active monitoring tools. So, in many cases, active monitoring may cause these OT devices to crash or become unresponsive.

Further complicating the issue is the problem of authorization. Oftentimes security remediation for OT devices can only be executed by authorized, trained, and certified technicians and engineers—not IT security teams. And in some cases, that may only include OEM or third-party service providers.

For these reasons, closing the IT-OT gap will require process improvements and the implementation of modern, cloud-based service management technology. So, what does that look like, exactly?

Often, organizations track their devices and equipment procurement, onboarding and maintenance records in multiple inventory databases and work order management systems. This introduces ambiguity and complexity, making achieving a successful OT security posture expensive, and time-consuming. There’s a constant need to correlate, contextualize, and normalize data.

Thus, first and foremost your team responsible for OT should have a trusted OT inventory housed on one platform with a single database, containing information reflecting condition, disposition, and location of all OT devices.

What’s more, you need to record device data as part of your standard onboarding process; without it, it’s difficult to determine device disposition, maintenance, and cyber security status. This allows for full visibility into the context of each device, including—but not limited to—what software it’s running, when it was last updated, and who the device owner is.

Without this common database for device matching, contextualization, and OT security event correlation, timely remediation becomes far more difficult. And in a situation like a cyberattack, where every second counts, speed of remediation can mean everything.

Next, this database needs to be integrated with an OT security monitoring tool. These tools are designed specifically for the intricacies and uniqueness of OT devices such as embedded software and differing network communications protocols. That means that when a security event takes place, the response team will be able to see this information, matched to the device details in that single inventory, all in one place. They’ll know exactly what kind of work order should be generated—and which qualified technician should be dispatched—to remediate the issue quickly and effectively.

And remediation is the critical step. So, the single inventory, the security monitoring must be coupled with pre-integrated vulnerability data sources. Examples are the National Institute of Standards and Technology (NIST), Common Weakness Enumeration (CWE), Common Platform Enumeration (CPE), and Common Vulnerabilities and Exposures (CVE) vulnerability data import​s. And, matching of documented vulnerabilities from NIST/MITRE Corporation​.

Because an organization may have thousands of OT devices, an orchestrated, automated response is necessary. Thus, what’s needed is a rules-based identification algorithm that identifies your OT device or OT devices that are affected by the event or vulnerability. And, the security context and impact of the event, including what patch, configuration change, or mitigating controls are required to then determine the remediation priority. Then the orchestration of the next steps, including kicking off remediation workflows to generate a work order or investigative work order can be achieved.

An additional benefit of using a single platform to manage OT devices is that it allows for every event to be tracked, time stamped, date stamped and available as data for reporting and compliance purposes. This includes security events as well as routine maintenance like software updates and device onboarding.

Using this model, information security, IT, and device support teams each have full visibility and reporting on all OT-related activities. This combination of device context, team collaboration, and well-documented remediation processes—bolstered by a single enterprise-wide platform—helps keep all OT equipment safe and resilient.

Closing the IT-OT gap will require process improvements and the implementation of modern service management technology. #cybersecurity #respectdataClick to Tweet

In a world where a single security breach can shut down an entire coastline’s worth of equipment, the capabilities mentioned above will only become more important. Being prepared early will save your organization time and costs while helping to prevent major logistical headaches.


Founder and CEO at Nuvolo