Which low-hanging fruits to grab on the OT security journey

New Zealand’s Peter Jackson from SGS (not of Lord of the Rings fame!) speaks about right-sizing cybersecurity legislature, OT security assessments and the low-hanging fruits in building resilience. He discusses with host Klaus Mochalski how an OT security assessment helps understand the risk landscape, how resilience can be hardened fast and easy, what challenges prevail in segmentation and isolation processes and why it is important to talk about genuine risks and not the bogeyman.

Duration:

25 min

Guest in this episode:

Peter Jackson

SGS

Transcript

Keywords

ICS, SANS, New Zealand, cybersecurity cost, risk analysis, vulnerabilities

‍

Takeaways

New Zealand cybersecurity legislation is likely to be similar to Australia’s SoCI regulations.

Cost of living from the power side is a strong factor in defining measures for critical infrastructure.

An OT vulnerability assessment is the first step in the OT security journey.

Risk analysis involves people, processes,networks, technologies and communication.

Any assessment will identify both low-hanging fruits and more strategic long-term measures.

OT companies should define and test their isolation processes to ensure fast and reliable disconnection of OT from IT in case of an attack.

There are several low-hanging fruits that organization can grab to build OT security fast.

To make spill-over more difficult, a clean protocol break between IT and OT can help.

Cyber resilience must be based on genuine risk scenarios that are real and palpable to get that budget.

Sound Bites

"For most industrial organizations, their core business is in that OT world. That's where they should be spending their time to improve their resilience and outcomes."

"One of my favorite tools is the SANS “5 critical controls for ICS”. It’s basically about being prepared for a bad day."

"As we've built up that connectivity and we're increasing risk, we want to move from that robustness piece into that resilience piece."

"Security always makes things a little bit harder, but we don't want to make it too hard,because then it's impossible for people to do their jobs."

Chapters

00:00 Introduction

02:00 Legislationin New Zealand

03:40 Right-sizinglegislation

04:40 Riskfrom a holistic perspective

05:10 Howan OT vulnerability assessment as the first step works

08:00 UnderstandingOT as core business

10:15 3low-hanging fruits in OT security

15:06 Thecylinder of excellence in OT security

16:52 Howto segment correctly

18:50 Challengeof new technologies in OT

20:10 Cyberresilience based on genuine risk scenarios

23:10 CommunicatingOT security to the management

23:50 Wrap-up

‍

Which low-hanging fruits to grab on the OT security journey

The 3 main homework tasks for making an IDS work

How the threat landscape for OT has changed since Colonial Pipeline

How can you train crisis management of cyber events?

OT risk analysis

OT security monitoring & NIDS

Building OT cybersecurity know-how

SIEM Integration

Security compliance

Asset detection & inventory

Condition monitoring

Mitre Att&ck for ICS integration