Industrial Security controls

Posted on by Secudea

While preparing for a talk on Industrial Security Controls earlier this year for students of an Executive Master in CyberSecurity, I reflected on these controls and their presence within the different OT environments I had the privilege to walk into or assess during risk assessments.

It became very clear to me that there were a lot of similarities between each one of these environments, namely the most identified present security controls and the most identified absent or insufficient security controls.

Note that this list might not reflect the actual situation in your industrial environment, but it gives food for thought on how to identify and select the necessary security controls.

The most identified present controls over the years were:

  • Governance – while present, it is still mostly stuck in people’s heads and actions
  • Backup/Recovery – often because they had to do it already
  • Spare parts mgmt. – this one is logical as availability is most important, cooperation with solution vendors have spare parts of have these spare parts yourselves.
  • Inventory – still mostly done “on paper” and often in various documents (XLS, as built docs…)
  • Safety/Availability

The most identified missing controls over the years are (there might be more than just this list):

  • Governance – while present, it is still mostly stuck in people’s heads and actions
  • Vendor verification (including FAT/SAT testing)
  • Controlling accessibility to industrial equipment – not only physical but also logical
    • Physical access to industrial equipment – not only perimeter access but also location and device access
    • Logical – controlling what devices can be connected to the industrial equipment
    • Logical – setting up a decent account & password management system for OT
  • Secured network environment – Network Segmentation, Secure remote access, Network authentication (logical access control)
  • Complete asset inventory – this can be (partially) automated using the correct tools
  • Controlling Vulnerabilities – which includes patching within industrial environments or taking other mitigating measures

Identifying missing controls and setting priorities is best done through performing a risk assessment, taking into account all necessary factors on Logical, Human, Physical and Governance levels.