1. Define roles and responsibilities
Appoint an OT security manager for each facility, who is responsible for assigning and documenting roles and responsibilities related to security for all workers, senior managers and any third parties.
2. Ensure appropriate training and awareness
All OT staff must have the required skills for their roles. Employees at each facility must be trained to recognize security risks, the most common attack vectors and what to do in case of a security incident.
3. Implement and test incident response
Ensure each facility implements and maintains an OT specific security incident management process that includes four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.
4. Backup, restore and disaster recovery
Ensure proper backup, restore and disaster recovery procedures are in place. To limit the impact of physical events such as a fire, do not store backup media in the same location as the backed-up system. The backup media must also be protected from unauthorized disclosure or misuse. To cope with high-severity incidents, it must be possible to restore the backup on a new system or virtual machine.
5. Manage portable media
Create a policy to ensure all portable data storage media, such as USB sticks and portable computers, are scanned, regardless of whether a device belongs to an internal employee or to external parties such as subcontractors or equipment manufacturer representatives. Only media found to be free of malicious code or software can be connected to the OT environment.
6. Have an up-to-date asset inventory
The security manager must keep a continuously updated inventory of all OT equipment and software.
7. Establish proper network segregation
OT networks must be physically and/or logically separated from any other network, both internally and externally. All network traffic between an OT network and any other part of the network must go through a secure gateway solution such as a demilitarized zone (DMZ). Interactive sessions to OT must use multi-factor authentication at the gateway.
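As an added illustration of this control (not code from the Gartner report), the following Python check audits constructed network flow records against the rule: the zone prefixes, the gateway address and the interactive-port list are assumptions for the example.

```python
"""Audit flow records against the OT segregation rule (constructed example)."""
from dataclasses import dataclass

# Assumed zone layout: corporate, DMZ and OT address ranges (hypothetical).
ZONES = {"10.10.": "corporate", "10.20.": "dmz", "10.30.": "ot"}
GATEWAY = "10.20.0.5"                 # the DMZ gateway host (hypothetical)
INTERACTIVE_PORTS = {22, 3389, 5900}  # SSH, RDP, VNC


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    mfa: bool = False  # True when the gateway recorded an MFA-authenticated session


def zone(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is external."""
    for prefix, name in ZONES.items():
        if ip.startswith(prefix):
            return name
    return "external"


def check_flow(flow: Flow) -> list:
    """Return the rule violations for one flow; an empty list means compliant."""
    violations = []
    s, d = zone(flow.src), zone(flow.dst)
    if d == "ot" and s != "ot":
        # Inbound traffic to OT may only originate from the DMZ gateway...
        if flow.src != GATEWAY:
            violations.append("direct access to OT bypasses the DMZ gateway")
        # ...and interactive sessions through the gateway require MFA.
        elif flow.dport in INTERACTIVE_PORTS and not flow.mfa:
            violations.append("interactive session to OT without MFA at gateway")
    if s == "ot" and d not in ("ot", "dmz"):
        violations.append("OT-initiated traffic leaves the OT/DMZ boundary")
    return violations


def audit(flows: list) -> dict:
    """Index of each non-compliant flow mapped to its violations."""
    return {i: v for i, f in enumerate(flows) if (v := check_flow(f))}


# Constructed sample flows, not real traffic.
SAMPLE = [
    Flow("10.10.1.7", "10.30.0.12", 502),              # corporate host straight to a PLC
    Flow("10.20.0.5", "10.30.0.12", 3389, mfa=False),  # RDP via gateway, no MFA
    Flow("10.20.0.5", "10.30.0.12", 3389, mfa=True),   # RDP via gateway with MFA
    Flow("10.30.0.12", "203.0.113.9", 443),            # OT device reaching the internet
    Flow("10.30.0.12", "10.30.0.13", 502),             # OT-internal Modbus traffic
]

if __name__ == "__main__":
    for i, v in audit(SAMPLE).items():
        print(i, SAMPLE[i], v)
```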
8. Collect logs and implement real-time detection
Appropriate policies or procedures must be in place for automated logging and review of potential and actual security events. These should include clear retention times for security logs and protection against tampering or unwanted modification.
9. Implement a secure configuration process
Secure configurations must be developed, standardized and deployed for all applicable systems, such as endpoints, servers, network devices and field devices. Endpoint security software, such as anti-malware, must be installed and enabled on all components in the OT environment that support it.
10. Formal patching process
Implement a process to have patches qualified by the equipment manufacturers before deployment. Once qualified, patches may only be deployed on the appropriate systems at a pre-specified frequency.
Gartner clients can read more in the report “Reduce Risk to Human Life by Implementing this OT Security Control Framework.”
About Gartner Security & Risk Management Summits
Gartner analysts will provide the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summits 2021, taking place September 20-22 in Orlando, FL, October 6-8 in Tokyo and November 29-December 1 in London. Follow news and updates about the conferences on Twitter using #GartnerSEC.
About the Gartner Information Technology Practice
The Gartner IT practice provides CIOs and IT leaders with the insights and tools to drive the organization through digital transformation to lead business growth. Additional information is available at https://www.gartner.com/en/information-technology. Follow news and updates from the Gartner IT practice on Twitter and LinkedIn using #GartnerIT.