What are the best practices for securing OT systems?
In our case, the micro-segmentation is all manual, not automatic. When I started I asked the lab manager how many machines they have and he said, "You can't have more than 20 in one lab." When the risk management scanner lit up, we saw that we had IP addresses for four times that amount in just one lab. It was like, "Where are these coming from? What are they doing?" And we monitor everything, including air quality. Those devices are all taking up IP address space. So we looked at the different types of devices and put them into their specific VLAN. Traffic can flow between but it’s all manual. We had to create slightly coarse rule sets; they’re not fine-grained by any means. So that's how we handled that situation.
Microsegmentation can be done, it’s just not easy. Once you validate that whole network, it is a fancy one to upkeep after that, because when vendors come in and want to make changes, of course we have to deal with the paperwork. So our policy says that if there are minor ports that have to go between the micro-segments inside, that's okay. We don't need to really go to quality assurance (QA) and scramble, but we really need the change control. So that's how we overcame that. And we did not introduce many new devices afterward, unless something broke. That's when we made any changes.
Crazy. I really don't miss SOPs. We still have change control but that's for the developers. Even in IT infrastructure, we had to change control for every single thing.
I would actually approach this from a backward standpoint as these machines aren't internet-facing. They're connected to each other and need to talk to each other, but they have to run really old assets. I would put them in an isolated network so that they couldn't spread anything outside that network and I would actually mandate that they don't run decryption.
I would probably put host-based and possibly even network-based intrusion detection with antivirus signature capabilities in between the machines, because that's probably where your machines got infected. And where it got lost is that they probably required encrypted connectivity, which allows the virus to go in. If it had been unencrypted, your antivirus might have had a greater chance of detecting and stopping it.
That sounds like a lot of work and maintenance. Just saying.
It is, but so is running machines that are running on C.
I've hit Operational Technology (OT) security from a couple of different companies so I’ve seen how they protect their environments and how they approach security in the first place. A lot of these places still have the 30-year-old Rockwell machines or devices run by Windows CE. And there are a lot of 3.11 machines out there that are running these things because they can't change them. So a lot of the solutions I saw for security were to create a whole bunch of ethernet local-area networks (ELANs) and access control lists (ACLs) and manage what those machines do.
But when I was at Armis, we got a different perspective on how to really look at what these machines were doing. We looked at whether they were out of date, what kind of network traffic they're putting out, and if there's any misaligned traffic—if they're doing anything mischievous that you should know about. Their approach was from a visibility angle and that seemed to work well with a lot of the huge manufacturing companies they had as customers.
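Added example (not code from any of the commenters above or from Armis): a small Python model of the two ideas in this thread, the coarse per-device-class VLAN plan with a manual inter-segment allow-list from the first reply, and the visibility checks from the reply above (are hosts showing up that nobody inventoried, and is traffic crossing segments it should not). The subnets, device classes, ports and flow records are all constructed for illustration; the "expected" counts stand in for what a lab manager told the first commenter.

```python
import ipaddress
from collections import Counter

# Hypothetical segment plan: device class -> VLAN subnet (constructed for this example).
SEGMENTS = {
    "plc": ipaddress.ip_network("10.10.10.0/24"),
    "hmi": ipaddress.ip_network("10.10.20.0/24"),
    "sensor": ipaddress.ip_network("10.10.30.0/24"),   # air quality and similar monitors
    "it": ipaddress.ip_network("10.10.90.0/24"),
}

# Coarse inter-segment allow-list: (src_class, dst_class) -> permitted destination ports.
# Anything not listed is denied; this is deliberately not fine-grained, and every
# change to it is the kind of thing that goes through change control.
ALLOW = {
    ("hmi", "plc"): {44818, 2222},   # EtherNet/IP explicit and implicit messaging
    ("plc", "plc"): {44818},
    ("it", "sensor"): {443},
    ("it", "hmi"): {3389},
}

def classify(ip):
    """Map an address to its device class by the segment it lives in."""
    addr = ipaddress.ip_address(ip)
    for cls, net in SEGMENTS.items():
        if addr in net:
            return cls
    return "unknown"   # off-plan address: the interesting case for visibility


def flow_violations(flows):
    """Return flows whose (src segment, dst segment, dport) is not on the allow-list."""
    bad = []
    for f in flows:
        s, d = classify(f["src"]), classify(f["dst"])
        if f["dport"] not in ALLOW.get((s, d), set()):
            bad.append({**f, "src_class": s, "dst_class": d})
    return bad


def inventory_drift(seen_hosts, expected_per_class):
    """Compare hosts actually seen on the wire with what the lab manager expects."""
    counts = Counter(classify(h) for h in seen_hosts)
    return {cls: (expected_per_class.get(cls, 0), n)
            for cls, n in counts.items()
            if n > expected_per_class.get(cls, 0)}


# Constructed flow records (what a passive sensor or flow collector might hand you).
FLOWS = [
    {"src": "10.10.20.5", "dst": "10.10.10.7", "dport": 44818, "proto": "tcp"},  # HMI -> PLC, fine
    {"src": "10.10.30.12", "dst": "10.10.10.7", "dport": 502, "proto": "tcp"},   # sensor -> PLC on Modbus
    {"src": "10.10.90.3", "dst": "10.10.10.7", "dport": 22, "proto": "tcp"},     # IT -> PLC over SSH
    {"src": "10.10.10.7", "dst": "8.8.8.8", "dport": 53, "proto": "udp"},        # PLC talking off-plan
    {"src": "10.10.90.3", "dst": "10.10.20.5", "dport": 3389, "proto": "tcp"},   # IT -> HMI RDP, fine
]

# Constructed host list: 25 sensors where the lab manager expected at most 20.
SEEN_HOSTS = [f"10.10.30.{i}" for i in range(1, 26)] + ["10.10.10.7", "10.10.10.8", "10.10.20.5"]
EXPECTED = {"plc": 10, "hmi": 5, "sensor": 20}

if __name__ == "__main__":
    for v in flow_violations(FLOWS):
        print(f"misaligned: {v['src_class']} {v['src']} -> {v['dst_class']} {v['dst']}:{v['dport']}")
    for cls, (want, got) in inventory_drift(SEEN_HOSTS, EXPECTED).items():
        print(f"drift: {cls} expected {want}, seen {got}")
```

The off-plan destination case is the one to keep: an address that falls in no planned segment is either an undocumented device or a path out of the isolated network, and either answers "where are these coming from?" before a scanner does.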
We have a small lab with probably three or four PCs. They're all Windows; some of them were running Windows 7. I think we got rid of those and they're now Windows 10. We do not have them connected to the internet. Now they're all local. However, when they do need to download software, they go on Wi-Fi, get the software and then get off, so they are connected.
We have SentinelOne antivirus running and that's about it. And we do have it segmented. The network that's in the lab is in its own segment, but I'm always looking for ways to make sure that we keep it safer. And we do have Cyberhawk running on all our on-prem equipment, which is an intrusion and malware detector. We have a fractional CISO who's monitoring that for us. So far, the alarms for that have come from the intercom and a camera that were all running firmware that wasn't patched.