What are the best practices for securing OT systems?
CISO in Software, 201 - 500 employees
I would actually approach this from a backward standpoint as these machines aren't internet-facing. They're connected to each other and need to talk to each other, but they have to run really old assets. I would put them in an isolated network so that they couldn't spread anything outside that network and I would actually mandate that they don't run decryption. I would probably put host-based and possibly even network-based intrusion detection with antivirus signature capabilities in between the machines, because that's probably where your machines got infected. And where it got lost is that they probably required encrypted connectivity, which allows the virus to go in. If it had been unencrypted, your antivirus might have had a greater chance of detecting and stopping it.
CISO in Software, 51 - 200 employees
That sounds like a lot of work and maintenance. Just saying.
CISO in Software, 201 - 500 employees
It is, but so is running machines that are running on C.
CISO, 201 - 500 employees
In our case, the micro-segmentation is all manual, not automatic. When I started I asked the lab manager how many machines they have and he said, "You can't have more than 20 in one lab." When the risk management scanner lit up, we saw that we had IP addresses for four times that amount in just one lab. It was like, "Where are these coming from? What are they doing?" And we monitor everything, including air quality. Those devices are all taking up IP address space. So we looked at the different types of devices and put them into their specific VLAN. Traffic can flow between but it’s all manual. We had to create slightly coarse rule sets; they’re not fine-grained by any means. So that's how we handled that situation.

Micro-segmentation can be done, it’s just not easy. Once you validate that whole network, it is a fancy one to upkeep after that, because when vendors come in and want to make changes, of course we have to deal with the paperwork. So our policy says that if there are minor ports that have to go between the micro-segments inside, that's okay. We don't need to really go to quality assurance (QA) and scramble, but we really need the change control. So that's how we overcame that. And we did not introduce many new devices afterward, unless something broke. That's when we made any changes.
CISO in Software, 51 - 200 employees
Crazy. I really don't miss SOPs. We still have change control but that's for the developers. Even in IT infrastructure, we had to change control for every single thing.
SVP, Business Technology & Digital Health, 11 - 50 employees
We have a small lab with probably three or four PCs. They're all Windows; some of them were running Windows 7. I think we got rid of those and they're now Windows 10. We do not have them connected to the internet. Now they're all local. However, when they do need to download software, they go on Wi-Fi, get the software and then get off, so they are connected.

We have SentinelOne antivirus running and that's about it. And we do have it segmented. The network that's in the lab is in its own segment, but I'm always looking for ways to make sure that we keep it safer. And we do have Cyberhawk running on all our on-prem equipment, which is an intrusion and malware detector. We have a fractional CISO who's monitoring that for us. So far, the alarms for that have come from the intercom and a camera that were all running firmware that wasn't patched.
But when I was at Armis, we got a different perspective on how to really look at what these machines were doing. We looked at whether they were out of date, what kind of network traffic they're putting out, and if there's any misaligned traffic—if they're doing anything mischievous that you should know about. Their approach was from a visibility angle and that seemed to work well with a lot of the huge manufacturing companies they had as customers.
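As an added illustration of two points made in this discussion (the per-device-type VLANs with coarse, change-controlled rule sets described by the CISO above, and the visibility angle of checking each device's actual traffic for anything misaligned), here is a small policy checker. It is example code written for this page, not anything from the participants or from Armis; the segment names, subnets, ports, expected device counts and flow records are all constructed.

```python
"""Manual micro-segmentation policy for a lab network, reviewed against
constructed flow records. Every identifier below is a constructed example."""
import ipaddress
from dataclasses import dataclass

# One VLAN per device type (subnets constructed for illustration).
SEGMENTS = {
    "lab-pcs":     ipaddress.ip_network("10.10.1.0/24"),
    "instruments": ipaddress.ip_network("10.10.2.0/24"),
    "env-sensors": ipaddress.ip_network("10.10.3.0/24"),   # air quality etc.
    "mgmt":        ipaddress.ip_network("10.10.9.0/24"),   # IDS, jump host
}

# Coarse allow-list between segments: (src, dst) -> permitted destination ports.
# Anything not listed is denied; traffic inside one segment is left alone.
ALLOW = {
    ("lab-pcs", "instruments"): {502, 4840},   # Modbus/TCP, OPC UA
    ("env-sensors", "mgmt"): {8883},            # MQTT over TLS to a collector
    ("mgmt", "lab-pcs"): {22, 3389},
    ("mgmt", "instruments"): {22},
}

# What the lab manager says exists per segment (constructed counts).
EXPECTED_DEVICES = {"lab-pcs": 4, "instruments": 12, "env-sensors": 3, "mgmt": 2}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str):
    """Return the segment name an address belongs to, or None if unplaced."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow):
    """Verdict for one flow under the coarse policy: (allow|deny, reason)."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s is None or d is None:
        return "deny", "unknown-segment"          # an address nobody put in a VLAN
    if s == d:
        return "allow", "intra-segment"           # coarse policy does not police this
    if flow.dport in ALLOW.get((s, d), set()):
        return "allow", f"{s}->{d}"
    return "deny", f"{s}->{d}"


def add_rule(src_seg: str, dst_seg: str, port: int, change_ticket: str):
    """Cross-segment exceptions are fine, but only with a change-control reference."""
    if not change_ticket:
        raise ValueError("cross-segment rule requires a change-control reference")
    if src_seg not in SEGMENTS or dst_seg not in SEGMENTS:
        raise ValueError("unknown segment")
    ALLOW.setdefault((src_seg, dst_seg), set()).add(port)


def review(flows):
    """Flag denied flows and segments with more distinct hosts than the inventory says."""
    denied = []
    seen = {name: set() for name in SEGMENTS}
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
        for ip in (f.src, f.dst):
            seg = segment_of(ip)
            if seg is not None:
                seen[seg].add(ip)
    over_count = {seg: len(hosts) for seg, hosts in seen.items()
                  if len(hosts) > EXPECTED_DEVICES.get(seg, 0)}
    return {"denied": denied, "over_count": over_count}


# Constructed flow records, as a network sensor between the VLANs might report them.
FLOWS = [
    Flow("10.10.1.5", "10.10.2.20", 502),     # PC polling an instrument: allowed
    Flow("10.10.3.7", "10.10.9.2", 8883),     # sensor publishing telemetry: allowed
    Flow("10.10.2.20", "10.10.1.5", 445),     # instrument reaching into a PC over SMB: denied
    Flow("10.10.1.5", "10.10.1.6", 445),      # PC to PC inside one segment: not policed
    Flow("10.10.5.44", "10.10.2.20", 502),    # address in no VLAN at all: denied
    Flow("10.10.3.8", "10.10.9.2", 8883),
    Flow("10.10.3.9", "10.10.9.2", 8883),
    Flow("10.10.3.10", "10.10.9.2", 8883),    # a fourth sensor where three were expected
]

if __name__ == "__main__":
    result = review(FLOWS)
    for flow, reason in result["denied"]:
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
    for seg, n in result["over_count"].items():
        print(f"{seg}: {n} hosts seen, {EXPECTED_DEVICES[seg]} expected")
```

The over-count check is the "four times the IPs we expected" moment from the discussion turned into a routine test, and `add_rule` encodes the rule that minor cross-segment ports are acceptable only with a change-control reference attached.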