New Requirements Create Resource Challenges, Especially for Small and Medium Organizations
The cyber threat environment in industrial infrastructure has escalated substantially in recent years, due to widespread ransomware attacks impacting industrial operations as well as increased activity by state actors.
On March 2, 2023, the White House released the National Cybersecurity Strategy which “will give the American people confidence in the availability and resilience of our critical infrastructure and the essential services it provides…” One of the ways it will do that is by “Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance.”
The next day, the U.S. Environmental Protection Agency (EPA) released a memorandum “stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water… EPA is taking action to protect our public water systems by issuing this memorandum requiring states to audit the cybersecurity practices of local water systems.”
It is good to see the U.S. federal government recognize these threats and take action to address them. The problem is that many of the organizations impacted by these mandates are small and medium businesses (SMBs) that do not have the resources – people or financial – to be able to address cybersecurity, especially in their industrial control systems / operational technology (ICS/OT) environments. Yet that is where the true impact of the risk lies – in the ICS/OT environment.
Implementing Change Introduces Unique Challenges
Implementing measures like the EPA mandate undoubtedly shines a light on the importance of addressing cybersecurity of public water system owners and operators. This also creates new opportunities for consulting engineers and systems integrators who design and build control systems for industrial automation to consider how these new requirements affect system design, as they are uniquely equipped as boots-on-the-ground to implement the changes necessary to protect ICS/OT infrastructure.
Designing and building these systems takes a specialized set of skills. The hardware and software deployed to automate industrial operations are unique, and traditional IT services firms typically are not equipped for or trained on such specialized tools. It’s not hard to imagine the complexity that comes into play when retrofitting cybersecurity controls onto ICS/OT systems in operation. ICS/OT systems often rely on technology features that are deemed insecure, so it takes planning and skill to customize cybersecurity recommendations and maintain operational functionality without causing significant downtime. ICS/OT devices and applications vary greatly, and the engineers securing the environment need to understand the technical dependencies of each component. If changes are not implemented carefully, the stable operation of those industrial processes can be affected.
Larger Organizations, Take Note
If you have been improving your security posture and have reduced the risk of a significant cyber-attack in your enterprise, including your OT environment, that’s excellent news! However, does your risk assessment include the possibility of a cyber-attack on one of your critical suppliers, and the impact that would have on your company’s operations? Could you still produce your product or provide services to your customers? Read on to ensure that you are quantifying the likelihood and impact of that risk correctly in light of the current threat environment. And strengthen your supply chain security risk posture by promoting OT-CERT to your suppliers!
Addressing the Resource Gap in ICS/OT Infrastructure
There are some resources available to SMBs for securing their IT infrastructure, and recently some resources have been published addressing securing the OT environment. But in reviewing those resources we found that unfortunately they address what needs to be done, not how to do it. SMBs with little to no cybersecurity expertise, especially in OT, are presented with lists of things to do but no tools that can be used to do them.
Fortunately, in June 2022 Dragos launched OT-CERT (Operational Technology Cyber Emergency Readiness Team). OT-CERT is dedicated to addressing the resource gap that exists in industrial infrastructure by providing free resources to help SMBs create or enhance their OT cybersecurity program. We provide the how – with toolkits, templates, video demonstrations, and guides that can be put into practice by people with no cybersecurity expertise. In fact, all of our resources are designed specifically for a non-security audience.
OT-CERT has almost 900 members in over 50 countries. We have provided the free resources listed below on a monthly basis, publish a monthly best practice blog for small and medium businesses, have held three tabletop exercises / workshops, and we hold monthly interactive working group sessions with our members. Every month we gather tips and tricks from our members regarding how they are using our resources and send them to all of our members.
Cybersecurity Oversight Across Sectors is Growing
The national strategy and EPA memorandum are but two of the cybersecurity-related oversight documents released by the current administration. Additional oversight includes the National Security Strategy, Executive Order 14028 (Improving the Nation’s Cybersecurity), National Security Memorandum 5 (Improving Cybersecurity for Critical Infrastructure Control Systems), M-22-09 (Moving the U.S. Government Toward Zero-Trust Cybersecurity Principles), and National Security Memorandum 10 (Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems). So if you are not in the water sector, please do not disregard the additional oversight that is likely to be coming to other industries. Supply chain has been a focus for the past few years, so our advice is to get started now – join OT-CERT and start building your OT security program!
OT-CERT Resources Available Now
The resources below are available to you NOW. Simply apply for OT-CERT, and as long as your organization owns or operates an OT environment your membership will be approved and you can get started. We look forward to working with you to safeguard civilization.
| Year | Month | Resource Type | Resource |
| --- | --- | --- | --- |
| 2023 | February | Toolkit | Guidance for host-based logging (guide and video demonstration) |
| 2023 | February | Blog | How should vendors access and transfer files to our OT network when they come onsite? |
| 2023 | January | Toolkit | Guidance for backing up critical ICS/OT data (guide and video demonstration) |
| 2023 | January | Blog | How do I know if my devices are connected to the Internet? (blog and video demonstration) |
| 2022 | December | Toolkit | OT Cyber Incident Response Plan (guide and worksheet) |
| 2022 | December | Blog | Should we pay the ransom? |
| 2022 | November | Dragos Academy | ICS Crash Course |
| 2022 | November | Blog | What should we do if a ransomware message is displayed on an asset in the OT environment? |
| 2022 | October | Toolkit | Collection Management Framework (blog, template, high-level overview video, deep dive video) |
| 2022 | September | Toolkit | OT Ransomware Self-Directed TTX (ppt and Facilitator’s Guide ppt) |
| 2022 | September | Blog | Small / Medium Organizations’ Cyber Risk |
| 2022 | July/August | Toolkit | OT Cybersecurity Fundamentals Self-Assessment (survey and guide) |
| 2022 | July/August | Toolkit | Asset Management Toolkit (guide, template, video) |