One of the fastest-rising priorities for U.S. federal agencies is operational technology (OT) cybersecurity. Federal cyber-physical systems (CPS) are heavily targeted by advanced adversaries who have increasingly homed in on the OT environment, so the greater complexity of OT devices relative to their IT counterparts becomes an even larger concern.
In order to gain a better understanding of the current standards and priorities of federal OT leaders, MeriTalk, in partnership with Claroty, surveyed 100 Federal security administrators and managers overseeing OT in Federal civilian and Department of Defense (DoD) organizations. Our report, Guardians of Government: The State of Federal OT Security, highlights the significant data points and trends from the survey.
We’ve taken a deep dive into some of the most important insights from the survey to highlight the current state of Federal OT security, critical strategy gaps, and recommendations to strengthen federal cybersecurity.
Understanding how other federal OT leaders are thinking about their OT cybersecurity strategies, including priorities, deficiencies, and steps to take for overall improvements, can bring a greater understanding of how your agency stacks up. Find key takeaways below and see how your federal agency’s strategies align.
An overwhelming majority - 90% - of Federal OT leaders reported that their agency has increased the priority of OT cybersecurity in the past two years. The two most commonly cited areas of OT in each agency’s operational environment were IoT devices (69%) and building automation/management or facility-related control systems (62%).
Although OT security is increasingly being prioritized and invested in, it also poses some unique challenges. The two most pressing are the complexity of OT environments, including geographic distribution, and the lack of standardization across OT systems. These challenges were reported as the most significant obstacles to OT security efforts outside of budget constraints.
With a greater emphasis on OT environments, federal leaders are increasing their investment in OT security, with network protection and asset management being the two leading implemented capabilities. And now OT and IT security teams increasingly share reporting structure, allowing opportunities for improved cooperation, sharing of insights, more comprehensive visibility across the whole of the network and its security gaps, and thus a more strategic, end-to-end security approach.
Although Federal agencies place such a strong emphasis on OT cybersecurity, only 20% of agencies grade themselves an ‘A’ in IT cyber preparedness. In fact, only 55% of respondents reported feeling very confident that they could detect and mitigate a threat.
When leaders were asked to identify the most important steps their agencies could take to enhance OT security, the top two answers were:
Best practices adoption/process improvements, including network segmentation/isolation, and
Upleveling of skills, including increased cyber awareness and training
In addition to these proactive steps to educate members of each agency and adopt best practices, survey respondents identified the top three deficiencies that must be addressed in order to effectively secure OT assets.
To better understand why nearly half of respondents did not feel confident they could detect and mitigate a threat to the OT environment, we need to take a look at the top deficiencies in federal OT programs. Survey respondents pointed to a number of gaps currently impacting their OT cybersecurity, with the top three identified as:
Lack of network visibility
Secure access and remote monitoring
Exposure management
Let’s explore each of these deficiencies and what can be done to improve each one.
Network visibility can be particularly challenging in the federal OT cyber space because of the breadth of devices across numerous environments. The diversity of devices means Federal OT leaders are rightfully concerned about not only keeping track of all of them, but also the devices’ protocols, communications patterns, and risk profiles. This means visibility is only the first step in keeping them secure.
Comprehensive network visibility is a cornerstone of Claroty’s offering, which uses five different collection methods to achieve it. These multiple discovery techniques not only profile all CPS assets but also map the network communications among assets, the protocols used, and the patterns of those communications. This insight forms the foundation for threat detection and mitigation.
The Claroty security platform, provisioned for either on-premises or cloud, monitors the network to establish the baseline for normal asset behavior on the network. Comprehensive network visibility provides insights on:
Network connectivity
Network hygiene
Quantity and type of network transmissions
Numbers of lost packets
Traffic volumes
Bandwidth used
Once this baseline is well understood, the platform can actively monitor and analyze OT network traffic to detect abnormal behavior and, by extension, potential risks, including misconfigurations, operational practices that may affect security, and system-related practices that are currently degrading the security posture. Consider the example of multiple server message block (SMB) login attempts. Traffic analysis of this kind distinguishes whether the attempts are the effect of an SMB misconfiguration (repeated failures between the same two assets) or whether they are occurring between several different assets in an unexpected pattern that matches a threat signature for a Trojan, and can then be verified against the signature of an actual latent threat.
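The SMB example above, as an added illustration that is not Claroty's code: a learning window of connection records establishes which (source, destination, port) pairs are normal, and the monitoring window's SMB authentication failures are then labelled either as repeated failures to an already-known peer (the misconfiguration case) or as a fan-out to peers the source has never talked to (the pattern worth correlating with threat signatures). All flow records, hosts and the fan-out threshold are constructed assumptions.

```python
from collections import defaultdict

SMB_PORT = 445

# Constructed learning-window flows (src, dst, dst_port, auth outcome), not a
# real capture: what the network looked like while behaving normally.
BASELINE_FLOWS = [
    ("10.1.0.5", "10.1.0.20", 445, "ok"),
    ("10.1.0.5", "10.1.0.20", 445, "ok"),
    ("10.1.0.7", "10.1.0.20", 445, "ok"),
    ("10.1.0.9", "10.1.0.21", 445, "ok"),
]

# Constructed monitoring-window flows: host .5 keeps failing against its usual
# file server (a stale credential), while host .9 fails against three peers it
# never spoke to during the baseline.
WINDOW_FLOWS = [
    ("10.1.0.5", "10.1.0.20", 445, "fail"),
    ("10.1.0.5", "10.1.0.20", 445, "fail"),
    ("10.1.0.5", "10.1.0.20", 445, "fail"),
    ("10.1.0.9", "10.1.0.21", 445, "ok"),
    ("10.1.0.9", "10.1.0.30", 445, "fail"),
    ("10.1.0.9", "10.1.0.31", 445, "fail"),
    ("10.1.0.9", "10.1.0.32", 445, "fail"),
    ("10.1.0.7", "10.1.0.20", 445, "ok"),
]


def build_baseline(flows):
    """Set of (src, dst, port) pairs observed during the learning window."""
    return {(src, dst, port) for src, dst, port, _ in flows}


def classify_smb_failures(baseline, flows, fanout_threshold=3):
    """Group SMB auth failures per source host and label the pattern.

    fanout_threshold (assumed value) is how many never-before-seen peers a
    single source must fail against before the pattern is escalated.
    """
    failed_peers = defaultdict(set)
    for src, dst, port, outcome in flows:
        if port == SMB_PORT and outcome == "fail":
            failed_peers[src].add(dst)
    verdicts = {}
    for src, peers in failed_peers.items():
        novel = {d for d in peers if (src, d, SMB_PORT) not in baseline}
        if len(novel) >= fanout_threshold:
            verdicts[src] = "fan-out to unseen peers: correlate with threat signatures"
        elif not novel:
            verdicts[src] = "repeated failures to known peer: likely misconfiguration"
        else:
            verdicts[src] = "new SMB peer: review"
    return verdicts
```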
Secure access and remote monitoring is key in environments where many people - such as your employees, your contractors and your vendors - need legitimate access to your OT network and the many assets that must be maintained. In the MeriTalk survey, Federal OT leaders rightfully expressed concern about this remote access.
Claroty provides a means to securely manage remote access by anyone you deem necessary and maintain ongoing visibility to their active sessions. This means any anomalous behavior is detected and allows Federal OT operators and managers to take action in real-time to stop active sessions if and when necessary to minimize risk.
In order to maintain an active, successful security program, it’s imperative to stay on top of exploitable and actively exploited vulnerabilities and other forms of risk. Exposure management is particularly important for Federal organizations because of the highly targeted nature of Federal networks and the complexity noted in the report. New vulnerabilities and threats emerge daily in these highly targeted networks, making it even more important to have an exposure management strategy that can immediately identify and prioritize vulnerabilities before adversaries have the opportunity to capitalize on them.
Claroty’s unique risk framework, data feeds from CISA’s KEV and the EPSS, and multiple exposure considerations highlight specific attack vectors, assess exploitability and impact, and provide quantified remediation recommendations.
With the specific recommendations, users can prioritize remediation efforts based on their desired outcomes and timing.
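The prioritization described above, as an added example that is not Claroty's risk framework: each finding is ranked by exploitability (CISA KEV membership first, then EPSS probability), multiplied by how exposed and how critical the asset is, with CVSS only as a tiebreaker, so that a high-CVSS flaw on an isolated controller ranks below a KEV entry on a reachable workstation. The CVE identifiers, KEV subset, EPSS values, weights and asset inventory are all constructed placeholders.

```python
# Constructed placeholder data, not real advisories or feeds: CVE ids of the
# form CVE-0000-NNNN, an assumed KEV subset and made-up EPSS probabilities.
KEV = {"CVE-0000-0001"}
EPSS = {"CVE-0000-0001": 0.12, "CVE-0000-0002": 0.91, "CVE-0000-0003": 0.03}

# Constructed findings: 'reachable' means the asset is remotely accessible
# (e.g. through a remote-access path); 'critical' marks process-critical assets.
FINDINGS = [
    {"asset": "plc-01", "cve": "CVE-0000-0003", "cvss": 9.8, "reachable": False, "critical": True},
    {"asset": "hmi-02", "cve": "CVE-0000-0002", "cvss": 7.5, "reachable": True, "critical": True},
    {"asset": "eng-ws-03", "cve": "CVE-0000-0001", "cvss": 6.5, "reachable": True, "critical": False},
    {"asset": "bms-04", "cve": "CVE-0000-0003", "cvss": 9.8, "reachable": True, "critical": False},
]

# Assumed weights: unreachable assets and non-critical assets are discounted.
UNREACHABLE_WEIGHT = 0.3
NONCRITICAL_WEIGHT = 0.6


def exploitability(cve, kev=KEV, epss=EPSS):
    """KEV membership means observed exploitation, so it outranks any EPSS estimate."""
    return 1.0 if cve in kev else epss.get(cve, 0.0)


def score(finding, kev=KEV, epss=EPSS):
    """Exploitability x exposure x impact on a 0-100 scale, plus CVSS as tiebreak."""
    exposure = 1.0 if finding["reachable"] else UNREACHABLE_WEIGHT
    impact = 1.0 if finding["critical"] else NONCRITICAL_WEIGHT
    base = exploitability(finding["cve"], kev, epss) * exposure * impact * 100
    return round(base + finding["cvss"], 2)


def recommend(finding, kev=KEV, epss=EPSS):
    """Turn the ranking into a concrete remediation action (assumed policy)."""
    if finding["cve"] in kev and finding["reachable"]:
        return "patch now: known-exploited and reachable"
    if exploitability(finding["cve"], kev, epss) >= 0.5:
        return "patch this cycle or restrict reachability"
    if not finding["reachable"]:
        return "schedule with next maintenance window; keep segmented"
    return "track; apply compensating controls if exposure changes"


def prioritize(findings, kev=KEV, epss=EPSS):
    """Findings ordered highest score first, each paired with its action."""
    ranked = sorted(findings, key=lambda f: score(f, kev, epss), reverse=True)
    return [(f["asset"], f["cve"], score(f, kev, epss), recommend(f, kev, epss)) for f in ranked]
```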
With so many areas of potential improvement and adoption of best practices identified in the survey, it can be difficult to know where to begin to strengthen OT security within your agency. Luckily, Claroty’s expertise in CPS protection - across thousands of deployments, over twenty million assets protected, and over four hundred protocols supported - and proven strategies to address each deficiency named in the survey is the ideal place to start.
Learn how to improve significant areas of visibility through exposure management or implement key best practices like network segmentation. To discover the specific OT security platforms Claroty offers and determine the best fit for your agency’s cybersecurity program, get in touch with a member of our team today.