Navigating an OT Cybersecurity Transformation

The gap between IT and OT systems has been steadily closing in recent years, making systems more operationally efficient and “smarter.” That’s the good news. The bad news is that this shift can open OT assets – which control critical infrastructure – to increased risk of cyber-attacks. These attacks can result in significant damage to your equipment, to your team, and to your bottom line.

Until recently, OT assets were not designed or deployed with cybersecurity in mind. Over the past decade of working with clients across multiple industries, ACE has seen a significant shift in awareness around OT cybersecurity risks and the priority level these companies put on proactively identifying and addressing OT cybersecurity gaps.  

As an example, let’s walk through a multi-year journey we had with a global nutritional supplement manufacturer as their organization has shifted from no cybersecurity policy or awareness, to loose policies that not everyone in the company was aware of, to a fully scalable cybersecurity program implemented across their sites worldwide.

Cybersecurity Readiness Level 1: Partial Awareness

I personally started working with this customer in 2017 on a traditional control system modification for a single system at the company’s largest site. Cybersecurity was not on their minds at the time and was not part of the conversation. Cybersecurity risk management had not been formalized or documented at the company, putting them at the lowest level of readiness on the NIST scale of cybersecurity framework maturity.

Cybersecurity Readiness Level 2: Risk Informed

The following year, the company’s corporate office established cybersecurity standards and audited each of their sites against the new guidelines. While it wasn’t surprising to our customer that their site did not fully meet the new corporate guidelines, the team was surprised by how far off they were and by the magnitude of changes needed to become fully compliant.

They reached out to ACE and requested a quote for remediating the cybersecurity issues, including projects such as implementing new policies and SOPs, modifying networks to support a zone-and-conduit philosophy, performing upgrades, and installing new infrastructure to deploy cybersecurity services.

Upon reviewing the audit findings, we quickly realized that bringing them into cybersecurity compliance would be a significant undertaking. But not only would the implementation be significant, multiple discussions that would affect design decisions needed to occur before implementation could even be budgeted. Therefore, we worked with the customer to create a comprehensive plan for creating a security program, including policies, procedures, design, and implementation. This plan outlined design and implementation phases for each of seven process areas, all reflecting the company’s specific structure and goals, to bring them into compliance. It became clear that larger decisions needed to be made at the corporate level.

Cybersecurity Readiness Level 3: Repeatable Processes

At this point, the corporate team recognized that most sites were deficient and engaged two large consultancies to advise on developing an enterprise-wide plan to ensure that each site could implement a consistent program to protect against threats across each of their sites. This was a board-level initiative that took nearly two years of work including pilot projects before they were ready to implement compliance at each of their sites. Once they were ready, our customer once again reached out to ACE to request our help at their largest facility.

Our work included upgrades to six of their eight control systems as well as an overarching owner/agent role that bridged OT concerns and managed projects across five different constituencies, including other system integrators involved in the project, the IT support team, the site engineering staff, site management, and the central project management team.

Cybersecurity Readiness Level 4: Adaptable Processes

The team followed a phased approach to implementing this cybersecurity transformation. Phase one involved implementing strict firewall rules, especially around portions of their control systems that were exposed to the Internet. Locking those down and implementing new firewall rules ensured the control systems were strictly segregated from the other plant office networks.

The next step was implementing a new cybersecurity policy that covered the entire site. Together with the customer and the corporate consultants, we establish roles and responsibilities, and defined site SOPs such as backup and restore procedures.

Thirdly, the team redesigned the underlying network architectures to follow the zone-and conduit approach and added security networks to support required tasks including automatic backup and recovery, remote access, automated patching services, and Active Directory. In parallel, ACE implemented end-point hardening including IDS/anti-virus, patching, removal of default passwords, and removal of unnecessary applications.

The final step was to select and activate third-party network monitoring tools to ensure the updated network would continue to operate securely well into the future, and that any future issues will be quickly identified and addressed. Moving forward, the company plans to regularly conduct risk assessments and adjust security policies and procedures to take advantage of new solutions and remediate vulnerabilities to new threats.

By working creatively, responsively, and with great attention to detail, we were able to help the customer close the gaps and bring its OT cybersecurity transformation to a successful conclusion.

Partnering with ACE on Your Cybersecurity Journey

Regardless of where your organization is in terms of cybersecurity readiness, ACE can help reduce risk and increase security of your OT assets – from initial evaluation of your cyber posture to system upgrades to mitigation planning. Because ACE brings cross-domain skills in control systems, networking, IT systems, and integration, we can make your cybersecurity upgrades as efficient and seamless as possible.

Contact us to get started today.