Stronger IT-OT Strategies & Proactive Security Measures Essential to Protect National Infrastructure from Cyber Threats: Nantha Ram Ramalingam

Nantha Ram Ramalingam is the Global Head of Cybersecurity for Manufacturing, Supply Chain, and Retail at Dyson Technology India Pvt Ltd.  

With over 15 years of experience in cybersecurity leadership, he is an expert in driving organizations to adopt robust security frameworks through strategic planning, secure system design, and effective risk management. His diverse expertise encompasses Information and Cyber Security, OT Security, Supply chain and Retail Security, Governance, Risk & Compliance.

Securitydive.in spoke to Nantha Ram who elaborated us on Operational Technology (OT). Organizations across all critical sectors must prioritize cybersecurity in their OT systems to ensure operational continuity and prevent large-scale disruptions.

Securitydive.in: How do you define OT organizational structure, reporting lines, roles, and responsibilities?

Operational Technology (OT) organizational structure typically revolves around the operational and technical management of industrial systems such as SCADA, DCS, HMI, and PLCs. It is crucial to define clear roles and responsibilities within the OT team, ensuring collaboration with IT and cyber security teams. A recommended structure includes:

• OT Manager: Oversees operational systems and ensures alignment with production goals.
• Project Manager: Oversees OT projects and initiatives.
• Network Architect/Engineer: Designs, implements, and maintains communication networks for OT systems.
• Control System Engineers: Responsible for maintaining and operating control systems.
• Maintenance Team: Ensures equipment and systems are running smoothly.
• OT Security Lead: Focuses on securing OT environments by working closely with IT security teams.
• CISO and IT Security Teams: Have oversight over cyber threats, reporting directly to senior management and maintaining cross-functional collaboration between IT and OT teams. Clear reporting lines foster faster incident response and decision-making while ensuring both operational safety and cybersecurity measures are prioritized.

Securitydive.in: What kind of drive is required to collaborate and establish common ground with the CISO, IT SecOps, and OT teams?

To establish collaboration between CISO, IT SecOps, and OT teams, the following drives are essential:

• Unified Risk Management Approach: Create a common language for risk and security goals across IT and OT teams. Shared objectives for business continuity and safety build trust and alignment.
• Cross-Training Programs: Promote mutual understanding by conducting regular training programs where OT teams understand cybersecurity requirements and IT/OT security professionals grasp the operational implications of cybersecurity measures.
• Executive Support: Strong leadership and executive sponsorship are needed to drive collaboration. A top-down approach to security ensures both teams are incentivized to work toward the same goals.
• Dedicated Cybersecurity Liaison: Appoint someone to bridge gaps between IT and OT, ensuring smooth communication and synergy between both disciplines.

Securitydive.in: A secure, safe, and trusted OT environment is required to build a strong awareness culture where people play a major role to enable cyber resilience. What are your suggestions?

People are the weakest link but also the strongest defense in cybersecurity. My suggestions for building a strong awareness culture include:

• Continuous Training and Awareness Programs: Implement frequent, role-based training that includes phishing simulations, best practices for OT security, and incident response exercises.
• Culture of Security Ownership: Encourage employees to take ownership of security by providing feedback channels and empowering them to report suspicious activity.
• Gamification and Rewards: Make learning interactive and incentivize employees to participate in security drills and exercises.
• Regular Communication: Ensure frequent security updates and information sharing through newsletters, workshops, and town halls. Communication should come from leadership to reinforce the importance of cyber resilience.

Securitydive.in: Any case you would take to reflect as a case study on OT as an example?

A recent and notable case study in Operational Technology (OT) security is the ransomware attack on Colonial Pipeline in May 2021. This incident revealed significant vulnerabilities in OT environments and underscored the need for robust cybersecurity practices in critical infrastructure.

Case Study: Colonial Pipeline Ransomware Attack

Background:

Colonial Pipeline, one of the largest fuel pipeline operators in the United States, experienced a ransomware attack that primarily targeted its IT systems.

In response, Colonial Pipeline proactively shut down its OT systems to prevent potential spillover into its critical infrastructure. The attack led to widespread fuel shortages and economic disruption across the U.S. East Coast, affecting millions of people and businesses.

Incident Overview:

The ransomware group DarkSide exploited vulnerabilities in the IT environment, reportedly through a compromised password. Once inside the IT network, the attackers had access to critical systems. Though the OT systems were not directly targeted, the company shut down its entire pipeline operations as a precautionary measure to prevent further damage. This highlighted the deep interconnection between IT and OT environments, where an attack on one system can lead to cascading impacts across both.

Key Lessons Learned :

1. IT-OT Convergence Risks: This incident highlighted the increasing convergence of IT and OT environments, which broadens the attack surface. As IT and OT systems become more interconnected, vulnerabilities in one domain can have severe consequences in the other, making critical infrastructure more susceptible to cyberattacks.
2. Segmentation & Access Control: One of the primary issues in the attack was the need for robust network segmentation. Segmentation and stringent access controls between IT and OT environments would have limited the scope of the attack and minimized the risk to critical operational systems.
3. Incident Response & Disaster Recovery: The decision to shut down OT operations demonstrated the need for well-defined incident response and disaster recovery plans that include both IT and OT systems. Comprehensive plans can reduce operational impacts and ensure a quicker recovery following a cyberattack.
4. Supply Chain and Economic Impact: The attack’s impact on the fuel supply chain demonstrated the broader economic risks associated with OT vulnerabilities. The disruption affected millions of consumers and businesses, illustrating the national and even global implications of OT security failures.
5. Need for Proactive OT Security: The Colonial Pipeline attack reinforced the need for proactive security measures, such as network segmentation, multi-factor authentication, regular system patching, and advanced threat monitoring. These measures are crucial for preventing, detecting, and responding to cyber threats in OT environments.

Solutions Implemented Post-Attack:

• Enhanced Network Segmentation: Colonial Pipeline invested heavily in improving network segmentation to separate IT and OT systems, reducing the likelihood of future spillover attacks.
• Zero Trust Architecture: The company adopted a zero-trust model, ensuring that every device, user, and system is continuously authenticated and verified.
• Improved Incident Response: Colonial Pipeline strengthened its incident response capabilities by implementing more robust disaster recovery procedures and increasing collaboration with federal agencies to ensure rapid response to future threats.
• OT Monitoring and Threat Detection: Post-attack, the company enhanced its monitoring of OT systems to detect any unusual activity early, ensuring rapid mitigation.

The Colonial Pipeline ransomware attack is a critical reminder of the importance of cybersecurity in OT environments. It not only disrupted operations but also had widespread economic and societal consequences.

Securitydive.in: There are many benefits of using an inside-out approach for OT security. Can you suggest a few?

An inside-out approach to OT security focuses on securing critical assets from the core of the operational environment outward rather than starting with perimeter defenses. This method provides several benefits for securing OT environments:

1. Protection of Critical Assets First:

• The inside-out approach prioritizes securing the most critical OT systems and assets, ensuring that key operational components, such as industrial controllers and machinery, are protected against attacks. This ensures that the core of your operations remains resilient even in the event of a breach.

2. Improved Visibility and Monitoring:

• By focusing on internal assets, organizations gain better visibility into their OT networks. This allows for more accurate detection of anomalous behavior, unauthorized access, or potential threats originating from within the network, leading to faster response times.

3. Reduced Attack Surface:

• Inside-out security minimizes the overall attack surface by hardening internal systems, implementing strict access controls, and limiting network exposure. This makes it more difficult for attackers to move laterally or reach critical OT systems after breaching the perimeter.

4. Stronger Segmentation and Access Control:

• By segmenting internal OT networks and enforcing strict access control policies, this approach ensures that only authorized personnel and devices have access to sensitive areas of the network, reducing the likelihood of insider threats or accidental misconfigurations that could lead to vulnerabilities.

5. Resilience Against Insider Threats:

• Since the inside-out approach heavily emphasizes monitoring internal behavior, it helps mitigate insider threats, such as disgruntled employees or contractors with access to OT systems. The internal focus ensures that any malicious activity originating from within the organization is more likely to be detected.

6. Alignment with Zero Trust Principles:

• The inside-out approach is naturally aligned with Zero Trust security, which emphasizes verifying every user and device, regardless of its position inside or outside the network. This approach strengthens OT security by enforcing strict authentication and authorization throughout the operational environment.

7. Focus on Business Continuity:

• By concentrating on the internal components that directly impact operations, the inside-out approach enhances business continuity. It ensures that essential systems are shielded from threats, allowing for continued operation, even in the face of attacks on less critical or peripheral network parts.

This method is highly effective in environments like OT, where safeguarding the integrity and availability of core systems is essential to operational success.

Securitydive.in: Keeping up with the evolving nature of cyberattacks, what steps should industrial (OT/ICS) sectors take?

To keep up with the evolving nature of cyberattacks, industrial sectors, particularly those with OT (Operational Technology) and ICS (Industrial Control Systems), must adopt a proactive and multi-layered approach to cybersecurity. Here are some essential steps:

1. Adopt a Zero Trust Architecture:

• Implement a zero-trust security model, which assumes that no device, user, or system is trusted by default. This requires continuous verification, strict access controls, and segmentation to minimize the risk of unauthorized access, both from internal and external threats.

2. Segment IT and OT Networks:

• Ensure clear network segmentation between IT and OT environments. This limits the risk of lateral movement by attackers from the IT side into OT systems, reducing the potential damage from malware, ransomware, or targeted attacks.

3. Continuous Monitoring and Threat Detection:

• Utilize advanced monitoring tools such as SIEM (Security Information and Event Management) and OT-specific threat detection systems to continuously monitor for anomalous behavior or suspicious activity across OT networks. Implement real-time alerting for early detection of cyberattacks.

4. Regular Patching and Vulnerability Management:

• Keep OT systems updated with regular patching and security updates. While many OT devices may be difficult to update due to operational constraints, a robust vulnerability management program is essential to identify and mitigate vulnerabilities as they emerge.

5. Implement Multi-Factor Authentication (MFA):

• Enforce multi-factor authentication for all access points, especially for critical OT systems and remote access connections. This adds an additional layer of security by requiring multiple forms of verification before access is granted.

6. Develop and Test Incident Response Plans:

• Create and regularly test incident response plans tailored to OT environments. This should include specific actions for responding to cyberattacks, minimizing downtime, and restoring operations. Periodic tabletop exercises can help improve preparedness and identify weaknesses in the response strategy.

7. Collaborate with Industry and Government:

• Collaborate with industry peers, government agencies, and cybersecurity organizations to stay informed of the latest threats, vulnerabilities, and best practices. Shared intelligence and threat-sharing programs can help industries prepare for and mitigate attacks before they occur.

8. Employee Training and Awareness Programs:

• Conduct regular cybersecurity training and awareness programs for all employees, including engineers, operators, and contractors. OT staff should be aware of phishing, social engineering, and the importance of following security policies and protocols.

9. Use Advanced Threat Intelligence:

• Leverage OT-specific threat intelligence to gain insights into the latest attack methods targeting industrial sectors. This intelligence can help organizations identify emerging threats and take preventive measures before they reach critical systems.

10. Secure Remote Access:

• With the increasing need for remote access to OT systems, ensure it is secure and well-managed. Use technologies like ZTNA with solid encryption and enforce multi-factor authentication for remote access. Regularly audit remote connections to ensure compliance with security policies.

11. Backup Critical OT Data and Systems:

• Regularly backup OT data and configurations, ensuring that backups are stored securely and are not susceptible to cyberattacks. In case of a ransomware attack or system compromise, backups enable faster recovery of essential systems.

12. Risk Assessments and Audits:

• Conduct regular risk assessments and audits of OT systems to identify potential vulnerabilities, non-compliance with security standards, and areas for improvement. Audits can help ensure security policies are followed and highlight areas where additional safeguards are needed.

13. Adopt with Global Industry Standards:

• Ensure alignment with recognized cybersecurity frameworks and standards specific to OT environments, such as ISA/IEC 62443, NIST 800-82, and other regulatory guidelines. Compliance with these standards helps ensure that security measures are comprehensive and up-to-date.

By taking these steps, industrial sectors can significantly enhance their cybersecurity posture, making it more difficult for attackers to exploit vulnerabilities and ensuring greater resilience in the face of evolving threats.

Securitydive.in: Protecting OT systems from cyber threats is paramount to maintaining the reliability, safety, and integrity of critical industrial processes. How to limit potential impact?

Protecting OT systems from cyber threats is essential for ensuring the reliability, safety, and integrity of critical industrial processes. To limit the potential impact of cyberattacks on OT environments, organizations should implement a combination of best practices and advanced security measures. Here are several key strategies:

1. Network Segmentation

• Segregate OT systems from IT networks by creating separate zones or layers for each environment. This reduces the risk of a cyberattack spreading from IT to OT or vice versa. Proper segmentation ensures that if one network is compromised, the other remains secure.

2. Implement Strong Access Controls

• Use role-based access control (RBAC) and least privilege principles to limit access to critical OT systems. Only authorized personnel should be allowed access, and their permissions should be restricted to the specific functions necessary for their roles. Multi-factor authentication (MFA) adds an extra layer of protection.

3. Continuous Monitoring and Detection

• Deploy OT-specific monitoring and threat detection tools to identify anomalies, unauthorized access, or malicious activity in real-time. Solutions like intrusion detection systems (IDS) for OT environments provide early warnings of potential threats, allowing for a faster response.

4. Patch and Update Regularly

• Keep OT systems updated with the latest security patches and firmware. Although OT environments often require strict uptime, maintaining up-to-date software is crucial for addressing known vulnerabilities that cyber attackers could exploit.

5. Apply Zero Trust Security

• Implement Zero Trust principles across OT systems. This approach assumes that every device or user, inside or outside the network, could be compromised. It requires continuous verification of identities and strict access control to limit unauthorized access to sensitive areas.

6. Use Secure Remote Access

• If remote access to OT systems is required, ensure it is secure and well-managed. Using the ZTNA principle for Secure Remote access with solid encryption and enforcing multi-factor authentication for remote access. Regularly audit remote connections to ensure compliance with security policies.

7. Backup Critical Systems and Data

• Regularly back up OT system configurations and data to secure locations. In case of a ransomware attack or system failure, having these backups can ensure faster recovery and prevent significant downtime or data loss.

8. Conduct Regular Security Audits

• Perform regular security assessments and audits of OT systems to identify vulnerabilities and ensure compliance with security policies. These audits help detect weak points in the system and allow organizations to address them proactively.

9. Develop and Test Incident Response Plans

• Having a well-defined incident response plan for OT environments is essential for minimizing the impact of a cyberattack. Ensure the plan includes clear roles and responsibilities, communication protocols, and recovery steps. Regularly test the plan with tabletop exercises to improve preparedness.

10. Limit Third-Party Risk

• Third-party vendors often have access to OT systems for maintenance or monitoring purposes. Ensure that third-party access is tightly controlled and vendors adhere to strict security protocols. Regularly assess and audit third-party access to limit supply chain risks.

11. Educate and Train Staff

• Ensure all employees, especially those involved in OT operations, receive regular training on cybersecurity best practices, including how to recognize phishing attempts and social engineering attacks. Awareness and vigilance are key to preventing human errors leading to security breaches.

12. Implement Redundancy and Failover Systems

• Ensure that critical OT systems have redundancy and failover mechanisms in place. If a cyberattack affects one system, backups or secondary systems can take over, minimizing operational downtime and reducing the impact on industrial processes.