Network segmentation. The convergence of OT and IT doesn’t have to mean that every device within an organization lives on one open network where, for instance, every smartphone or laptop can communicate directly with every oil pump or factory sensor. Instead, organizations should break up their networks into logical segments based on function and sensitivity.
Effective segmentation results in a more secure network architecture that helps limit the spread of malicious behavior. “Too often, SCADA system components are essentially left out in the open,” Serrano says. A properly segmented environment might have separate networks for host servers and switches, SCADA systems, operator workstations and controllers.
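An added example, not from the article: a small audit that maps flow records onto the segments named above and reports any traffic that crosses a segment boundary without an explicit allow rule. The subnets, the allow-list and the flow records are all constructed assumptions.

```python
import ipaddress

# Segment names follow the article; the subnets are assumed for illustration.
SEGMENTS = {
    "corporate_it": "10.10.0.0/16",
    "servers_switches": "10.20.1.0/24",
    "scada": "10.20.2.0/24",
    "operator_workstations": "10.20.3.0/24",
    "controllers": "10.20.4.0/24",
}
# Assumed policy: (source segment, destination segment, destination port).
ALLOWED = {
    ("operator_workstations", "scada", 443),
    ("scada", "controllers", 502),  # Modbus/TCP
    ("corporate_it", "servers_switches", 443),
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in SEGMENTS.items()}

def segment_of(ip):
    """Return the segment name an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return "unknown"

def audit(flows):
    """Return flows that cross a segment boundary without an allow rule."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d and s != "unknown":
            continue  # intra-segment traffic is not a boundary crossing
        if (s, d, port) not in ALLOWED:
            violations.append((src, s, dst, d, port))
    return violations

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.3.15", "10.20.2.10", 443),   # operator workstation -> SCADA
    ("10.20.2.10", "10.20.4.21", 502),   # SCADA -> controller
    ("10.10.5.77", "10.20.4.21", 502),   # corporate laptop -> controller
    ("10.20.4.21", "10.20.4.22", 502),   # controller -> controller
    ("192.168.1.9", "10.20.2.10", 443),  # unmapped source -> SCADA
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION %s (%s) -> %s (%s) port %d" % v)
```

Run against exported firewall or NetFlow records, a check like this shows whether the segment plan is actually enforced, including traffic from addresses that belong to no defined segment.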
Patching and updating. “Many SCADA networks are legacy systems that were designed to run for years on end, doing the same thing over and over again without being updated,” Serrano says. “But now that these assets are networked, it’s important for organizations to keep up with their patching.” Automated patching solutions can be especially effective, as they do not rely on (often overburdened) human workers to remember to set aside time to perform what is usually a routine, mundane task.
Employee training and awareness. González calls people the “biggest question mark” when it comes to IT security. Even if an organization never has to deal with a threat from a malicious insider, he says, untrained employees can make mistakes that open up significant security gaps.
“There’s still a lot of human involvement when it comes to cybersecurity in OT,” he says. “Let’s say that a person with access to an industrial control system clicks on a phishing email. All of a sudden, you have malware in your OT environment.” Rigorous training programs can teach employees to sniff out and report suspicious activity.