Digitalisation, including cybersecurity
Maintaining operational cybersecurity
Maintaining operations technology (OT) cybersecurity requires a multi-layered approach. Three important aspects are:
- Protect the assets – implement a suite of cybersecurity controls within the OT system to protect from unauthorised access and activities
- Manage the asset lifecycle – use procedural controls to maintain security as the OT system is operated and upgraded
- Respond to cybersecurity incidents – maintain technical and operational plans to effectively respond if there is a cybersecurity breach in an organisation
This document covers secure asset lifecycle management. There are many aspects to this, which organisations should be familiar with and, based on the risk profile of their OT, may consider including as part of their safety management system.
Development Security Operations (DevSecOps)
DevSecOps is analogous to inherently safe process design. It is the integration of cybersecurity into the initial design of software, networks, and OT systems to reduce the risk of security incidents occurring in the production environment. This approach treats security as a shared responsibility and is becoming increasingly important as organisations seek to secure their industrial control systems and other OT assets. Continuous security testing is integrated into the development and deployment process so that security vulnerabilities are detected and addressed early in the development process.
Asset monitoring
It is important to continually monitor OT systems for indications of compromise. First, audit trails of system and user activities must be collated from across the OT assets. The diverse range of technologies and protocols in OT means this is not straightforward. A Security Information and Event Management (SIEM) system is typically used. This collects and analyses data from various sources, including network devices, servers, and security tools, to identify suspicious activities. It uses real-time monitoring and advanced analytics to identify anomalous activity, prioritise security events, and provide a centralised view of the asset network. The SIEM may be focussed solely on OT assets, or look for threats spanning both IT and OT layers.
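As an added illustration of the kind of correlation a SIEM performs over collated OT audit trails (example code written for this page, not part of the original document or any product), the block below parses constructed syslog-style lines and raises two kinds of alert: a controller write command from a source host that is not on the engineering-workstation allow-list, and repeated failed logins on one OT host inside a short sliding window. The log format, host names, addresses, allow-list and thresholds are all assumptions made for the example.

```python
"""Added example: minimal SIEM-style correlation over constructed OT audit-trail lines.
Every host name, IP address, log line and threshold here is constructed for illustration
and does not reflect any real product's log format."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed audit trail: "<timestamp> <host> <event> key=value ..." (assumed format).
SAMPLE_LOGS = """\
2024-03-01T08:00:01 hmi-01 auth user=operator result=success src=10.10.1.20
2024-03-01T08:05:10 plc-07 modbus fc=write_single_register addr=40001 src=10.10.1.20
2024-03-01T08:06:02 plc-07 modbus fc=write_single_register addr=40002 src=10.10.9.77
2024-03-01T08:10:00 hmi-02 auth user=admin result=failure src=10.10.9.77
2024-03-01T08:10:15 hmi-02 auth user=admin result=failure src=10.10.9.77
2024-03-01T08:10:40 hmi-02 auth user=admin result=failure src=10.10.9.77
2024-03-01T08:30:00 plc-07 modbus fc=read_holding_registers addr=40001 src=10.10.9.77
"""

# Assumed: only these hosts (engineering workstations) may issue writes to controllers.
WRITE_ALLOWLIST = {"10.10.1.20"}
FAILED_LOGIN_THRESHOLD = 3            # failures on one host from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=2)  # ... inside this sliding window

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def detect(log_text):
    """Return a list of (rule, host, source, timestamp) alerts found in the audit trail."""
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps of recent failed logins
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Rule 1: a write function code sent to a controller from an unexpected host.
        if ev["event"] == "modbus" and ev.get("fc", "").startswith("write") \
                and ev.get("src") not in WRITE_ALLOWLIST:
            alerts.append(("unauthorised_write", ev["host"], ev["src"], ev["ts"]))
        # Rule 2: repeated failed logins on one host from one source within the window.
        if ev["event"] == "auth" and ev.get("result") == "failure":
            key = (ev["host"], ev["src"])
            failures[key].append(ev["ts"])
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(failures[key]) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("brute_force", ev["host"], ev["src"], ev["ts"]))
                failures[key].clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The read command from the unlisted host at the end of the sample does not fire the first rule: the rule deliberately distinguishes read from write function codes, because in a real OT estate reads from monitoring systems are routine while writes from outside the engineering allow-list are the higher-priority signal. Real deployments would normalise many vendor-specific formats into a common schema before rules like these run.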
The Security Operations Centre (SOC) sits above the SIEM and uses it, together with other cyber system outputs, to monitor the security position of an organisation, detecting and responding to security incidents. It is staffed by IT security professionals and analysts who review and investigate security alerts generated by the SIEM and other security tools. SOC analysts use their expertise to triage, investigate, and respond to security incidents in real time. The SOC is a key part of an organisation’s cyber incident response plan. Large organisations may have in-house SOCs, whereas smaller companies may leverage the advanced expertise, scalability and low cost of entry of external SOC service providers.
SOAR (Security Orchestration, Automation, and Response) is a platform that helps automate and orchestrate security operations tasks, such as incident response. It integrates with the SIEM and other security tools to help automate the process of triaging, investigating, and responding to security incidents. SOAR can reduce the time to respond to incidents and improve the accuracy of incident response by automating routine tasks and providing a centralised platform for collaboration. The use of automated responses needs to be carefully managed in OT systems: the list of actions the platform may take without human approval should be tightly controlled so that production stability and safety are not accidentally compromised.
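To show how the allow-list of automated responses can be enforced in practice, the following is an added example (not code from the original document or from any SOAR product) of a playbook runner that executes a response step automatically only if that step is on the allow-list for the alert's zone, and otherwise queues it for an operator's approval. The zone names, action names, playbooks and alert rules are assumptions constructed for the example; the rule names match the alerts the monitoring example above would raise.

```python
"""Added example: SOAR-style playbook execution gated by a per-zone allow-list.
Zone names, actions, playbooks and alerts are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    rule: str
    host: str
    zone: str  # assumed zone labels: "it" or "ot_process"


# Assumed allow-lists. In the OT process zone only non-intrusive actions run without a
# human in the loop; anything that could interrupt control traffic waits for approval.
AUTO_ALLOWED = {
    "it": {"notify_soc", "create_ticket", "capture_pcap", "isolate_host", "disable_account"},
    "ot_process": {"notify_soc", "create_ticket", "capture_pcap"},
}

# Assumed playbooks: the ordered response steps each alert rule asks for.
PLAYBOOKS = {
    "brute_force": ["notify_soc", "create_ticket", "disable_account"],
    "unauthorised_write": ["notify_soc", "capture_pcap", "isolate_host"],
}


@dataclass
class RunResult:
    executed: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)


def run_playbook(alert, executor):
    """Run the alert's playbook; `executor(action, host)` performs one allowed step.

    Steps not allow-listed for the alert's zone are recorded for human approval instead.
    An unknown zone is treated as fully manual, so nothing is automated by accident."""
    result = RunResult()
    allowed = AUTO_ALLOWED.get(alert.zone, set())
    for action in PLAYBOOKS.get(alert.rule, []):
        if action in allowed:
            executor(action, alert.host)
            result.executed.append(action)
        else:
            result.pending_approval.append(action)
    return result


def print_executor(action, host):
    """Placeholder executor that only logs; a real one would call the tool integrations."""
    print(f"[auto] {action} on {host}")


if __name__ == "__main__":
    outcome = run_playbook(Alert("unauthorised_write", "plc-07", "ot_process"), print_executor)
    print("awaiting approval:", outcome.pending_approval)
```

The important design choice is the default: a zone that is missing from the allow-list gets an empty set, so a mislabelled or newly added asset falls back to fully manual response rather than to the IT zone's more aggressive actions.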
Managing legacy assets
Plant automation systems may have an operational lifespan of more than 30 years. Over this period, it is likely that security vulnerabilities will be identified, especially in older systems that did not benefit from DevSecOps and inherently secure design. The number of known vulnerabilities in legacy assets is growing rapidly, as security researchers increasingly focus on examining OT systems. It is important that organisations work with their technology vendors so that they are informed of newly discovered vulnerabilities in their installed asset base and understand the potential mitigation options. Sometimes patches or upgrades may be available; however, deploying these can be challenging, as it may require shutting down critical systems or interrupting production processes. Patching should be carefully planned and executed to minimise disruption to operations, with contingencies and rollbacks available in case of unexpected asset behaviour during or after deployment. Compensatory measures should be considered where known vulnerabilities cannot be rectified within an acceptable time frame.
For some older systems or types of vulnerabilities there may never be a fix issued. In these cases, the organisation must determine a permanent set of security control measures to manage these ongoing vulnerabilities. This may include limiting connectivity to these devices or installing additional physical or procedural controls around their perimeter. Legacy assets are arguably one of the most challenging aspects of OT asset management. Over time, organisations will likely accumulate a long list of critical vulnerabilities that must be managed to ensure overall system security and reliability. Having ongoing business processes in place to effectively manage this situation is crucial.
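The ongoing business process described in the last two paragraphs, tracking which legacy-asset vulnerabilities are outside the acceptable remediation window, which have no fix coming and therefore need a permanent control set, and which are already covered by compensating controls, can be supported by a simple register. The block below is an added example written for this page, not part of the original document; the asset names, vulnerability identifiers, dates, severity levels and remediation windows are constructed placeholders that an organisation would replace with its own risk-based values.

```python
"""Added example: a legacy-asset vulnerability register with remediation-window checks.
Asset names, identifiers, dates and windows are constructed placeholders."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed acceptable time to fix by severity (an organisation sets these from its risk profile).
ACCEPTABLE_WINDOW = {
    "critical": timedelta(days=30),
    "high": timedelta(days=90),
    "medium": timedelta(days=180),
}


@dataclass
class VulnRecord:
    asset: str
    vuln_id: str                      # placeholder, e.g. a vendor advisory reference
    severity: str
    disclosed: date                   # when the vendor informed the organisation
    fix_available: bool
    patched: bool = False
    compensating_controls: tuple = ()  # e.g. ("isolated VLAN", "firewall allow-list")


def review(register, today):
    """Classify each unpatched record so the asset owner knows what action is outstanding."""
    findings = []
    for r in register:
        if r.patched:
            continue
        # Unknown severity gets a zero-day window, so it is flagged rather than silently ignored.
        window = ACCEPTABLE_WINDOW.get(r.severity, timedelta(0))
        overdue = today - r.disclosed > window
        if not r.fix_available:
            # No fix will ever arrive: permanent controls are the only remediation.
            status = "no_fix_controls_in_place" if r.compensating_controls else "no_fix_controls_missing"
        elif overdue and not r.compensating_controls:
            status = "overdue_uncompensated"     # highest priority: exposed and past the window
        elif overdue:
            status = "overdue_compensated"       # patch still owed, risk reduced meanwhile
        else:
            status = "within_window"
        findings.append((r.asset, r.vuln_id, status))
    return findings


def needs_escalation(findings):
    """Return the records that should go to management: exposed with no control in place."""
    return [f for f in findings if f[2] in {"overdue_uncompensated", "no_fix_controls_missing"}]


# Constructed sample register (identifiers are placeholders, not real advisories).
SAMPLE_REGISTER = [
    VulnRecord("plc-07", "ADVISORY-PLACEHOLDER-1", "critical", date(2024, 4, 1), fix_available=True),
    VulnRecord("rtu-02", "ADVISORY-PLACEHOLDER-2", "high", date(2024, 5, 1), fix_available=True),
    VulnRecord("hmi-01", "ADVISORY-PLACEHOLDER-3", "critical", date(2023, 1, 10), fix_available=False),
    VulnRecord("dcs-ctrl-a", "ADVISORY-PLACEHOLDER-4", "critical", date(2023, 6, 1), fix_available=False,
               compensating_controls=("isolated VLAN", "unidirectional gateway")),
    VulnRecord("eng-ws-03", "ADVISORY-PLACEHOLDER-5", "medium", date(2024, 1, 15), fix_available=True,
               patched=True),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_REGISTER, date(2024, 6, 1)):
        print(finding)
```

Run against the sample with a review date of 1 June 2024, the register separates the controller that is past its 30-day window with nothing in place (the item to escalate) from the one that has no fix coming but is already segmented, and drops the patched workstation from the list entirely.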