Many OT security professionals have busted the air-gap myth by asking how software or firmware updates, schedules, recipes, anti-virus signatures, or applications are brought into the OT environment. They are often brought in through the approved OT electronic security perimeter or through Shadow OT.
Many asset owners also walk these files into OT on USB drives, DVDs, and laptop computers. Removable media and portable computing can bypass and defeat even a robust OT electronic security perimeter.
There are multiple approaches to achieving this week's task. Remember that you are not trying to solve the problem, and this is not the time for judgment. Most removable media and portable computing use in OT is not nefarious, even if it is not secure. This week, identify the current state.
Ask and answer the following questions:
- Are there policies or procedures covering removable media and portable computing use in OT? If yes:
  - Gather these documents.
  - Evaluate through interview and inspection whether they are being followed.
- Interview the appropriate team members on how the following scenarios are handled:
  - A security patch for a computer in OT is needed. How is it brought in? Ask about both Microsoft patches and ICS application patches.
  - A firmware update for a PLC or controller is needed. How is it brought into OT?
  - A firmware update for a switch is needed. How is it brought in?
- Are USB drives used in OT only connected to OT?
- Do your technicians or engineers have laptops or tablets that connect to an OT network or device? If yes, are they used on other networks such as IT or the Internet? How are these portable computers updated? How do they get the application tools and information they need to do the job?
- Are vendors allowed to bring in and connect their laptops to an OT network or device for authorized projects and services?
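The "inspection" half of the task can be backed with evidence from the hosts themselves. The script below is an added example, not part of the original post: it lists every USB mass-storage device a Windows OT host has enumerated (recorded under the USBSTOR key) so the assessor can compare what the registry shows against what interviews say. The CSV file name is an assumption chosen for this example.

```powershell
# Added inventory script (not from the original post): enumerate USB storage
# devices Windows has recorded on this host via the USBSTOR enumeration key.
# Read-only; run as local administrator on each OT Windows host being assessed.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

if (-not (Test-Path $usbstor)) {
    Write-Output "No USBSTOR key on $env:COMPUTERNAME: no USB mass-storage device has been enumerated"
    return
}

$devices = foreach ($class in Get-ChildItem $usbstor) {
    # Class key name looks like Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
    foreach ($inst in Get-ChildItem $class.PSPath) {
        $props = Get-ItemProperty $inst.PSPath
        [PSCustomObject]@{
            Host         = $env:COMPUTERNAME
            DeviceClass  = $class.PSChildName
            SerialOrId   = $inst.PSChildName   # device serial when it reports one, else a Windows-generated ID
            FriendlyName = $props.FriendlyName
        }
    }
}

# Show the inventory and keep a copy for the assessment record (file name is an assumption)
$devices | Sort-Object DeviceClass, SerialOrId | Format-Table -AutoSize
$devices | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-usbstor.csv"
```

The key records devices that have been connected at some point, not only currently attached ones, and it can be cleaned, so an empty result supports but does not prove the "USB is never used here" answer from interviews.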