In a perfect world, all removable media and portable computers connected to OT would be dedicated to OT. They would only be connected and used on OT. Never on IT or any other network.
One way to achieve this is to deploy data transfer servers in an OT DMZ that can pass files that would otherwise be brought into OT with removable media. With this in place, any use of USB drives from outside of OT is typically for convenience.
Let’s be honest. Most of us have done this or at least been asked to do this. “I need an update to xyz PLC or abc historian. Oh, I have that on my laptop. Can you put it on a USB for me?” It’s so easy. The first step is to be clear in your policies, procedures, and security awareness programs that this is not allowed.
New and reformatted removable media devices are brought into OT; they are tested, approved, labeled, and registered as your policy requires, and from then on used only in OT. Are your policies and procedures clear on this? Review them and begin to process updates as required.
Note: If you are going to allow non-OT-dedicated removable media to connect to the OT environment, then make sure the policy is clear on the testing and approval required prior to connection.
Portable computers are a more difficult issue. Review your policies and procedures around at least the following three cases:
- OT Technician or Engineer Laptops – Like removable media, these should be dedicated to OT and not connected to any other network. Operators in control centers are provided with a computer for email and web access that is on the IT network, so they don’t use the HMI for these purposes. Technicians and Engineers should have another laptop or desktop for all their needs outside of OT. The one exception that is common, but not recommended, is a periodic connection of an OT laptop to the IT network to get security updates and to be scanned.
- IT Support Staff Laptops – Does your IT department manage the OT network infrastructure, such as switches, routers, or virtual infrastructure? How do they get access to do this? Do they come in remotely with administrative access or do they bring their IT laptop full of tools into the OT environment? Both introduce risks. How does your policy address this access? Is the associated risk acceptable or does it need to change?
- Support Vendor Laptops – This is the hardest scenario. Your system is down. You call the vendor to come in and fix it. They bring their laptop loaded with open-source, public, and proprietary tools. Do you let them connect to OT? What testing do you put the laptop through prior to allowing them to connect? Unlike USB drives, there is no easy solution to this. In the US, many electric utilities keep laptops loaded with a mutually agreed upon set of tools that the support vendor must use, rather than their own. This is neither easy to maintain nor easy to get vendor concurrence on. Review what your policy and procedures require. Are they achievable? Are they properly addressing the risk?
At the end of this week, you should have a new or revised draft removable media and portable computing policy. Enter your notes below.