July: OT Cyber Maintenance

The term cyber hygiene has become popular in cyber security, both IT and OT cyber security. I’m not a fan of this term and have a podcast episode on why it’s not helpful. For OT, I prefer the term cyber maintenance.

The roles responsible for designing and maintaining physical systems and processes understand maintenance. There are different maintenance philosophies such as predictive maintenance, preventive maintenance, and condition based maintenance. 

For decades the most common OT cyber maintenance philosophy has been run to fail maintenance. Install the OT and ICS environment and don’t maintain it; don’t touch it, until it fails. Run to fail is an actual maintenance philosophy, and it’s something that makes most Technicians and Engineers cringe. They wouldn’t accept it for their physical systems, and they won’t knowingly accept it for their OT cyber systems.

“What is our cyber maintenance approach?” is a great question for OT Security to ask Operations to begin to establish common ground. The month includes tasks to begin your journey to create and implement an OT cyber maintenance program.

Week 27: Create Prioritized Security Patching Categories

Security patching can be a high resource task if you try to apply security patches to all your OT cyber assets on a frequent basis, such as monthly or quarterly. The risk reduction achieved through this large effort is typically minimal given the insecure by design...

read more

Week 29: Review OT User Accounts

Week 35 addressed user accounts for cyber assets at unmanned sites. This week you will perform a user account review on all OT systems as part of your OT cyber maintenance. Identify all OT applications, systems, and devices that have user accounts. These could be...

read more

Week 30: Review ICS Access Control

Access control is one area where ICS have had robust security controls for decades. These access controls can be customized down to the point or tag level, although this is rarely required. Remember our goal is to enforce least privilege. A user should only be able to...

read more