NIST Updates Network Security Obligations

The last two decades have emphasized information security to protect data. This priority remains important.

But the change in administration and the Continental Pipeline incident have shifted the focus to operational technology and functional resilience. Data protection is important, but ensuring that the business continues to operate is vital.

What is Operational Technology? While information technology covers your email, relational databases, documents, and other data applications, operational technology performs the non-data related functions. Some companies don’t have a lot of non-data related functions. Banks and insurance companies, for example, are almost entirely data-driven – their products and services are all easily expressed in ones and zeros. But heavy industry is different. Manufacturing facilities, railroads, pipelines, oil fields, chemical processors are all operations that can be improved through the application of technology. But this technology makes the use of machines and physical tools more effective and efficient.

According to the NIST glossary, operational technology describes “programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause direct change through the monitoring and/or control of devices, processes and events. Examples include industrial control systems, building management systems, fire fighting systems, and physical access control mechanisms. Most businesses operate these systems, but for some, the systems are core to their business.

The government is emphasizing the protection of these systems with new sets of requirements and standards. In these discussions, data is not the central element. The watchword of operational technology is resilience. A business must be able to protect these systems from attack, isolate them from the most exposed information networks, and be prepared to replace or reactivate them if something goes wrong.

The watchword of operational technology is resilience.

Recent government actions relate to the protection of critical infrastructure, which can be data-based, such as the health and financial sectors, or operational technologies, such as the energy, transport and technology industries. manufacturing. The Department of Homeland Security released new pipeline security requirements this summer. The National Institute of Technology Standards has updated its extensive set of standards and recommendations for operational security, addressing manufacturing, energy and transportation protections. The Executive Order on Cybersecurity pushes federal agencies to demand operational protection and resiliency, and to come up with standards to help that cause.

One of the most obvious ways to protect operational systems is to “isolate” them from the rest of the business systems. In other words, we know that hackers and ransomware actors can use the complexities and vulnerabilities of data networks to gain access to corporate systems. When these information systems are directly connected to operational systems, then an attack on the former can lead to an infiltration of the latter. It is important to build firewalls between systems.

But, in today’s data-driven enterprises, firewalls can be porous as enterprise-wide management systems and newly connected IoT devices send back an ever-increasing amount of operational data. to management for analysis and assistance. Every company that harnesses the power of its own operational data runs the risk of giving hackers access to those same channels. If you can access the machine, then a bad guy may be able to access the machine just by impersonating you. For this reason, every connectivity and sharing decision regarding operational systems must also consider whether an intruder into the data systems can access the operational systems.

Every company that harnesses the power of its own operational data runs the risk of giving hackers access to those same channels.

Even if supporting technology is properly isolated and hackers cannot access other business systems, simple security procedures should be in place. There is no network security without physical security – physical access to any machine creates opportunities for hacking. So while network security can keep hackers from being halfway around the world, physical security can thwart local saboteurs and hackers.

But your own operators need access to the data on those machines and the operational management technology that controls it, and your business needs to minimize the risks in this process. For example, most companies with strong security systems keep machines available on-site to perform checks on USB drives that operators use to interact with company systems. Insert the USB key, run diagnostics to confirm that it does not contain malware or open unwanted communication channels, and save the results before the key can be inserted into the company’s operational systems . For minimal cost in time and money, a major risk is mitigated.

When it comes to risk management, nothing beats personal responsibility. A single person in your organization should be responsible for protecting operational systems and should report to at least senior management, and probably the board, at least annually on progress in securing this critical asset. of the company.

And nothing supports personal accountability like a budget. The assigned operational security owner must also propose a budget and receive corporate funds to achieve corporate security goals. Assigning someone to manage the issue without funding priorities can be used by litigation adversaries or regulators to show that a company isn’t taking the issue seriously. Additional security is always difficult to defend with the company’s CFO, but a company’s budget is an indicator of its priorities. Adequate funding for resilient operations will always be important.

Many other operational safeguards are specific to the types of machines and the risks they address. Protecting a factory will always be different from fighting a fire in an office complex or protecting pipelines. Complexity cannot be an obstacle to the prioritization of protections. We’ve been talking about the importance of data security for two decades. It’s time to shine a spotlight on the equally important task of maintaining resilient operations supported by technology.

Copyright © 2022 Womble Bond Dickinson (US) LLP All rights reserved.National Law Review, Volume XI, Number 264

Kevin M. Risinger