Ask These 5 Critical Questions

Securing operational technology (OT) environments is a multifaceted challenge that requires careful vendor selection. At RMC, we combine expertise in risk management and cybersecurity to help organizations navigate this crucial decision-making process. Here, we outline key considerations and practical advice for assessing OT vendors to ensure your critical infrastructure’s security and resilience.

1. Initiating Cybersecurity with Executive Leadership Involvement – Can your CISO join the call?

The first step in evaluating an OT vendor is to understand their commitment to cybersecurity at the executive level. Asking if their Chief Information Security Officer (CISO) can join the discussions highlights the importance you place on security and provides insights into the vendor’s organizational maturity. Even if the CISO can’t join the call, this question signals to the vendor that cybersecurity is a top priority for your organization.

Having a CISO or a high-level security expert in these discussions indicates that security considerations are embedded in the vendor’s operations and products. This executive-level involvement can reveal whether the vendor treats security as an integral part of their business strategy.

2. Ensuring Compliance with Industry Standards – When was your SAS 70 or SOC 2 completed?

A vendor’s adherence to recognized standards such as SAS 70 or SOC 2 is a strong indicator of their commitment to robust security practices as an organization. Meeting these standards affirms that the vendor has implemented necessary controls to manage and mitigate risks effectively. Compliance with such standards reflects a deeper commitment to maintaining security across all aspects of their operations.

By verifying these standards are met, you can ensure that the vendor has the governance, oversight, and budgetary commitments necessary to uphold cybersecurity best practices. This is particularly important for new or smaller vendors that may not have the same level of maturity in their processes.

3. Evaluating and Scrutinizing the QA Process – What kind of vulnerability scanner do you use in QA?

Understanding the vendor’s quality assurance (QA) process is crucial for ensuring that security is baked into their products from the ground up. Ask about the types of vulnerability scanners used during QA. This will give you a clear picture of how the vendor identifies and mitigates potential vulnerabilities before the product is deployed.

Vulnerability scanning in QA ensures that the product can withstand real-world threats and that any security flaws are addressed early in the development cycle. This proactive approach to security can save significant time and resources in the long run by preventing issues from reaching production environments.

4. Ensuring Comprehensive Support with Security Patches – Are security patches included with support and how long can we expect them to come out after a disclosure?

Verify that security patches are part of the vendor’s standard support package. Clarify the expected timelines for patch releases following a vulnerability disclosure. This ensures continuous protection and prevents scenarios where security becomes an optional add-on at an additional cost.

Regular and timely patching is key to maintaining a secure OT environment. Knowing that your vendor supports this process as part of their regular service can provide peace of mind and help maintain the integrity of your infrastructure.

5. Understanding and Assessing Patch management Procedures – How are we contacted if there is a security patch to apply?

Effective patch management is critical for maintaining security in OT environments. Inquire about the vendor’s process for handling security patches, including how and when they notify clients about available updates. A mature and transparent patch management process ensures that vulnerabilities are addressed promptly, reducing the risk of exploitation and downtime for your operations.

Understanding the patch management lifecycle can help you plan for maintenance windows and ensure that your systems remain secure without significant downtime. Additionally, a well-defined patch notification process can help avert unexpected interruptions and costs.

Integrating OT Management Tools and Addressing Security Challenges

Selecting the right vendors is just the beginning. It’s equally crucial to implement robust OT management tools and address ongoing security challenges to maintain a secure and resilient infrastructure, deploying strategic practices as part of this effort. Key activities to implement a robust OT management console include:

• Monitoring: Provides real-time visibility into system status, helping detect anomalies early.
• Asset Management: Tracks software versions and configurations accurately, aiding in effective vulnerability management.
• Patch Management: Automates the deployment of patches to keep systems secure and up-to-date.
• Remote Log Access: Centralizes log collection for thorough investigation and rapid incident response.

Strong OT management with these foundational activities in place builds a solid baseline security posture, making your OT systems resilient and responsive to potential threats. Pushing OT security to even higher levels requires additional considerations:

• Open the Risk Box: Regularly conceptualize, assess, and address potential risks to prevent unforeseen issues. Avoid the “Schrodinger’s cyber risk box” mentality, where unassessed risks are assumed to be nonexistent.
• Assume You Are a Target: Operate as if you are a target to ensure preparedness against collateral damage from broader or opportunistic attacks. Adopting this mindset helps build a security culture that reduces the likelihood of simple oversights due to a false sense of safety.
• Avoid POC Pitfalls: Clearly distinguish between proof-of-concept (POC) installations and full-scale deployments. Codify proper security measures to prevent temporary setups from becoming permanent vulnerabilities.

By combining a proactive approach to vendor selection with effective OT management practices, you can strengthen your organization’s cybersecurity posture and ensure the resilience of your critical infrastructure.

At RMC, we are dedicated to helping you navigate these complexities and secure your critical infrastructure effectively. By asking the right questions and leveraging effective management practices, you can significantly enhance your organization’s resilience against cyber threats.