NIST Updates Network Security Obligations – The National Law Review


The past two decades have produced intense focus on information security to protect data. This priority remains important.
But the change in administrations and the Continental Pipeline incident have redirected attention to operational technology and functional resiliency. Protecting data is important, but making sure the company continues operating is vital.
What is operational technology? If information technology covers your email, relational databases, documents and other data applications, operational tech runs the non-data functions. Some companies don’t have many non-data functions. Banks and insurance companies, for example, are nearly entirely data driven – their products and services are all easily expressed in ones and zeros. But heavy industry is different. Manufacturing facilities, railroads, pipelines, oilfields, chemical processors are all operations that can be improved through application of technology. This tech makes operating physical machines and tools more efficient and effective.
According to the NIST glossary operational technology describes “programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.” Most businesses run these systems, but for some the systems are the core of their business.
The government is emphasizing protection of these systems with new sets of requirements and standards. In these discussions, data is not the central feature. The watchword for operational technology is resiliency. A company needs to be able to protect these systems from attack, to isolate them from the more-exposed information networks, and to be prepared to replace or revive them when trouble arises.
Recent government actions address protection of critical infrastructure, which could be data based, like the health care and financial industries, or operational tech based, like the energy, transportation and manufacturing industries. The Department of Homeland Security this summer issued new pipeline security requirements. The National Institute of Standards and Technology updated its extensive set of standards and recommendations for operational security, addressing manufacturing, energy and transportation protections. The President’s executive order on cybersecurity pushes federal agencies to require operational protection and resiliency, and to propose standards to help this cause.
One of the most obvious ways to protect operational systems is to “air-gap” them from the rest of the company systems. In other words, we know that hackers and ransomware actors can use the complexities and vulnerabilities of data networks to access company systems. When these information systems are connected directly to the operational systems, then an attack on the former can lead to infiltration of the latter. Building firebreaks between the systems is important.
But, in today’s data-driven enterprises, firewalls can be porous because enterprise-wide management systems and newly-connected IoT devices spill an ever-increasing supply of operational data back to management for analytics and support. Every business harnessing the power of its own operational data is running the risk of allowing hackers into those very channels. If you can access the machine, then a bad guy may be able to access the machine just by impersonating you. For this reason, every connectivity and sharing decision concerning operational systems must also consider whether an intruder into the data systems can access the operational systems.
Even if the functional technology is correctly air-gapped, and hackers can’t reach in through the other company systems, simple security procedures need to be in place. There is no network security without physical security – physical access to any machine creates opportunities for hijacking. So while network security can keep out the hackers from half-way around the world, physical security can foil saboteurs and local hackers.
But your own operators need to access the data from these machines and the operational management technology that controls them, and your company should minimize the risks involved with this process. For example, most companies with strong security systems keep machines available onsite to run checks on thumb drives that operators use to interact with company systems. Insert the thumb drive, run diagnostics to confirm that it does not contain malware or open unwanted communications channels, and log the results before the drive may be inserted into the company’s operational systems. For minimal cost in time and money, a major risk is mitigated.
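One way to build the onsite thumb-drive check station described above, as an added example that is not code from the article: it walks a mounted drive, hashes every file, flags autorun files, executables, scripts, hidden files and blocklisted hashes, and appends an auditable JSON log line with an ALLOW or DENY verdict. The mount path, the file-type list and the hash blocklist are assumptions (the blocklist is a constructed placeholder), and the script complements rather than replaces an antivirus engine on the station.

```python
import hashlib, json, time
from pathlib import Path

# Constructed blocklist of SHA-256 digests for this example (placeholder, not a real indicator).
KNOWN_BAD_SHA256 = {"0" * 64}
# File types that have no business riding into an OT network on a thumb drive (assumed policy).
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk"}
AUTORUN_NAMES = {"autorun.inf"}

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(name: str, digest: str, blocklist=KNOWN_BAD_SHA256) -> list:
    """Return the reasons a file should block the drive; an empty list means it passed."""
    reasons = []
    lower = name.lower()
    if lower in AUTORUN_NAMES:
        reasons.append("autorun file")
    if Path(lower).suffix in RISKY_SUFFIXES:
        reasons.append("executable or script")
    if lower.startswith("."):
        reasons.append("hidden file")
    if digest in blocklist:
        reasons.append("matches blocklisted hash")
    return reasons

def check_drive(mount: str, blocklist=KNOWN_BAD_SHA256) -> dict:
    """Walk the mounted drive and produce an ALLOW/DENY verdict with per-file findings."""
    findings = []
    for p in sorted(Path(mount).rglob("*")):
        if p.is_file():
            digest = sha256_of(p)
            findings.append({"file": str(p.relative_to(mount)), "sha256": digest,
                             "reasons": classify(p.name, digest, blocklist)})
    verdict = "DENY" if any(f["reasons"] for f in findings) else "ALLOW"
    return {"mount": mount, "verdict": verdict, "files": findings}

def log_result(result: dict, logfile: str) -> str:
    """Append one JSON line per scan so the check is auditable; returns the line written."""
    entry = dict(result, checked_at=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    line = json.dumps(entry, sort_keys=True)
    with open(logfile, "a", encoding="utf-8") as f:
        f.write(line + "\n")
    return line
```

Run it as `log_result(check_drive("/media/usb0"), "media-checks.log")` on the station; only drives whose logged verdict is ALLOW proceed to the operational network.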
For risk management, nothing beats personal accountability. A single person within your organization should be assigned responsibility for protecting the operational systems and should report at least to senior management, and probably to the board of directors, no less than each year, on the progress of securing this critical company asset.
And nothing supports personal accountability like a budget. The assigned operational security owner should also propose a budget and receive company funds to meet the company’s security goals. Assigning a person to manage the problem without funding the priorities can be used by adversaries in litigation or by regulators to show a company is not taking the problem seriously. Additional security is always difficult to advocate for with the company CFO, but a company’s budget is a proxy for its priorities. Adequately funding resilient operations will always be important.
Many more operational protections are specific to the kinds of machines and risks they address. Protecting a factory will always be different from fire-control in an office complex or protecting pipelines. The complexity cannot be an impediment to prioritizing protections. We have talked for two decades about the importance of data security. It is time to shine the spotlight on the equally important task of maintaining resilient technology-supported operations.
About this Author
Chris has more than 20 years of experience guiding Silicon Valley and global tech and life sciences clients in high-stakes patent and intellectual property litigation. He has substantial lead counsel experience and has led both large and small trial teams. He has also served as lead counsel on appeals before the Ninth and Federal Circuits. Chris is an accomplished scholar, with significant teaching and academic experience.
His clients include companies in the software, telecom, microelectronics and pharmaceutical/biotech/life sciences sectors.
Chris holds a doctorate in law…