In this blog post, we delve into the advantages and considerations organizations should take into account when establishing a unified and global security operations center (SOC) for information technology (IT) and operational technology (OT). While our focus here is on the IT/OT convergence within the SOC, the concepts discussed can also be applied to environments such as hybrid and multi-cloud setups, as well as the Industrial Internet of Things (IIoT).
As organizations shift to remote work and increase their interconnectivity through the Internet of Things (IoT) and global edge devices, the scope of assets has significantly expanded. Traditionally, IT and OT SOCs operated separately, but there is a compelling case for their convergence. This approach offers better insights into business outcomes and enhances the ability to respond to unexpected activities. In the ten security golden rules for IIoT solutions, AWS suggests implementing security audit and monitoring mechanisms across OT and IIoT environments, collecting security logs, and analyzing them via security information and event management (SIEM) tools within a SOC. Historically, monitoring, detection, and response have been conducted separately for each environment. This post examines the benefits and potential trade-offs of merging these environments within the SOC. Organizations should carefully weigh the points raised here, but the advantages of a unified SOC far outweigh the drawbacks. Achieving visibility into the full threat landscape that spans IT and OT is crucial as daily operations become increasingly interconnected.
Traditional IT SOC
In a conventional setup, the SOC’s primary responsibility was to manage security monitoring, analysis, and incident management across the entire IT environment—whether on-premises or in hybrid architectures. This traditional model has proven effective over the years, providing the SOC with the necessary visibility to safeguard the IT landscape against evolving threats.
Note: Organizations should consider the specific security operations implications related to the cloud, as detailed in this blog post.
Traditional OT SOC
Historically, IT, OT, and cloud teams have operated on opposite sides of the air gap described by the Purdue model. That separation tends to produce isolated OT, IIoT, and cloud security monitoring solutions, leaving gaps in coverage and discarding context that could otherwise improve response. To fully leverage the benefits of IT/OT convergence, IIoT, IT, and OT teams must collaborate on a comprehensive defense. Convergence applies not only to newly connected devices but also to the integration of security and operations.
As organizations seek to harness industrial digital transformation for a competitive edge, they are increasingly utilizing IoT, cloud computing, and machine learning technologies. This expansion inevitably enlarges the threat surface that organizations must defend, necessitating a broad, integrated, and automated defense-in-depth security strategy delivered through a unified and global SOC.
Without comprehensive visibility and control over traffic entering and leaving OT networks, operations teams may lack the context needed to identify unexpected events. A compromised control system or connected assets like programmable logic controllers (PLCs) could jeopardize critical infrastructure and services or affect data integrity in IT systems. Even if the OT system is not directly impacted, secondary effects can lead to OT networks being shut down due to safety concerns.
A SOC enhances security and compliance by consolidating key security personnel and event data in one location. Establishing a SOC requires a considerable initial and ongoing investment in resources, processes, and technology. However, the value of an improved security posture significantly outweighs these costs.
In many OT organizations, operators and engineering teams may not prioritize security, sometimes leading to the establishment of an independent OT SOC. Many strategies and technologies developed for enterprise and IT SOCs can be directly applied to the OT sphere, such as security operations (SecOps) and standard operating procedures (SOPs). While there are OT-specific considerations, the SOC model serves as an excellent foundation for a converged IT/OT cybersecurity strategy. Moreover, technologies like SIEM can aid OT organizations in monitoring their environments more efficiently. By merging IT and OT security data into a SIEM, stakeholders can access the necessary information to address security tasks.
Benefits of a Unified SOC
A unified SOC presents numerous advantages for organizations. It grants extensive visibility across both IT and OT landscapes, facilitating coordinated threat detection, quicker incident response, and the immediate exchange of indicators of compromise (IoCs) between environments. This interconnectedness enhances the understanding of threat origins and pathways.
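As an added illustration of the cross-environment visibility described above (example code written for this page, not AWS's or any product's implementation), the block below normalises a handful of constructed IT and OT records onto one schema and then follows the source-to-destination edges forward in time from an IT detection. The record layout, the event kinds (`c2_beacon`, `rdp_login`, `modbus_write`) and the addresses are all hypothetical; a real SIEM would supply these from EDR, authentication and conduit-firewall feeds.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records (not real telemetry). Field names and sources are
# hypothetical: an IT EDR alert, an IT authentication log, and an OT conduit
# firewall log at the Purdue level 3 / level 2 boundary.
IT_ALERTS = [
    {"ts": "2024-03-01T08:02:10Z", "env": "IT", "src": "10.20.5.17",
     "dst": "198.51.100.23", "type": "c2_beacon"},
]
IT_AUTH = [
    {"ts": "2024-03-01T08:15:00Z", "env": "IT", "src": "10.20.5.17",
     "dst": "10.30.1.5", "type": "rdp_login"},
]
OT_FW = [
    {"ts": "2024-03-01T07:00:00Z", "env": "OT", "src": "10.30.1.9",
     "dst": "192.168.10.21", "type": "modbus_read"},
    {"ts": "2024-03-01T08:17:40Z", "env": "OT", "src": "10.30.1.5",
     "dst": "192.168.10.21", "type": "modbus_write"},
]

# Event kinds raised directly by an IT detection; they seed the trace.
SEED_KINDS = {"c2_beacon"}


@dataclass(frozen=True)
class Event:
    """Common schema that IT and OT records are normalised onto."""
    ts: datetime
    env: str   # "IT" or "OT"
    src: str
    dst: str
    kind: str


def parse_ts(s: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(raw: list[dict]) -> list[Event]:
    """Map heterogeneous records onto Event and order them chronologically."""
    events = [Event(parse_ts(r["ts"]), r["env"], r["src"], r["dst"], r["type"])
              for r in raw]
    return sorted(events, key=lambda e: e.ts)


def trace_pivot(events: list[Event]) -> list[Event]:
    """Follow src->dst edges forward in time starting from IT detections.

    A host is treated as compromised when it is the source of a seed alert, or
    the destination of an event whose source is already compromised. The
    returned chain is the ordered list of events that carried the activity,
    regardless of which environment logged them."""
    compromised: set[str] = set()
    chain: list[Event] = []
    for e in events:
        if e.kind in SEED_KINDS:
            compromised.add(e.src)
            chain.append(e)
        elif e.src in compromised:
            compromised.add(e.dst)
            chain.append(e)
    return chain


def crosses_boundary(chain: list[Event]) -> bool:
    """True when consecutive events in the chain move from an IT-logged hop to an OT-logged hop."""
    return any(a.env == "IT" and b.env == "OT" for a, b in zip(chain, chain[1:]))


def seconds_to_detect(chain: list[Event], detected_at: str) -> float:
    """Time from the earliest event in the chain to the analyst's detection time."""
    if not chain:
        raise ValueError("empty chain: nothing to measure")
    return (parse_ts(detected_at) - chain[0].ts).total_seconds()


if __name__ == "__main__":
    merged = normalize(IT_ALERTS + IT_AUTH + OT_FW)
    chain = trace_pivot(merged)
    for e in chain:
        print(f"{e.ts.isoformat()} [{e.env}] {e.src} -> {e.dst} ({e.kind})")
    print("IT->OT pivot:", crosses_boundary(chain))
    print("seconds to detect:", seconds_to_detect(chain, "2024-03-01T08:20:00Z"))
```

Run on its own, the script prints the three-hop chain (beacon, RDP login to the engineering host, Modbus write to the PLC) and reports that the activity crossed from IT-logged to OT-logged events. Feeding it only the OT firewall records yields an empty chain: the Modbus write looks like routine engineering traffic until the IT beacon supplies the context, which is the point the paragraph makes about exchanging indicators between environments.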
Integrating data from IT and OT environments within a unified SOC can yield economies of scale, allowing for cost-effective data ingestion and retention. Furthermore, managing a unified SOC can minimize overhead by centralizing data retention needs, access protocols, and technical capabilities like automation and machine learning.
Operational key performance indicators (KPIs) established in one environment can be leveraged to optimize another, promoting efficiency and reducing the mean time to detect security events (MTTD). A unified SOC fosters integrated security, operations, and performance, ensuring comprehensive protection and visibility across technologies, locations, and deployments. Sharing insights between IT and OT environments enhances overall operational efficiency and security posture, while also aiding organizations in complying with regulatory requirements in a streamlined manner.
Utilizing a security data lake and advanced technologies like AI/ML allows organizations to bolster their operational resilience, enhancing their ability to detect and respond to security threats. Forming cross-functional teams of IT and OT subject matter experts (SMEs) can help bridge cultural divides and encourage collaboration, enabling the development of a cohesive security strategy. Implementing an integrated SOC can significantly raise the maturity of IT and OT (including ICS) cybersecurity programs, thereby enhancing overall security capabilities.
Considerations for a Unified SOC
Several critical factors must be taken into account when creating a unified SOC. First, separation of duties is vital in such an environment: specific responsibilities should be allocated to individuals based on their expertise and job functions, so that the most qualified specialists handle the security events relevant to their environment. Additionally, data sensitivity must be managed diligently. Robust access and permission management is necessary to safeguard sensitive information; consolidating IT and OT data in one place does not mean every analyst needs access to all of it.
By aligning IT and OT security efforts, organizations can cultivate a more resilient security posture.