The three elements of a secure OT environment
ServiceNow offers a dedicated OT product portfolio to mitigate risks and unlock the benefits of digitalisation. It’s focused on three areas.
Gaining visibility of industrial networks and environments with passive, non-disruptive technology that won’t introduce extra load or capacity risk.
This means not just adding technology but understanding the context in which it is operating: how are programmable logic controllers connected to human-machine interfaces? What is your SCADA capability, and what does it connect to? What does all of this mean for an electricity substation or water pump station on the network? In this way, it’s possible to see how network resilience is affected.
“We can map all of that information and deliver it in a very secure way so that it can be used to support other workflows and capabilities that add value to the organisation,” says Barker. ServiceNow works to standards including ISA 95, an International Society of Automation standard for developing an automated interface between enterprise and control systems, and the Purdue model for industrial control security. These standards provide the foundation for end-to-end OT management.
Remediating industrial vulnerabilities.
It’s important your OT company partners with all major equipment vendors to mitigate new threats. “When they have a known CVE [common vulnerability and exposure], we pull that into ServiceNow and can match it against the manufacturer, the model number and the type of device, and we can show you where your vulnerabilities are on the network.”
It can be very challenging to know when and where to patch or when to remediate. “Because we understand the industrial context, we can help with which vulnerabilities to focus on,” Barker says. “Typically, we identify the 1% chance that will have the majority of the impact on the utility. We pull in the maintenance schedule to exploit scheduled downtime, rather than introducing extra downtime. Extra downtime is a non-starter for most organisations.”
Automating the approach to OT risk within the environment.
ServiceNow uses industry frameworks like IEC 62443, a series of standards defining requirements and processes for implementing and maintaining electronically secure industrial automation and control systems. Barker says: “That mandates organisations to fully understand and discover OT devices; when we discover a device, we can as an example automatically register a risk.” If the system combats a security threat, it automatically registers a near miss, so ServiceNow can see where risks are highest.
“Because we understand the industrial context, we can help with which vulnerabilities to focus on. Typically, we identify the 1% chance that will have the majority of the impact on the utility.”
in association with
