OT, or operational technology, security professionals often find themselves dealing with problems from the IT world. Conversely, OT has always been a specialist area that IT people do not have the skills to deal with, writes Andy Norton, cyber risk officer at the cyber firm Armis.
Generally speaking, OT networks and IT operations have traditionally been kept separate, with OT systems running on unique and slightly obscure operating systems. However, a more recent trend is for organisations to connect OT functions to IT networks as networking, remote management and wireless connectivity grew in popularity and necessity – this is paving the way for the Industrial Internet of Things (IIoT) and Industry 4.0. Consequently, organisations and regulators find themselves struggling with the implications of this new change. We have already seen several large-scale attacks on critical national infrastructure, such as the attack on the Colonial Pipeline and the water treatment plant in Florida to name some high-profile examples.
As these systems increasingly connect to mainstream IT networks to bring the new industrial era of Industry 4.0, organisations have to figure out how to ramp up security to fill in any gaps that may lead to unauthorised access or control of OT. Therefore, the question becomes – how can organisations move forward and break down the ‘OT security problem’ and make it easier for OT and IT teams to understand each other better?
Understanding IT and OT convergence
At the core of Industry 4.0 is the convergence between information technology (IT) and operational technology (OT). That’s a paradigm shift in which two separate organisational silos – IT and operations – come together and pave the way for the Industrial Internet of Things (IIoT). OT/IT integration enables industrial infrastructure from machinery in a factory to irrigation systems to exchange data with other devices and systems over the internet. The operational efficiencies are unquestionably high – however, so are the cybersecurity risks.
Weaknesses within OT have rapidly grown over the last decade. For instance, in July of this year, a new vulnerability was discovered in the Schneider Electric Modicon PLCs, which would allow attackers to execute remote code on unpatched equipment. Consequently, the interconnectedness of IT and OT is creating dangerous gaps that threat actors can make use of. IT/OT convergence dissolves the air gap that has protected operational technology in the past. When old school machinery is connected to new technologies for more effective tracking and monitoring, they become more vulnerable to modern-day attacks, continually growing in sophistication. This means that there are several routes to infection from IT to OT, which can cause serious damage if exploited.
Seeing OT environments more clearly
The lack of visibility into unmanaged devices is one of the challenges of securing Industry 4.0. Traditional IT security is based on agents to be installed in the endpoints. It’s good for monitoring and protecting managed devices, such as desktops, but it doesn’t work for OT and IoT devices. In addition, network traffic control tools lack a contextual understanding of how unmanaged devices are used. An obvious challenge within OT is that the devices can’t run a conventional security client due to their design and history. Therefore, gathering visibility on OT devices is more challenging and can only be achieved through an agentless approach, by monitoring network traffic passively without affecting the production.
Fortunately, there is technology available that can listen to all the traffic on a network and build an inventory accordingly. Though, if malware is detected on OT devices, the OT teams may not let IT departments deal with it, as this could lead to a service outage, causing more delays and internal conflict. Therefore, it is important that context is given to any issues that may arise so both IT and OT understand the risks in order to make a clear path forward to resolving issues.
Create a playbook
The consequences of cybersecurity incidents with OT can be drastic, which is why it is vital for it to be taken seriously. While the OT team are not a typical part of the overall IT governance, communication between both IT and OT is key to a strong security posture. Communication between both IT and OT teams would be a massive step toward bridging the gap and not letting OT get consumed by IT while also securing both in conjunction with one another.
A manufacturer’s IT/OT implementation playbook should consider the following steps:
Investment in comprehensive asset visibility
Knowing what is on the network is the first step to succeed in this Industry 4.0 era. Organisations need a security platform that works for both managed IT devices and unmanaged OT and IoT devices. All communication pathways that could be explored, such as Bluetooth, Ethernet and Wi-Fi, need to be continuously monitored.
Establish an Industry 4.0 strategy
With increased visibility into the environment, it’s time to start mapping the opportunities and challenges that IT/OT convergence brings to the organisation. The goal of a cybersecurity framework for IT/OT alignment is to ensure the interoperability and security of all digital assets. Leaders should consider questions, such as: Why does the organisation need IT/OT integration? How does technology impact key performance indicators (KPIs)? Is there alignment across organisational silos? What could happen if systems are hacked?
Build a cross-domain team to foster collaboration
Plant managers are the ones who tend to take the initiative to push forward cybersecurity investments because they have a more holistic view of the organisation. But IT/OT convergence is also contributing to the creation of new leadership roles.
Gartner predicts that, by 2025, half of manufacturers and utilities will have converged cybersecurity and operations security teams under the role of a chief information security officer (CISO), reporting directly to the CEO. Unified management of OT and IT resources is fundamental to secure all digital assets in IIoT environments.
Create awareness and secure funding
Investments in technology are both a technical and strategic decision. Industrial modernisation involves significant funding and, for this reason, requires alignment between technical staff and the leadership team. It’s crucial to create awareness of the limitations of traditional IT solutions in protecting OT devices, and the impact that cybersecurity breaches could have on production.
Yes, OT people generally have a better understanding of how to keep their networks along with the operational risks involved, while IT teams deal with the technical risks. Nonetheless, once they manage to work together, organisations will be better protected and less likely to face business and operational shut-downs.
