Is the IT-OT bridge the Achilles’ heel of industrial cyber security?
Operational technology (OT) is the beating heart of the critical infrastructures that support our standard of living. As infrastructures become increasingly elaborate, interconnected, and co-dependent, their disruption can affect entire populations. This isn’t new. In fact, the importance of protecting OT systems has been recognised for decades. What is surprising, however, is that many businesses still lack adequate strategies to protect their OT environments.
An Indegy study* from April 2018 confirmed that organisations have significant investments in place to secure their IT infrastructures, but not so much for OT. Nearly 60% of critical infrastructure executives admit that they “lack appropriate controls to protect their environments from security threats”.
Meanwhile, some approaches to OT risk management are quickly being discarded as incompatible with our increasingly interconnected world. “The network perimeter is a thing of the past”, says Michael Rothschild of Indegy in a recent interview with SeQure World Magazine. So we need “a new approach to security that relies on access control, device integrity, and network security”. OT protection also needs to “work hand-in-hand with existing IT security to create an ecosystem of trust that spans both environments”, he concludes.
Ingolfur Gudmundsson, OT Security & Compliance Officer at Orsted, points to what could be part of the reason operational technology is lagging behind: “OT systems are not as heavily assessed for risks of data breach; they are in general more assessed against risks of failure including safety of personnel. The reason is that they generally don’t hold as much ‘juicy information’, such as social security numbers, names, emails, phone numbers, etc”.
Michael further elaborates: “In the past, OT systems were largely segregated from anything else in the network and were self-contained. As a result, there was little concern for security. Today, with the increased connectivity and the move to IIoT, OT networks are fully connected and are thus experiencing incursions and breaches like never before”.
Sordyl Jaroslaw, Deputy Director of Cyber Security and Head of CERT at PSE, also worries: “[now] we have IIoT, smart metering, and smart cities, all connected directly or indirectly to the Internet, [so] we have remote access to them. If we have access, we can take control over equipment and potentially affect the whole environment. (…) In OT and ICS, we must be very careful with the implementation of new solutions because we could do more bad than good”. If increased connectivity means exposing ‘juicy information’ through multiple new doors, could the integration between IT & OT systems be seen as the Achilles’ heel of this technological advancement?
Challenges aside, IT-OT integration brings promising advantages to industrial operations when it comes to cost, performance, productivity, and agility*. A tight IT-OT integration seems to be both the answer and, when not secured, a problem. So to ensure its success, Michael suggests starting by getting C-level support.
Some organisations successfully bridging IT-OT departments “begin by creating a C-level role to facilitate the convergence. For example, it’s quite common to find a Chief Digital Transformation Officer whose role is to bridge the gap between IT and OT, merge the culture divide, and establish incident response processes that span both groups”, he adds.
Other elements that compose a robust industrial cyber security policy, adds Michael, include: “asset tracking that includes dormant devices and goes as deep as PLC backplane configurations, vulnerability management that tracks and scores patch & risk levels of ICS devices, and enterprise visibility to ensure that all data collected integrates to a single pane of glass”.
IT staff usually have access to the latest security software, and spend time patching, upgrading, and replacing systems. Meanwhile, OT teams are used to working with older technologies, some from pre-internet times, that lack basic security controls such as authentication, encryption, event logs, or audit trails. As a result, incident detection and response are very different between these environments, explains Michael. Bringing these systems closer together doesn’t mean that we should start treating them as one and the same.
Uniting IT and OT staff requires “training, training, training”, says Ingolfur. The way to establish a successful collaboration, he suggests, is by bridging IT and OT knowledge, backgrounds, and challenges, while appreciating their different roles in the functioning of the organisation. Closer communication will not necessarily make the two teams more similar, but it will make security strategies more efficient, which is to everybody’s benefit.
It’s true that increased OT connectivity has made intrusion easier for attackers, as companies that suffered from WannaCry and NotPetya can testify. But the resulting OT-IT interconnectedness is also a call to action for businesses to build supportive alliances among departments and systems. As Ingolfur says, “The main point of IT-OT integration is to get all the knowledge into one team/department, and in that way utilise lessons learnt from both, faster”. Collaboration has become a necessity for strengthening protection strategies and efficiently assessing risks in an OT environment. So optimise your bridges to do what they are meant for: uniting people by crossing over [departmental] barriers.
Thank you Michael, Ingolfur, and Jaroslaw, for your crucial participation in this article.
This conversation will continue. Ingolfur Gudmundsson, Sordyl Jaroslaw, and Barak Perelman, founder and CEO of Indegy, will be speaking at CS4CA Europe this October 2-3 in London. Find out more at www.cs4ca.com/europe