Operational Technology, IT and Cross Pollination of Opportunities and Risks

essidsolutions

Jesse Pike, Global Lead for OT Cybersecurity Consulting at NTT Ltd., discusses how Operational Technology (OT) is becoming progressively intertwined with Information Technology (IT), which means threats are crossing over from one environment to the other. The question is: can finding common ground help these two groups work towards their shared objectives?

The OT (Operational Technology) environment – otherwise known as the Industrial Control Systems (ICS) environment – has been supporting industrial businesses for decades. But, for multiple reasons, its pace of technology innovation has not kept up with the pace of change and innovation in IT. That’s all changing rapidly thanks to the renewed focus on the digitization of business and Industry 4.0 models.

Like most change, however, this impending convergence between IT and OT is bringing both good and bad elements to the surface. The good is around business scale, agility and speed, and the bad is around increased risks to production, human safety, and business resiliency. Like all good business decisions though, at the center is a balancing act between these opportunities and the risks. And the risks with OT can be as or even more significant than those taken on by IT.

The all serving, anywhere, any device, anytime access model for IT that has become a reality in recent years has eroded some of the traditional security barriers that had been in place for decades. That fortress and moat mentality has given way to new models where security is introduced more granularly and closer to the asset – be it people, devices, applications or data. These trust-based models make sense in a hyper-connected and evolving workforce and society, but they also bring increased exposure to cyber threats and need to be addressed proportionately to the risks exposed.

As someone who has spent just shy of 25 years in the IT profession and been exposed to companies of all shapes and sizes, I can attest to the need to understand the risks to the business (or society) and build out a cybersecurity program accordingly. We have plenty of examples of how a cyber incident crosses from a traditional IT environment over to an OT one.

The Ukraine power plant attack in 2015 and the more recent attack on a US Maritime Transportation Security Act (MTSA)-regulated facility in late 2019 are just two examples. Both attacks originated from within the traditional IT environment and crossed over to the industrial OT side.

We can expect more sinister attacks to come too. In 2019, for example, our Global Threat Intelligence Report (GTIR) indicated that 47% of hostile activity directed at manufacturing clients was related to reconnaissance. Reconnaissance is the initial stage used by attackers to understand the security of a system. It should not be surprising, then, that as knowledge of OT environments improves, as attacks develop and as implementations spread, we will see more attacks attempted in the future.

What’s concerning, then, is that many companies haven’t done a very good job at managing the risks that come with IT and OT convergence. This may have been OK in some sense historically as the risks have been largely centered on privacy and confidentiality in IT. However, in the new model shaping the future of industry, the risks and their impact are getting more severe. When lighting and traffic control systems are internet-connected and when critical systems can be destroyed remotely with ineffective attribution back to the attacker, the impact of these risks can be realized in a much more tangible and frightening manner.


Recommendations to improve OT (Operational Technology) security

The first step to securing the OT environment is recognizing the increasingly blurred line between OT and IT security. The publicized cases, along with guidance from the National Institute of Standards and Technology (NIST) and the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), are helping bring awareness to these increasing threats.

Organizations then need to assess the risks, figure out where to begin, and work out how to grasp and communicate the totality of the situation in meaningful terms, which, as I know, can be difficult.

Here are three recommendations for improving OT security:

1. Gain visibility into OT networks

As with all risks, clarity and visibility are key to understanding and effectively addressing the rising OT risks. Organizations should determine their cybersecurity risk profile, which takes into account vulnerabilities, threats, the likelihood those threats could materialize, and the negative impact that could result. This starts with validating that design documentation and asset inventories are up to date. An accurate inventory enables key objectives such as performing cybersecurity risk assessments, which in turn support additional strengthening measures such as implementing risk-based asset segmentation and understanding potential attack vectors such as uncontrolled remote access.
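The risk-profile step above can be made concrete. The following script is an added illustration, not code from the article or from NTT: it takes a constructed OT asset inventory, scores each asset as likelihood × impact, flags the two visibility gaps the text names (uncontrolled remote access and assets missing from design documentation), and groups high-risk assets by zone as candidates for risk-based segmentation. The zone names, roles, weights and threshold are all assumptions made for the example.

```python
"""Risk profile over a constructed OT asset inventory (added example).

Likelihood is a crude 1-5 score driven by exposure (remote access path,
patch state, open advisories); impact is a per-role weight. Nothing here
touches a live network: it works purely from the inventory, which is the
point of getting documentation and inventories right first.
"""
from dataclasses import dataclass

# Constructed impact weights: cost of compromise in safety/production terms.
IMPACT = {"safety": 5, "production": 4, "monitoring": 2, "business": 1}


@dataclass
class Asset:
    name: str
    zone: str            # assumed zone naming, loosely Purdue-style
    role: str            # key into IMPACT
    remote_access: str   # "none", "controlled" (jump host + MFA), "uncontrolled"
    patched: bool
    known_vulns: int     # unremediated advisories, constructed count
    documented: bool     # present in current design documentation


def likelihood(a: Asset) -> int:
    """1-5 likelihood: remote-access path dominates, then patch/vuln state."""
    score = 1
    score += {"none": 0, "controlled": 1, "uncontrolled": 3}[a.remote_access]
    if not a.patched:
        score += 1
    if a.known_vulns:
        score += 1
    return min(score, 5)


def risk(a: Asset) -> int:
    """Risk = likelihood x impact, the shape of profile the text describes."""
    return likelihood(a) * IMPACT[a.role]


def risk_profile(inventory):
    """Assets ranked by descending risk, plus visibility findings to act on."""
    ranked = sorted(inventory, key=risk, reverse=True)
    findings = []
    for a in inventory:
        if a.remote_access == "uncontrolled":
            findings.append(f"{a.name}: uncontrolled remote access into zone {a.zone}")
        if not a.documented:
            findings.append(f"{a.name}: missing from design documentation")
    return ranked, findings


def segmentation_candidates(inventory, threshold=12):
    """Zones holding an asset at or above the risk threshold, with those assets."""
    zones = {}
    for a in inventory:
        if risk(a) >= threshold:
            zones.setdefault(a.zone, []).append(a.name)
    return zones


# Constructed inventory for the example.
INVENTORY = [
    Asset("plc_line1", "L1-control", "safety", "uncontrolled", False, 2, True),
    Asset("hmi_ops", "L2-supervisory", "production", "controlled", True, 0, True),
    Asset("historian", "L3-operations", "monitoring", "controlled", False, 1, False),
    Asset("eng_workstation", "L2-supervisory", "production", "uncontrolled", False, 0, True),
    Asset("mes_server", "L3-operations", "business", "none", True, 0, True),
]

if __name__ == "__main__":
    ranked, findings = risk_profile(INVENTORY)
    for a in ranked:
        print(f"{a.name:16} zone={a.zone:15} likelihood={likelihood(a)} risk={risk(a)}")
    for f in findings:
        print("FINDING:", f)
    print("segmentation candidates:", segmentation_candidates(INVENTORY))
```

The scoring is deliberately simple; what matters is that the output is driven by the inventory, so an inventory that is stale or incomplete produces a profile that is stale or incomplete, which is why the text puts documentation first.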

2. Secure OT architecture from the ground up

Organizations should use the knowledge gained from visibility and risk assessments to develop options for implementing controls and prioritize the implementation of those which are most effective in reducing identified risk. Among other controls, this includes patch management, access control, whitelisting, Endpoint Detection and Response (EDR), device hardening and anomaly detection. However, a word of warning: common IT cybersecurity tools have historically been implemented to operate within an IT environment and may not function correctly in an OT environment. These same IT cybersecurity tools can be intrusive and have a high probability of disrupting ICS systems. Organizations therefore need to implement solutions that are designed to effectively secure the OT network.
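The warning above, that IT tools can disrupt ICS systems, is why OT-focused controls such as whitelisting and anomaly detection are usually built on passive observation rather than active probing. The script below is an added example, not code from the article or from any product it mentions: it learns an allowlist of (source, destination, service) triples from flow records captured during normal operation, then evaluates later flows against it without ever sending a packet to a controller. Host names, zones, services and the severity rules are constructed for the illustration.

```python
"""Passive communication allowlisting for an OT network (added example).

Flow records are assumed to come from a SPAN port or tap; the code only
reads them. A flow that matches the learned baseline is silent. Anything
else is an alert, rated higher when a non-control-zone host reaches a
control zone, which is the IT-to-OT crossover the article describes.
"""
from collections import defaultdict

# Constructed host-to-zone map; control zones are where disruption hurts most.
ZONE = {
    "plc_line1": "L1-control",
    "hmi_ops": "L2-supervisory",
    "eng_workstation": "L2-supervisory",
    "historian": "L3-operations",
    "corp_laptop": "IT-enterprise",
}
CONTROL_ZONES = {"L1-control", "L2-supervisory"}

# Constructed baseline capture from a period of known-good operation.
BASELINE_FLOWS = [
    ("hmi_ops", "plc_line1", "tcp/502"),            # Modbus/TCP polling
    ("hmi_ops", "plc_line1", "tcp/502"),
    ("historian", "hmi_ops", "tcp/4840"),           # OPC UA reads
    ("eng_workstation", "plc_line1", "tcp/44818"),  # EtherNet/IP engineering traffic
]

# Constructed later capture containing three deviations.
OBSERVED_FLOWS = [
    ("hmi_ops", "plc_line1", "tcp/502"),            # normal
    ("corp_laptop", "plc_line1", "tcp/502"),        # IT host talking Modbus to a PLC
    ("eng_workstation", "plc_line1", "tcp/502"),    # known pair, new service
    ("historian", "hmi_ops", "tcp/4840"),           # normal
    ("plc_line1", "unknown_host", "udp/53"),        # PLC reaching an unknown peer
]


def learn_allowlist(flows):
    """Every distinct (src, dst, service) seen during the baseline is allowed."""
    return {(src, dst, svc) for src, dst, svc in flows}


def services_by_pair(allowlist):
    """Index the allowlist by (src, dst) so new services on known pairs are recognisable."""
    pairs = defaultdict(set)
    for src, dst, svc in allowlist:
        pairs[(src, dst)].add(svc)
    return pairs


def evaluate(flows, allowlist):
    """Return one alert dict per flow that is not in the allowlist."""
    pairs = services_by_pair(allowlist)
    alerts = []
    for src, dst, svc in flows:
        if (src, dst, svc) in allowlist:
            continue
        src_zone = ZONE.get(src, "unknown")
        dst_zone = ZONE.get(dst, "unknown")
        if (src, dst) in pairs:
            severity, reason = "medium", f"new service {svc} on known pair {src}->{dst}"
        elif src_zone not in CONTROL_ZONES and dst_zone in CONTROL_ZONES:
            severity, reason = "high", f"{src_zone} host {src} reached {dst_zone} ({dst}) on {svc}"
        else:
            severity, reason = "medium", f"new peer {src}->{dst} on {svc}"
        alerts.append({"flow": (src, dst, svc), "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    allow = learn_allowlist(BASELINE_FLOWS)
    for alert in evaluate(OBSERVED_FLOWS, allow):
        print(f"[{alert['severity']}] {alert['reason']}")
```

The baseline is only as good as the capture period that produced it, so in practice it is reviewed against the design documentation and asset inventory from the visibility step before it is trusted; a flow that was present but should not have been is then removed rather than blessed.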


3. Test, test, and test again

And lastly, another often overlooked but fundamental need is to regularly perform incident response exercises to test organizational effectiveness in managing an incident. This is not optional and should involve creating or reinforcing the correct roles within teams, testing the ability to restart processes by using system and configuration backups, and ensuring any third-party support contracts are adequate in terms of response time and assistance provisions. Organizations can also perform a structured assessment of systems, using a framework such as MITRE ATT&CK for ICS, to simulate the types of techniques which are known to be used by adversaries.

While there’s no magic bullet, there are good practices and industry standards that can help companies sleep at night. Ultimately, the challenge always seems to come down to focus and support. Address this in a methodical and sustainable way, and secure support from the highest levels of leadership.

It would behoove us all not to repeat the mistakes we made with IT by throwing security products at the problem without first ensuring that the problem and its impact are understood. Take the responsible approach and do the real work of understanding and managing the cybersecurity risks, as the risks in OT and ICS can have a far greater impact on our society and on the businesses and people within it.
