6 minute read
BEST OF BOTH WORLDS
THE CONVERGING WORLDS OF INFORMATION TECHNOLOGY AND OPERATIONAL TECHNOLOGY CAN BE A SECURITY NIGHTMARE IF YOU DON’T IDENTIFY AND CLOSE THE GAPS EARLY ON.
Digital transformation requires the convergence of IT and OT networks. With the advent of the IoT, edge computing, and seamlessly expanding networks,
Advertisement
CIOs are today faced with the daunting challenge of bridging the divide between OT and IT environments.
Historically, these two have occupied separate domains with very little in common. Now, the need to streamline business processes, glean insights and deliver exponential business transformation is driving IT/OT convergence, especially in verticals such as manufacturing, healthcare and transportation.
Though connecting IT and OT worlds is a business imperative to achieve operational efficiencies, it has also resulted in potential risks that can disrupt risks. Security in the IT domain is relatively mature with wellestablished stacks and policies, and most OT systems were never designed with cybersecurity in mind. This calls for a complete rethink of cybersecurity strategies.
“The main challenge is that the convergence of IT and OT has been driven by the need for automation, simplicity, and convenience. Security was rarely if ever, prioritised. So industrial organisations now find themselves burdened by networks that are comprehensively and complexly connected – full of insecure entry points and vulnerabilities to exploit,” says Mark De Simone, Regional Director - MEA at ThycoticCentrify.
Additionally, while IT systems typically have a short refresh cycle of a few years or, in some cases, just months, OT systems are traditionally designed to remain in operation for decades. So, we’re seeing systems that were never intended to be connected to the internet now being integrated into modern IT networks, he says.
Gregory Cardiet, senior director – security engineering, International,
Vectra AI, says two major risks are associated with this convergence. The first is the overall structure and the design of OT solutions that usually cannot be patched the same way that you would in the IT world. As a result, some systems, worth millions, are still running with Windows XP operating systems. Furthermore, due to the competitive landscape, many OT vendors producing large machines, fail and go bankrupt. In this scenario, it is impossible to update and upgrade these systems. And as a consequence, these systems are never touched by the OT administrators to avoid failures.
The operational criteria for IT and OT tend to be different, says Brian Chappell, chief security strategist, EMEA & APAC, BeyondTrust. OT is focused on 100% uptime and simple but robust operation. IT is more tolerant of downtime and operates more complex processes with a high degree of integration between different systems. That said, IT is increasingly relied upon to facilitate business and the demands on uptime, robustness and performance are growing. This is good news for IT-OT convergence, which is also growing. OT cannot hide behind obscurity and difficulty to access security measures.
“Access to OT systems should be tightly controlled, never direct and always recorded. Access to the systems providing that access should also be tightly controlled and secured with multifactor authentication to ensure that authorisation is only given to the appropriate people. Over the past few years, we’ve seen the security risks that are part of linking IT and OT without due consideration and thoughtful planning,” he adds.
Vijay Jaswal – Chief Technology Officer – Middle East and Turkey, Software AG, offers another perspective on this: “The need to analyse and manage systems is where the security risk stems from. The fact that extensive OT solutions are now connected to the internet for companies to analyse performance poses a potential major risk if systems are not secured. Where there is connectivity, there is a risk of cyberattack.”
He says, for example, all devices used to run a modern-day pipeline are controlled by computers vs. historically controlled physically by people who were also known as engineers. Suppose these modern pipelines connected to an organisation’s internal network get hit with a cyber-attack. In that case, the entire pipeline becomes vulnerable to these malicious attacks risking a shutdown of the entire system, running into losses in millions.
Mark De Simone Gregory Cardiet
ADDITIONALLY, WHILE IT SYSTEMS TYPICALLY HAVE A SHORT REFRESH CYCLE OF A FEW YEARS OR, IN SOME CASES, JUST MONTHS, OT SYSTEMS ARE TRADITIONALLY DESIGNED TO REMAIN IN OPERATION FOR DECADES. SO, WE’RE SEEING SYSTEMS THAT WERE NEVER INTENDED TO BE CONNECTED TO THE INTERNET NOW BEING INTEGRATED INTO MODERN IT NETWORKS.
Brian Chappell Vijay Jaswal Alain Penel
Is there a lack of technology to manage and quantify OT cyber risks? There is indeed a lack of security expertise with OT environments and most firms rely on third parties to protect their critical physical assets.
“The nature of the challenge is unique at each organisation,” says Alain Penel, Regional Vice President – Middle East, Fortinet. “Some are challenged by staffing—either a lack of people or inadequately trained team members. Some are challenged by inadequate tools to handle threats and vulnerabilities. The cost of providing these things challenges some. Many are challenged by the frequency and number of threats and by the time required to maintain adequate security to manage them.”
He recommends at least to apply the basic practices of security hygiene—taking a proactive approach to security, working toward centralised visibility and control, and tracking and reporting cybersecurity metrics. As OT systems lose their air gaps and become integrated with IT systems and with the internet, OT leaders will need to reinforce security awareness on their teams and bolster their systems with adequate security protection.
Simone from ThycoticCentrify says the challenge with securing OT systems is more a matter of mindset and culture than of technology. With the convergence of IT and OT, the onus AS OT SYSTEMS LOSE THEIR AIR GAPS AND BECOME INTEGRATED WITH IT SYSTEMS AND WITH THE INTERNET, OT LEADERS WILL NEED TO REINFORCE SECURITY AWARENESS ON THEIR TEAMS AND BOLSTER THEIR SYSTEMS WITH ADEQUATE SECURITY PROTECTION.
of protecting OT systems is shared between IT and OT teams – each of whom has different priorities, standards, and understanding of risks. In the IT realm, confidentiality and integrity are king whereas in OT, availability is of utmost importance. Finding a balance between these viewpoints is the first step to correctly quantifying and addressing OT cyber risks.
How can enterprises minimise the potential for disruption from cyberattacks targeted at OT networks?
Good planning with plenty of testing, including table-top exercises, will lead to the best result, says Chappell from BeyondTrust. This isn’t a process to be rushed into, but equally, don’t start by just connecting the OT and IT networks and then looking at the next steps. The moment the environments are connected, the OT environment will be at a much greater risk, so make sure that initial connection is very tightly controlled and monitored.
He adds this will come naturally from a clear plan moving from the separated architecture to the joinedup architecture where security is in the fabric, not an afterthought. The objective should be a secure, single environment comprising IT and OT components. That will drive the necessary behaviour to deliver the integration with minimum disruption.
Segment the network, says Penel from Fortinet. “Segmentation is a fundamental best practice for securing OT. Segments restrict an attacker’s ability to move in an “east-west” or lateral direction. Because network configurations and trust levels change, segmentation should be dynamic rather than static. Organisations should look for a segmentation approach that continuously monitors the trust levels of users, devices, and applications. It also needs to dynamically control access based on business intent, behavior, and risk, which can dramatically shrink the attack surface.”