What lies beneath
Managing the security of operational technology and IoT alongside information technology is a challenge for many industrial firms. Here is how to deal with the different lines of attack.
The security aspects of IT and OT have traditionally been managed separately. This is primarily due to the mission-critical nature of OT infrastructure, and also to the very different skill sets required to manage IT and OT systems. Historically, OT systems were designed to run offline on independent networks. But now more and more OT systems are being connected online to take advantage of the Internet of Things, analytics, robotics and other emerging technologies.
In many enterprises, there is a clear demarcation between IT and OT environments, and different teams tackle security concerns. While IT security is more mature with standard applications, what makes OT security particularly challenging is the fact that many of these systems were designed without secure access control in mind. Does this mean IT and OT security are entirely different? Gartner believes that 80 percent of the security issues faced by OT are almost identical to IT, while 20 percent are unique.
Also, the degree to which enterprises are equipped to tackle OT security threats varies as much as it does for IT security threats. Organisations in similar verticals and of similar size are all at different points of the journey, even in the same geographies.
According to Saurabh Verma, Head of ICT & Digital Transformation – MENA at Frost & Sullivan, large and mature organisations in oil and gas, utilities, transportation and financial services are better prepared, but this in no way means that they are not vulnerable.
“It is important to realise that no security solution can guarantee 100% protection; attacks and breaches are inevitable, and as much as it is about protecting the systems, it is also about how quickly enterprises can recover from an event,” he adds.
Brian Chappell, Senior Director, Enterprise and Solution Architecture at BeyondTrust, says that, in general, organisations of all sizes are behind the curve in securing their systems. “With cybercriminals spending up to 10x on offence compared with what organisations are spending on defence, there needs to be a focus on cybersecurity as a whole and not in isolation.”
A Fortinet study states that nearly 90% of organizations have now experienced a security breach within their Supervisory Control and Data Acquisition and Industrial Control Systems (SCADA/ICS) architectures, with more than half of those breaches occurring in just the last 12 months.
Kalle Bjorn, Director, Systems Engineering at Fortinet, adds that the more alarming issue here is that most of those breaches have resulted in a high or critical impact on their business, from compromising their ability to meet compliance requirements, to decreased functionality and financial stability, and even affecting employee safety.
The increased OT-IT convergence has brought a variety of unique challenges to different industries, resulting in the need to create a single, unified view to monitor the security status of this diverse set of industrial and IT systems. As the two intertwine to enable new agile business models, convergence is also introducing significant new risks, many of which are catching organisations entirely unprepared.
“The logical place to start securing OT systems should already be in place and that’s limiting access whether physical or network. Adopting and adapting IT cybersecurity practices for network access (firewalls), configuration management, vulnerability management, privileged access management and identity management is vital,” adds Chappell.
“There exists a lot of experience in the industry when it comes to IT security. A lot of underlying technology has already been developed over the years which can be utilised in the OT environment. As traditional IT security vendors start focusing on this area, the need of the hour is to take care that the solutions deployed in the OT environment are designed according to OT protocols and are relevant to this specialised field,” says Nicolai Solling, Chief Technology Officer at Help AG Middle East.
Securing an intermingled IT-OT environment is not so much a requirement for a separate set of skills as an awareness that crucial elements of an OT environment differ from those in IT. IT security professionals moving into OT, or extending their remit to include it, must learn to speak the language of OT.
One of the main challenges, according to Sean McGurk, Vice President for Cyber Advisory Services at DarkMatter, is addressing the skills issue with formal training in ICS security. He says that there is a need for a structured approach at the secondary and post-secondary levels.
“Engineering programs often focus on design principles and operational capability but do not normally address cybersecurity. A partnership between academia and industry, working with government, can help to address the skills gap at the national level. Focused training at the corporate level on expanding the understanding of both IT and OT security will close the gaps,” adds McGurk.
Fortinet’s Bjorn agrees and says the first action any organization should take is to carefully conduct an audit on the state of their staff’s skill sets. Until the skills gaps are identified, any effort to upgrade individual skill sets would be futile. “Once the shortcomings are understood, the organization should develop a training/skill development plan first to address the most immediate needs followed by developing a systematic plan to fill in the remainder of the gaps.”
Some existing OT infrastructure is still physically separated from IT networks, making it easier to defend. This, however, does not mean that these air-gapped OT networks are impenetrable if attackers have enough resources and time available.
Industry experts say any efforts to apply security to an environment that was previously insecure will always involve some degree of disruption. However, with a proper planning process the level of disruption can be minimized and subsequently managed efficiently.
According to Chappell, it is important to accept that the transition may temporarily affect operation. It may be impossible to implement a more secure environment without some impact to production, but that must be weighed against the risks of not securing the environment, especially if it involves a threat to human life when a system is breached.
IT/OT convergence has become a business imperative in industrial organisations, and it is necessary to stop thinking of these environments as being separate. For that to happen, enterprises will have to bridge the gap between these siloed departments and bring them under an integrated security strategy to mitigate risks.