Hyperconnectivity of OT, ICS and SCADA environments has created an overlap between IT and OT environments, exposing formerly segmented systems to much wider attack surfaces. CISOs operating in newly or soon-to-be converged IT/OT environments, therefore, have a new charge — to integrate OT security into their existing security programs.
It’s critical, however, that security leaders think of this as one, holistic security program. Attackers have already begun to exploit the overlap between IT and OT systems , leveraging vulnerabilities in IT systems to reach critical OT systems and OT vulnerabilities to reach IT systems. The impact of such an attack has significant ramifications beyond exposure of sensitive information and customer data. It could result in financial losses due to production stopping and, even more damaging, could put the public at risk if, for example, water or energy supplies are compromised.
This post, which summarizes the session “Overcoming Industrial Security Challenges” from the 2021 European Cyber Summit , will provide CISOs with a roadmap for developing a holistic IT/OT security strategy that addresses the needs of each environment without negatively impacting processes and productivity.
The Impact of IT/OT Convergence on the Security Strategy
In the IT world, we’re already very familiar with the idea of hyperconnectivity and the protections required to enable business processes without compromising security. Because of this, it may be tempting to simply port these IT security practices into OT environments . This would be misguided, however, because OT environments are fundamentally different than IT environments and therefore require a much different approach to security.
OT environments are complex and specific. In other words, no two power plants, manufacturing plants, water treatment facilities, etc. are going to be the same. These environments will use proprietary hardware and software that is designed to enable very specific functions. This is somewhat of a double-edged sword when it comes to security. The more complex and specific the environment, the harder it is to attack. But it also makes it more difficult to secure. There will not be a one-size-fits all approach to OT security.
OT environments prioritize productivity and availability. Everything in the OT environment has been done in a way to enable process and assure productivity. Plants will run 24×7, which results in small and infrequent maintenance windows and limits the ability to apply updates or patch vulnerabilities. The security strategy will therefore have to account for the change-averse nature of the OT environment.
Devices in the OT environment have weak intrinsic protection levels. Until recently, devices in the OT environment were completely isolated and segmented from the outside world. Therefore, they had no need to be designed with network security in mind, and in many cases they cannot be updated without re-validating the entire system. Replacing OT infrastructure with IT systems or implementing IIoT connectivity and remote vendor access have broadened the attack surface, and because the platforms are not well protected, an attacker could take advantage of those intrinsic vulnerabilities.
How to Start the IT/OT Security Journey
Define the strategy.
During this initial step, the goal is to define how to run this joint effort between IT and OT. You will want to work with your OT stakeholders to establish what assets the security program will need to protect and who will be responsible for each aspect of the program.
It’s important to note that there is no one single strategy that will work for every IT/OT environment. It will depend on the business you are in, the current level of security maturity for processes and personnel, your risk appetite, your governance model, and your available resources (e.g. budget, staffing, 3rd party vendors).
Some of the ways we have seen customers implement their OT security strategies include:
- Delegate – Centrally define the OT security policy and goals and then delegate to the plants, including resource delegation.
- Improve Onwards – Define the OT security policy and choose a site for a proof of concept to test out security controls. Then apply that standard to every new site rather than retrofitting existing sites right away. That could perhaps be a second step.
- Big Plan – Define the OT security policy and develop a migration program for all sites. This is a huge undertaking, and the plan may need to be adapted for each site depending on the current maturity of the site.
The next step is performing an assessment of OT security risks. Run through scenarios to understand what the impact of certain risks to the OT environment might be. What would happen if your systems were hit by a ransomware attack? If an attacker steals data from your OT systems or if they were able to modify your OT processes in some way?
Identifying the real threats to your business will help you narrow in on what you need to protect against as well as inform your threat monitoring, detection, and hunting activities.
Establish communication channels between OT/IT.
Traditionally IT and OT teams have not worked together because they have different objectives, reporting structures, and operational models. OT prioritizes productivity and availability where IT prioritizes the secure transmission of data. OT will report into the CTO where IT will typically report into the CIO. IT often operates using a service desk model with frequent hardware and software updates. OT is resistant to system changes because of the potential impacts to validated processes.
All of this can make it difficult to translate the importance of managing IT security risks, but there are ways to establish a common language between the two teams. Host a joint workshop or offsite for stakeholders to share their experiences and get to know each other. Facilitate knowledge sharing around the OT terminology and priorities, and find ways to connect risks such as malware — which may not inherently mean much to an OT leader — to their operational impact (e.g. interruption of a process).
Turn it into a win-win.
Finally, express the IT/OT security strategy in a way that demonstrates how OT will benefit. This is not dissimilar to early conversations security leaders had to have (and still have) with their C-suite. Better security often results in higher reliability and availability of systems. It can improve control and visibility for the environment, and it can enable OT processes.
For CISOs impacted by Industry 4.0 and the digitization of OT environments, the time to embark on the OT security journey is now. OT environments are actively targeted by direct and indirect attacks, but the good news is there are many OT security solution providers out there, including Kudelski Security, who can help you protect your converged IT/OT environment.