Modern day industrial operations often span complex IT (information technology) and OT (operational technology) infrastructures. In a very standard environment, thousands of devices exist and are increasingly being connected via the Industrial Internet of Things (IIoT). This creates new challenges in securing industrial environments specifically by making cyber-security threats even more difficult to detect, investigate and remediate.
What has made this an even more challenging endeavor is that IT and OT have typically inhabited different parts of the organization; and with good reason. Up until only recently the IT infrastructure played front and center in terms of ensuring complete visibility, security and compliance mostly because this was where organizations were being attacked. For the better part of two decades these were the things that kept the CISO up at night; but the reality has changed. With our increasingly interconnected world, OT has quickly caught up as a lightning rod for new attacks and increased security concerns.
The focal point for attacks on industrial operations and critical infrastructure has centered on Industrial Controllers. When industrial controllers were first deployed, they were not connected and interconnected. Today’s advances in technology have put these devices online and thus they have become the target of the hacker. Furthermore, controllers were not built to address the security threats or the quite innocent human errors we now experience. Outsiders, insiders, and outsider masquerading as insiders are all possible actors that launch sophisticated attacks to take over machines for nefarious purposes. More recently hackers are no longer rogue individuals but are often a carefully curated and systematic program by well-funded and highly motivated organizations and countries. A carefully executed attack can accomplish as much if not more than modern day warfare.
Few argue that the attack surface has changed to encompass both IT and OT. Because these two different worlds are now connected, an attack that starts on an IT environment can quickly move to an OT environment and vice versa. Lateral movement is almost the preferred attack methodology amongst hackers because of the relative ease of finding a weak link in the system, leveraging it as the point of entry, and then quickly owning the entire network.
Convergence of IT and OT
Few organizations currently manage IT and OT with the same staff and tools. After all, these networks evolved with a different set of priorities and they operate in inherently different environments. Nevertheless, in order to address this new complex threat and to protect this broader attack surface, many industrial organizations have begun to converge their IT and OT groups. The ‘convergence initiative’ is anything but simple. The growing pains associated with bringing together these two substantially different worlds can prove to be a challenge.
The IT/OT convergence trend is not only driving integration of IT tools with OT solutions, it also requires alignment of the strategic goals, collaboration and training; and bridging between two departments with people that have different backgrounds, different mindsets and concerns for their departments. In general, IT people are used to working with the latest and greatest hardware and software, including the best security available out there to protect their networks. They tend to spend time patching, upgrading and replacing systems.
Meanwhile, OT staff are used to working with legacy technologies, many of which pre-date the internet era. These often use proprietary network protocols, and lack basic security controls like authentication or encryption. They also don’t have event logs or audit trails. As a result, incident detection and response in an OT environment is very different than in an IT environment.
While there are significant differences between the worlds of IT and OT, one thing that can be agreed on are the key elements in establishing a robust security posture when it comes to industrial security. They include:
- Threat detection & mitigation that combine behavioral anomalies with policy-based rules.
- Asset tracking that includes dormant devices and goes as deep as PLC backplane configurations.
- Vulnerability management that tracks and scores patch & risk levels of ICS devices.
- Configuration control that tracks all changes to code, OS & firmware regardless whether done through the network or locally.
- Enterprise visibility to ensure that all data collected integrates to a single pane of glass
Regulations require it
Because security threats occur regularly, regulatory compliance is also driving the IT/OT convergence. For example, North American Electricity Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC) require IT and operations staff in critical infrastructure to collaborate and manage risks cooperatively and share relevant documentation to ensure security and reliability. In fact, regulations specifically call for an environment in which there is the ability to conduct forensics across both networks in order to identify, thwart and report on incidents that can disable significant industrial deployments and critical infrastructure.
Bringing together IT and OT hastens compliance with regulatory statutes, and the ability to proactively report on and demonstrate compliance makes any potential audit significantly easier.
C-level support can make it happen
The successful deployment of industrial cybersecurity initiative must leverage resources from both IT and OT. To bring IT and OT staff together and unify security thinking and practices, organizations need to create a culture of collaboration between both camps for the common good of the business.
The key to success is getting C-level support. Some organizations begin by creating a C-Level role to facilitate the convergence. For example, it’s quite common to find a Chief Digital Transformation Officer whose role is to bridge the gap between IT and OT, merge the culture divide, and establish incident response processes that span both groups.
Business-level oversight and C suite leadership helps ensure that the two sides will collaborate effectively with each other. To make this happen, more and more organizations are taking senior, experienced engineers from OT business units, and assigning them to support incident response within the Security Operations Center (SOC). This creates an environment where people, processes and technologies straddle and unify both sides of the IT/OT fence.
A successful collaboration between IT and OT can reap significant benefits, including:
- Improved security automation, sensing and visibility
- Increased control over distributed operations
- Better compliance with regulatory requirements and tracking
- Higher responsiveness when incidents occur and improved organizational performance
- Better decision making based on more detailed information
- Proactive maintenance and reduced response times to unforeseen disruptions
- Improved flow of information to stakeholders
Many pundits and experts in the field say that it is not an issue of “IF” but rather a matter of “WHEN” a security incident occurs. Bringing the IT and OT worlds into the same orbit will help ensure that when an incident occurs, that the organization can weather the storm and in fact thrive amid the chaos.