How IT-OT convergence is accelerating cyber resilience and digital transformation
Although the term operational technology (OT) has been around for decades, there is still some confusion about how OT differs from IT. According to Gartner, operational technology (OT) is the hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.
The OT landscape includes industrial automation and control systems (IACS) — defined as the personnel, hardware, software and policies that can affect or influence the safe, secure and reliable operation of an industrial process. Together, OT and IACS encompass people, processes, and plants/technology — the “3 P’s” that must be addressed for both digital transformation and cyber resilience.
However, OT environments and IACS protocols have been under attack in recent years as they become exposed to threat actor groups. Intelligence gathering and attacks targeting OT environments have increased significantly, with organized threat groups positioning themselves to attack critical national infrastructures (CNI) to gain a dangerous geopolitical advantage.
In this article, we will try to clearly explain the cyberthreats facing the OT landscape, examine how exposed OT environments truly are, and explore how organizations can overcome these risks and threats.
Security comes first, but with a hint of caution
Confidentiality, integrity and availability are the three key objectives of any OT or IT security strategy. Confidentiality of data is the top priority for IT security; for OT, the top priority is maintaining the availability of the deployed OT assets. Integrity is the second priority for both, but for different reasons: commercial consequences in IT versus industrial safety in OT. This difference in priorities inevitably demands different tactics to ensure that the people, processes and technologies deployed achieve the desired security levels.
Absolute security does not exist, but it may be pursued. However, it can come at an unreasonable cost and limit the digital functionalities needed to enhance business outcomes.
A centralized and standardized cybersecurity management system will reduce OT security risks. The benefits go far beyond building cyber resilience, also paving the way for digital transformation.
As OT asset owners move towards optimal security, they should weigh the cost of both technical and non-technical countermeasures. Not every OT system in the environment needs remote control via the cloud; some can be supported by an edge computer, and others may only need to broadcast information. Business leaders should weigh the business and financial advantages and disadvantages of each security measure before investing in any solution.
Understanding the exposure in OT environments
The convergence of OT and IT has resulted in traditional OT environments becoming more open or exposed. Traditionally, OT has depended on air gaps (disconnected networks) to ensure security. The introduction of the industrial internet of things (IIoT) and smart devices makes it difficult to monitor every single connection with the outside world, increasing the attack surface and making network separation more difficult.
Today, there is a substantial amount of technical information available on the internet about OT environments, giving hackers a better understanding of OT and its vulnerabilities. Armed with this information, hackers are now adopting advanced practices and managed services to disrupt IT systems and orchestrate cyberattacks in the OT environment. It would be naive to assume that as-a-service models are not offered to threat actor groups seeking to influence OT environments. The rise in the number of threats and cyberattacks is a growing concern for organizations, industries and customers.
As far back as December 2021, Gartner predicted that by 2025, 30% of critical infrastructure organizations will experience a security breach that will take down a critical cyber-physical system.
One very common mistake is the tendency for organizations to address OT cybersecurity by looking at OT assets individually. Rather, the most efficient approach is to implement a single, scalable cybersecurity management system for all or most OT systems, complete with policies, procedures, tools and resources — including skilled personnel. Without a holistic view, you may find gaps in risk assessment and miss opportunities to find common solutions or take advantage of economies of scale.
Containing the risk
The cyberthreat landscape will continue to evolve and expand over time, but organizations can familiarize themselves with these threats and protect themselves by understanding and defining risk tolerance and actions to improve asset and business resilience.
Below, we have outlined three critical steps you can take to be better prepared and effectively tackle such threats:
1. Risk management is a comprehensive process that includes assessing and treating risk. An effective business case should set out the risk management strategy with technical, managerial and procedural countermeasures, backed by threat intelligence and knowledge of vulnerabilities across the OT landscape. These countermeasures should be device-specific and based on an in-depth survey of the system architecture’s weaknesses.
2. Standards and guidance issued by industry specialists are important to heed. OT engineers know their environment extremely well, and the safety industry has been successful in addressing security concerns from the earliest phases of the OT asset safety lifecycle. Widely adopted standards like IEC 61508 take security into account, and the industry is embracing cybersecurity standards like IEC 62443, promoted by national and international bodies like ENISA and NIST.
3. Retaining skilled resources is important for organizations to maintain a secure OT environment and ensure timely execution of risk management actions. The business rationale should define and ring-fence these key resources, because risk management programs require active participation from internal and external cross-functional stakeholders, including those from the intelligence community. A lack of cybersecurity experience and knowledge across supply chain interactions is a major risk for CNI asset owners.
A brave new world
An IT/OT integration is inevitable, heralding significant benefits to all stakeholders. This integration is a key enabler for digital transformation programs, where topics like remote access and distributed intelligence are incorporated into legacy systems. Frequent topics of discussion are the use of wireless technologies powered by cloud solutions, and how to use edge computing to provide much-needed computing power and enhance security.
Adopting IIoT and intelligent electronic devices is an integral part of digitalizing OT assets, bringing benefits like reduced maintenance cost and enhanced visibility. However, vendors of such technologies rarely address security vulnerabilities in the technologies used within the devices, or deploy the development practices (such as operating system vulnerability management) required for security- and safety-conscious applications in CNI. Similarly, OT asset owners will need a resource-intensive asset risk management program, covering intelligence gathering, risk assessments and patch/update rollout programs to address vulnerabilities. In CNI, security-driven modifications may also prompt recertification and substantiation of the safety functions performed by the assets.
In my experience, defining what is normal (the baseline) so that anomalies can be recognized will improve confidence in the OT network environment. Design reviews, and substantiating security claims by validating and verifying the network architecture, help in selecting the right security tools and services. OT security tools can now detect and dissect widely used OT communication protocols and standards like Modbus, DNP3, OPC, IEC 61850 and IEC 104. Since OT assets increasingly use the same building blocks as IT (operating systems and communication protocols), we can repurpose the experience and tools built for IT systems and apply them to the OT landscape.
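As an added example (not code from this article, and not any vendor's product), the following Python sketch shows what "defining the baseline" looks like in practice for one of the protocols named above. It parses Modbus/TCP request frames (MBAP header plus PDU) and flags any request whose client address, unit identifier, function code or write window departs from an allowlist learned during design review. The client addresses, unit ids, register windows and the traffic frames themselves are all constructed here for illustration.

```python
"""Baseline-driven anomaly detection over Modbus/TCP requests.

Added example, not from the original article. The baseline profile and the
sample traffic are constructed for illustration only.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes used in this example.
FC_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 4: "Read Input Registers",
            5: "Write Single Coil", 6: "Write Single Register", 8: "Diagnostics",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    src: str                 # client IP (assumed known from the TCP layer)
    transaction_id: int
    unit_id: int
    function_code: int
    start_addr: Optional[int]
    quantity: Optional[int]


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    # MBAP length counts the unit id byte and the PDU that follow it.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    data = payload[8:]
    start = qty = None
    if fc in (1, 2, 3, 4, 15, 16) and len(data) >= 4:
        start, qty = struct.unpack(">HH", data[:4])   # starting address, quantity
    elif fc in (5, 6) and len(data) >= 4:
        start = struct.unpack(">H", data[:2])[0]      # single address, then value
        qty = 1
    return ModbusRequest(src, tid, unit_id, fc, start, qty)


# Constructed baseline: which client may talk to which unit, with which
# functions, and (for writers) which holding-register window it may touch.
BASELINE = {
    ("10.0.1.10", 1): {"functions": {3, 4}, "write_range": None},           # HMI, read-only
    ("10.0.1.20", 1): {"functions": {3, 6, 16}, "write_range": (100, 120)},  # engineering workstation
}


def check_against_baseline(req: ModbusRequest, baseline=BASELINE) -> list:
    """Return a list of anomaly descriptions; an empty list means the request conforms."""
    alerts = []
    profile = baseline.get((req.src, req.unit_id))
    if profile is None:
        return [f"unknown client/unit pair {req.src} -> unit {req.unit_id}"]
    name = FC_NAMES.get(req.function_code, "unknown")
    if req.function_code not in profile["functions"]:
        alerts.append(f"{req.src} used unexpected function {req.function_code} ({name})")
    if req.function_code in WRITE_FUNCTIONS and req.start_addr is not None:
        window = profile["write_range"]
        end = req.start_addr + req.quantity - 1
        if window is None or req.start_addr < window[0] or end > window[1]:
            alerts.append(f"{req.src} wrote {req.start_addr}-{end} outside baseline window {window}")
    return alerts


def build_frame(tid: int, unit_id: int, fc: int, start: int, qty: int, values=None) -> bytes:
    """Construct a Modbus/TCP request frame (used only to create sample traffic)."""
    if fc in (5, 6):
        pdu = struct.pack(">BHH", fc, start, values[0])
    elif fc == 16:
        body = b"".join(struct.pack(">H", v) for v in values)
        pdu = struct.pack(">BHHB", fc, start, qty, len(body)) + body
    else:
        pdu = struct.pack(">BHH", fc, start, qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic: two conforming requests and three departures from baseline.
SAMPLE_TRAFFIC = [
    ("10.0.1.10", build_frame(1, 1, 3, 0, 10)),                 # HMI reads 10 registers: normal
    ("10.0.1.20", build_frame(2, 1, 16, 100, 3, [1, 2, 3])),    # EWS writes inside its window: normal
    ("10.0.1.10", build_frame(3, 1, 8, 0, 0)),                  # HMI issues Diagnostics: unexpected
    ("10.0.1.20", build_frame(4, 1, 6, 500, 1, [0xFFFF])),      # EWS writes outside window
    ("10.0.9.99", build_frame(5, 1, 3, 0, 1)),                  # client not in baseline
]


def run_detection(traffic) -> list:
    """Parse every frame and collect baseline violations."""
    alerts = []
    for src, frame in traffic:
        alerts.extend(check_against_baseline(parse_modbus_tcp(src, frame)))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_TRAFFIC):
        print("ALERT:", alert)
```

The design choice worth noting is that the baseline is expressed in protocol terms (who, which unit, which function, which registers) rather than as raw byte signatures, which is what makes the same approach reusable across the other protocols listed above once a parser for each is available.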
Similarly, while air gaps, segregation from the internet, and “behind the firewall” arguments are being challenged, it is still safer to keep a system isolated when there is no immediate and compelling business benefit from connecting it. Physical access security, supported by smart building management, video analysis and forensics, should aid security investigations and decision-making.
A two-pronged approach to cyber resilience
Cyber resilience is critical for business continuity, scalability, data security and overall integrity. Businesses looking to build and boost OT cyber resilience must focus on preventing, detecting and responding to both known and unknown threats.
They should use risk-based fit-for-purpose technology solutions, managed services and cyber resilience governance across their asset base.
An effective way to manage OT security risks is to centralize and standardize cybersecurity management.
Here are two simple ways to do this:
- Implement an IT–OT security operations center (SOC) with effective security information and event management tools to monitor and detect intrusions/anomalies.
- Ensure OT asset visibility and automate responses by defining prevention actions, supported by qualified people and processes.
In the end, you will find that the benefits not only build cyber resilience but also help pave the way for your digital transformation.
Posted on: 9/03/2023