In 1998 a group of scientists, engineers and hackers from “L0pht Heavy Industries”, a hacker collective based out of Boston, Massachusetts, testified before the U.S. Senate Committee on Governmental Affairs attempting to create public computer security awareness and claimed they could “shut down the whole internet.” Topics included vulnerabilities in computing systems, partnerships with software and hardware companies actively mitigating vulnerabilities, exposing companies deliberately hiding vulnerabilities, and creating awareness of the risk and grave consequences of potential attacks.
A particularly interesting topic was one spoken of by Stefan Von Neumann, an engineer and self-described “user support specialist” who discussed critical infrastructure including energy, water and telecommunications. He outlined the unsecured remote command and control of these essential systems and, in almost all cases, the lack of awareness by end clients of the potential to have their critical services compromised, manipulated or denied, and even to have private information spied upon or stolen. Mr. Von Neumann closed by saying he “…would personally like to see that the same type of independent review process that should exist for software companies extended to utility companies and internet service providers.”
Getting to the root of the OT security issue
Our public awareness of the threat to critical infrastructure systems and the dire consequences that come with an attack or even a mistake has been almost 25 years in the making. So why is the standardization and availability of security technologies for Operational Technology (OT) and Internet of Things (IoT) devices so far behind traditional Information Technology (IT)? Mr. Von Neumann described what the solution was: a standardized framework and review process of security controls in utilities and telecommunications; however, he did not directly identify the root cause of the issue. These security controls and procedures didn’t exist, and even today they largely struggle to reach parity with IT, because OT/IoT technologies are deployed, operated and maintained by a separate and diverse cadre of personnel with their own “culture” and technical skill sets.
These OT/IoT specialists have enjoyed luxuries that traditional IT once had in security: segregated networks, physical/wired only transmission, autonomous operation from other business functions, and security through obscurity. These luxuries have faded away as the threat landscape has grown with the consolidation of employees and facilities, wireless technologies, ready access to information about vulnerabilities, and benefits of system exploitation.
Bridging the gaps
Active and devastating attacks on critical infrastructure, supply chains, and telecommunications have been carried out by nation-states, malicious groups and individuals, which has brought organizational management's attention to the vulnerabilities and threats lurking in their infrastructure. In a hasty attempt to bandage these vulnerabilities, OT/IoT has been flung into the fires of traditional IT management and security operations and has therefore inherited the complications that come with them. I recognize the need for this consolidation of visibility into security incidents and response; however, there is an additional and unaddressed requirement for “middleware” in technology, process and people to create true IT/OT/IoT convergence.
At Atos, I am working with our OT/IoT teams around the globe to bring true, blended security operations management to complex and multifunctional enterprises. Our PSOC for IT/OT offering focuses on a single point of contact to protect critical infrastructure and supply chains by aligning IT, OT, and IoT security activities to provide near real-time security intelligence and incident response. The Atos Resource and Services group and I are attempting to conceptually prove out our IDnomic for Objects offering as a solution for managing authorization and authentication through certificates issued to safety and preventative maintenance monitoring systems, securing them against unauthorized attack and providing security incident intelligence. I am focusing my efforts on identifying the gaps between technologies, process, and people and how to bridge these gaps with this missing “middleware” while being inclusive of a range of skill sets, work cultures, and requirements.
As OT and IoT interconnect our lives with critical infrastructure and become technologically intertwined with our activities, businesses, homes and transportation, we have a responsibility to ensure privacy and security are carried over to these emerging technologies and to respond to the widening threat landscape. My goal is to develop a secure global infrastructure that includes all technologies. IT security management and organizational management need to embrace the reality of IT/OT/IoT convergence with agility and speed to protect our most valuable and powerful command and control assets.
You can join the conversation with Atos and professional security organizations, research something new, train others on OT/IoT technologies, and create tailored awareness around threats, vulnerabilities and potential solutions for IT/OT/IoT Convergence. Together we can build genuinely secure IT/OT/IoT convergence through the first steps of awareness and evangelism.