Recently, OT (operational technology) and IT have started to converge, as more organisations have begun connecting their devices and OT environments to IT networks.
While this move makes sense as remote management and wireless connectivity have been growing in popularity due to the switch to more remote working, it has brought into focus the fact that IT and OT have typically been kept separate.
Consequently, organisations and regulators have found themselves struggling to adapt to the implications of merged environments, especially at a time when critical national infrastructure has been the target of several cyber-attacks.
Last year saw a number of high-profile attacks launched against the financial, gas, food and transportation sectors in the US, for example, while in October 2021 the US Cybersecurity and Infrastructure Security Agency released Alert AA21-287 which focused attention on the country’s water and wastewater facilities and warned of “ongoing malicious cyberactivity”, such as attacks on internet-connected services and outdated operating systems and software, as well as spear phishing and ransomware attacks.
Disruptions to these kinds of systems, especially those caused by cyberattacks, can have devastating consequences.
“As a consequence, organisations have to navigate an evolving threat landscape while pushing for higher security to avoid any security gaps that could allow for unauthorised access or control,” explains Andy Norton, the European Cyber Risk Officer at Armis, which specialises in helping organisations secure managed, unmanaged, and IoT devices. “The problem therefore is, how can organisations effectively protect OT without compromising existing IT security?”
Vulnerabilities found in IT
Over the past 10 years alone, the number of weaknesses in OT has rapidly increased. Recently, to name one example, a new vulnerability was disclosed in Schneider Electric’s Modicon PLCs (programmable logic controllers). If left unpatched, threat actors would have been able to take remote control of the equipment and cause maximum damage, demonstrating that OT vulnerabilities can, in fact, lead to large-scale attacks.
“We’re seeing OT and IT converge and there’s a need to balance good governance and regulatory compliance, on one side, with transformation and opportunity on the other,” explains Norton. He continues, “OT brings an added level of complexity to the traditional mix of confidentiality, availability and integrity that have been associated with IT. With OT we’re talking about production and directors are now calling for similar levels of assurance and certainty here as they’re seeing in their IT systems.
“But to be clear, while breaches are inevitable it doesn’t mean that they can’t be addressed and managed effectively.”
That said, exploitation of an OT weakness tends to be more complicated and therefore less likely to be used as an attack vector, according to Norton. “This is because OT equipment can only be exploited in specific circumstances.”
The risks of problems surfacing in IT, however, are more common. For instance, the attack on the US Colonial Pipeline underlined how IT network weaknesses can lead to drastic consequences: in this case the launch of ransomware, which ultimately affected the billing capability in the OT network, although it was an IT vulnerability that was used to gain access.
“As such, the interconnectedness between IT and OT is generating new cybersecurity gaps and pathways that threat actors can take advantage of. This also creates several routes of infection from IT to OT, providing attackers with the perfect opportunity to take down two birds with one stone,” says Norton.
The goal has to be improved security and resilience of these systems and the better management of the complexities of critical infrastructure that can lead to unexpected or unplanned interactions among system components.
The Challenges with OT security
Gathering visibility on OT devices is a lot more complicated because these devices can’t always run a conventional security client.
“Cyber-attacks on the OT are usually via IT and there’s a lack of clarity and certainty in these cases which often leads to OT systems being shut for purely safety reasons, without any evidence that an attack on an IT system is affecting other environments,” says Norton.
He makes the point that IT and OT are very different operations. While IT can identify and close an infected device within minutes, the very nature of OT means that alternatives will need to be considered. Specific devices might not be looked at for six months, and both the ramifications of closing down production and how long it would take to re-imagine the system will need to be considered.
“When it comes to OT, production won’t be shut down if a temporary solution can be put in place,” explains Norton.
OT visibility can only be achieved by using an agentless approach, which can passively monitor network traffic without affecting production.
“There is technology available that does exactly this while also building an appropriate inventory on the devices connected to the system,” explains Norton. “Nonetheless, IT teams are not always informed of OT issues, as their involvement could lead to more internal conflict or a service outage due to their lack of speciality knowledge about OT networks,” he adds.
“By using an agentless approach, OT teams can detect malware on the OT devices, identify suspicious behaviours or surplus devices and mitigate accordingly. While this process is complicated, it is a crucial part of sufficiently protecting OT and IT environments.”
According to Norton, there is another, larger issue with OT security, namely the lack thereof.
“IT typically has a one tier security team made up of specialist SoC analysts who can review and process specific alerts around the clock. When it comes to OT, this type of security falls short, leaving IT people to deal with OT problems,” he says.
According to Norton, not only is this a complication because IT people don’t have the same type of expertise around OT issues, but it also goes against the NIST Cybersecurity Framework, which outlines the governance requirements surrounding the need for general OT security.
“IT teams are having to stretch their resources to manage both IT and OT security. Not being familiar with the specific issues, this creates a skills and cybersecurity gap, leaving OT networks exposed to outside threats,” warns Norton. “It’s both a cultural and a budget issue for most organisations.”
The approach taken by IT to solving security issues is also very different.
“When it comes to the ‘IT mindset’, automated responses are seen as the panacea, and that is a definite ‘no-no’ when you talk about OT. With IT, security is intelligence driven while with OT it’s awareness driven.
“IT needs to better understand OT and OT needs to be able to explain their management processes and few organisations are actually doing this.”
Operational technology is vital for the monitoring and control of industrial equipment and assets, meaning its protection is of the utmost importance. “The consequences of any form of compromise can be drastic, especially if threat actors continue to target vulnerable critical national infrastructure,” says Norton.
Despite OT teams not typically being involved in overall IT governance, communication between IT and OT is vital for a strong cybersecurity posture.
“There needs to be better communication, transparency and engagement – these are all barriers to better levels of security. Divisions need to simply talk to one another,” adds Norton.
However, he warns that there has to be a balance, so as not to allow OT to be consumed by IT while securing both entities separately.
Once the two teams manage to communicate efficiently and work together, organisations will be better equipped to protect themselves and face any potential operational shut-downs or loss of reputation.