OT Cyber Security
Cyber Security of IT/OT Convergence
IT and OT systems have very different security requirements and face distinct cyberthreats, which has caused IT and OT operations within an organization to be siloed. Specialized security controls, and collaboration between IT and OT security teams, are needed to ensure both kinds of systems are protected against cyberthreats. To do this, organizations require security professionals with expertise in both IT and OT security who can ensure the safety and security of critical infrastructure and processes. Following these steps for a converged IT/OT security operations center (SOC) will allow your organization to present a unified front against attacks and protect its environment holistically. These steps are also a good starting point for addressing the other problems that the siloed nature of IT and OT has created, including:
- IT and OT were never intended to be connected: IT devices and systems were developed to manage and process information using computers and software. They were designed to be connected to the internet and have been secured to protect the confidentiality, integrity, and availability of information. OT, on the other hand, was originally designed to manage and control physical devices and processes and was never intended to be connected to the internet, which is why security protection was never built into the devices. As digital transformation continues and more IT systems converge with OT devices, their interconnectivity has expanded the attack surface, giving cybercriminals new pathways into these inherently insecure OT environments.
- Legacy devices are commonplace: Amplifying the inherent insecurity of OT, many OT devices were built decades ago and typically communicate with one another via proprietary protocols that are largely incompatible with traditional IT security solutions. Because OT assets are fragile and complex, they struggle to handle the volume and type of traffic generated by traditional IT solutions. Using a traditional IT security solution on an OT asset can end in disaster, as OT systems operate in real time and cannot tolerate the latency associated with IT systems. Incompatibilities in hardware, software, and communication protocols can disrupt an OT system, with immediate and severe impact on safety, productivity, and revenue.
- Lack of device visibility and granular data: As noted above, the prevalence of legacy systems and proprietary communication protocols in OT environments makes them largely incompatible with traditional IT solutions, including those used to support asset inventory. IT security teams therefore typically struggle to build a complete inventory of OT assets, which makes it impossible to identify and assess threats and vulnerabilities. Without granular device attributes such as the exact model, firmware version, and configuration, security personnel will also find it difficult to match assets to common vulnerabilities and exposures (CVEs).
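The visibility problem above comes down to two concrete tasks: building an inventory of OT assets without actively probing fragile devices, and matching each asset's vendor, model, and firmware version against known advisories. The following is an added example, not code from the original article or from any vendor product, showing one way to do both from passively observed identity strings. Every vendor, model, firmware version, IP address, and advisory ID in it is a constructed placeholder, and the `vendor=...;model=...;fw=...` identity format is an assumption made for the example rather than any real protocol's encoding.

```python
"""Passive OT asset inventory and advisory matching (added example).

Inputs are constructed: a handful of records a passive network sensor might
emit after decoding device identity responses, plus a made-up advisory table.
No device is ever probed; the inventory is built only from traffic already
on the wire, which is the point for latency-sensitive OT networks.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    vendor: str
    model: str
    firmware: str
    protocols: set = field(default_factory=set)
    matched_advisories: list = field(default_factory=list)


# Constructed passive observations: (source IP, protocol seen, identity string).
# The identity-string format is an assumption for this example.
OBSERVATIONS = [
    ("10.10.1.5", "modbus", "vendor=ExamplePLC;model=X100;fw=2.3.1"),
    ("10.10.1.5", "s7comm", "vendor=ExamplePLC;model=X100;fw=2.3.1"),
    ("10.10.1.9", "modbus", "vendor=ExamplePLC;model=X200;fw=1.0.4"),
    ("10.10.2.3", "enip", "vendor=OtherVendor;model=RTU-7;fw=4.12.0"),
    ("10.10.2.3", "enip", "garbage"),  # malformed response: skipped, never crashes
]

# Constructed advisory table with placeholder IDs (not real CVEs).
# model=None means the advisory applies to every model from that vendor.
ADVISORIES = [
    {"id": "PLACEHOLDER-ADV-0001", "vendor": "ExamplePLC", "model": "X100", "fixed_in": "2.4.0"},
    {"id": "PLACEHOLDER-ADV-0002", "vendor": "ExamplePLC", "model": None, "fixed_in": "1.1.0"},
    {"id": "PLACEHOLDER-ADV-0003", "vendor": "OtherVendor", "model": "RTU-7", "fixed_in": "4.12.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1); non-numeric fragments compare as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_identity(text: str):
    """Parse 'k=v;k=v' identity strings; return None if required keys are missing."""
    fields = {}
    for kv in text.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key.strip()] = value.strip()
    if not {"vendor", "model", "fw"} <= fields.keys():
        return None
    return fields


def build_inventory(observations) -> dict:
    """Merge observations per IP into Asset records; track every protocol seen."""
    inventory = {}
    for ip, protocol, identity in observations:
        fields = parse_identity(identity)
        if fields is None:
            continue  # undecodable identity response: keep going, log elsewhere
        asset = inventory.get(ip)
        if asset is None:
            asset = Asset(ip, fields["vendor"], fields["model"], fields["fw"])
            inventory[ip] = asset
        asset.protocols.add(protocol)
    return inventory


def match_advisories(inventory: dict, advisories) -> dict:
    """Attach advisory IDs to assets whose firmware is older than the fixed version."""
    for asset in inventory.values():
        for adv in advisories:
            if adv["vendor"] != asset.vendor:
                continue
            if adv["model"] is not None and adv["model"] != asset.model:
                continue
            if parse_version(asset.firmware) < parse_version(adv["fixed_in"]):
                asset.matched_advisories.append(adv["id"])
    return inventory


def report(observations, advisories) -> list:
    """Return (ip, vendor, model, firmware, sorted advisory IDs) rows for review."""
    inventory = match_advisories(build_inventory(observations), advisories)
    return [
        (a.ip, a.vendor, a.model, a.firmware, sorted(a.matched_advisories))
        for a in sorted(inventory.values(), key=lambda a: a.ip)
    ]


if __name__ == "__main__":
    for row in report(OBSERVATIONS, ADVISORIES):
        print(row)
```

The version comparison deliberately treats an asset running exactly the fixed version as not affected, and the malformed record shows the failure mode a passive pipeline must absorb: one undecodable response should drop a record, not stop inventory collection for the whole segment.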
Why are IT Systems Protected Differently Than OT?
Cybersecurity poses critical concerns for both IT and OT, but there are fundamental differences in how the two are protected that require different approaches. One of the main differences is the type of asset that needs protecting in IT environments versus OT environments. As previously mentioned, IT systems are primarily used for the storage and processing of data, while OT systems control physical processes and systems. This means that IT cybersecurity is mainly focused on protecting sensitive information such as social security numbers, protected health information (PHI), or education records. The impact of a cyberattack on sensitive data can include reputational damage, theft, financial losses, or fines.
OT, on the other hand, focuses on ensuring the safety and reliability of critical infrastructure in industries such as oil and gas, chemical, electric, transportation, and manufacturing. To reiterate, unlike IT, the OT devices that provide these critical functions can have a lifespan of several decades and can be widely distributed across physical sites or plants. They also commonly use proprietary protocols that traditional security tools cannot decode, making it impossible to gain full visibility into the OT network. Because OT networks are so fragile, traditional vulnerability scanning can cause OT device failure and, in some cases, take entire plants offline. Additionally, remote access connections are commonly used by in-house support staff or third-party vendors to service OT assets. Visibility into these remote sessions is necessary for auditing, change management, and risk assessments, but traditional IT remote access solutions are not suitable for industrial environments.
The repercussions of cyberattacks on OT in critical infrastructure organizations can be far more dire, including facility shutdowns, equipment malfunctions, and even power plant explosions. These consequences affect far more than data and can have a detrimental impact on health and human safety. Connectivity is increasing rapidly, and the unintended consequences of this connectivity will only become more severe as cybercriminals grow more sophisticated in their attacks. Now is the time to establish a strong cybersecurity strategy that differentiates between the risks of IT and OT and successfully defends your organization from attacks.