Control systems are no longer isolated from corporate or other networks. In an interconnected operational technology (OT) and IT environment, intelligent devices in OT networks are connected to IT infrastructures to enable industrial companies to make smarter, data-driven business decisions fast. With many variations in control systems and devices, many organizations rely on network segmentation policies to maintain separation between IT and OT networks.
However, without full visibility and control of what’s leaving and entering OT networks, there's no way to protect what you can’t see. An attack that starts in an IT environment can quickly move to an OT environment and vice versa. If an ICS, SCADA system or connected devices such as valves, gauges, or switches are compromised, malicious actors could spawn destructive physical consequences to critical infrastructure and services, the environment and even human life.
According to SANS Institute’s insights on ICS security, threats are shifting. But identifying attacks remains challenging and basic security practices are not being implemented. Part of the challenge stems from the fact that OT networks are traditionally non-secure in nature. This can’t be the norm anymore and, as business leaders work to integrate their OT and IT environments, there are three key barriers for security to consider.
Non-stop Operations Running on Legacy Technologies
Despite the high-profile attacks on unpatched systems, many organizations don’t regularly apply patches or have patching policies and procedures in place for ICS. In many cases, these systems were developed years ago and are tied to older versions of Microsoft Windows. In the case of ransomware WannaCry, Microsoft issued a patch for Windows XP and other unsupported operating systems to limit the number of machines at risk from the attack. However, patching vulnerabilities is not an option in many industrial environments as these systems need to operate non-stop.
To overcome this barrier, make your OT networks visible to your security team. Start monitoring your network devices such as routers, switches and firewalls, as well as control systems servicing your environment. By having situational awareness of what's attempting to connect to the OT systems as well as what is going on within the system, your security pros can help protect the enterprise holistically. In short, even if you can’t patch Windows machines, be aware of them.
The Difference in Security Focus Between IT and OT Teams
One of the main differences between IT and OT lies in what they do. IT professionals operate in dynamic environments and are generally concerned with securing systems that house data such as financial and customer information, intellectual property, and corporate information. Much of their time is spent keeping up with the latest software and hardware technologies, patching, upgrading and replacing systems. For the OT staff, information security is less of priority; they manage the plant floor, process automation and production systems. Concerns are with safety and availability of their physical and digital assets because disruption could cause production losses. In some cases, failure of equipment could be a matter of life and death.
Ironically, the latter’s approach to security and choice to normally not implement security controls could harm system availability and performance—the very things OT staff care about most. This will have to change. With the growth of Industrial IoT (IIoT), the convergence of OT and IT teams is unavoidable. Improving an organization’s security posture depends on how effectively both sides can collaborate with each other to improve mutual understanding and increase reliability and security of critical infrastructure. The size of the IoT market and the consequences of these devices failing will require considerable attention.
Lack of Security Expertise in OT Environments
The inability to properly identify or act on risks that impact business operations is one of the primary hurdles in securing ICS. This challenge is compounded by the lack of security expertise with OT environments and increasing reliance on third-party vendors to provide SCADA/ICS infrastructure security, which grants vendors with high-level access to those systems.
Strategies focusing only on IT systems and excluding industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and IIoT assets will only perpetuate an environment of risk that outsider and insider threats will eventually exploit. The attack surface will increase along with the level of digitization so business leaders must act now. Only then will they be prepared. If an organization suffers a breach, it must be able to quickly determine when it happened, what damages were caused and whether it has been remediated.
To learn more about how you can set new strategies to align IT and OT security goals, and proactively report on compliance, read our "Cyber Security for Industrial OT, IT and IoT" white paper for insights into securing your critical infrastructures.