Tell any IT professional that the computer running the electrical grid has not been updated in 20 years, or that the machine controlling operations in the bottling plant was last tuned up when Y2K was still being planned, and they will look at you like you are crazy. They simply will not believe you. Why? Because information technology (IT) and operational technology (OT) take opposite approaches to operations. IT is built on constant change: new features, new versions and frequent security patches. OT is about keeping physical processes running reliably, with as little change as possible. The chasm between IT and OT is wide and deep, but not for much longer.
Where It All Began
IT and OT have historically never had to intersect. IT environments have been connected to a network of some kind (LAN, intranet, the internet and beyond) for nearly 50 years, and as a result security risk has been a concern for arguably more than three decades. In IT there is an overarching business and technological need for complete visibility, security and compliance, because a single successful attack can shake customer faith and shareholder confidence and ultimately put the organization at risk.
OT environments are a different beast. Whether it is industrial controllers running a cooling tower, a blast furnace, the electrical grid or another physical process, these “old reliable” systems were kept completely disconnected from everything else by an ‘air gap’. Security and compliance were treated as non-issues because the industrial network was physically separated from the rest of the world.
Times Have Changed
‘Air gapping’ is no longer an operationally feasible solution in today’s connected world. Many pundits date the disappearance of the chasm between IT and OT to the emergence of the Internet of Things (IoT), or more precisely the Industrial Internet of Things (IIoT). Today we are more connected than ever before; even refrigerators now come with a network connection.
This global connectivity makes our lives easier. For example, Tesla pushes new software directly to the cars it manufactures. During Hurricane Irma in 2017, Tesla sent a temporary software change to cars in the affected areas that unlocked additional battery capacity so drivers could evacuate safely. Everything from pacemakers to vehicles, fitness trackers, cameras and more is now connected.
This connectivity has reached industrial environments. A concrete manufacturer found it took two days to bring its furnace up to the right temperature; what better way to monitor the progress than over a web GUI, from anywhere in the world? Better interconnection between suppliers on the electrical grid could have helped contain the great blackout of 2003, which plunged nearly the entire northeast into darkness through a cascading failure partly caused by the inability of systems, and the operators watching them, to share what they were seeing.
Industrial organizations have found practical applications for connecting devices to the internet, including cost savings, visibility and efficiency. One problem that was not fully addressed in this rapid shift is that industrial controllers opened up to the outside world have little or no defense against cyber attacks: they were designed for an isolated network, and many of their control protocols carry no authentication at all, so anything that can reach the controller can typically read from it or write to it.
The Lateral Threat
The increase in cyber incidents on ICS networks is a reality we can no longer ignore. Few would argue that the attack surface has stayed the same; it now encompasses both IT and OT. Since the two worlds are connected, an attack that starts in an IT environment can quickly move into an OT environment and vice versa. Lateral movement is a preferred technique among attackers because it lets them find one weak link, use it as a point of entry and work outward from there to compromise the rest of the network.
Harmonizing OT-IT Security
To protect this broader attack surface, many industrial organizations have started to converge their IT and OT groups. This ‘initiative’ is anything but simple; bringing together two functionally different worlds is a challenge. Collaboration, however, can help mitigate the risks and vulnerabilities that span the two infrastructures. Let’s consider what is needed to address the OT-IT security gap.
1. Monitoring. By passively monitoring network traffic and parsing proprietary as well as standardized ICS protocols (Modbus/TCP, for example), it is possible to detect early indicators of compromise (IOCs). This can be accomplished using both policy-based detection (does this traffic match what the site allows?) and anomaly detection (does it deviate from the learned baseline?), to guard against known attacks as well as unknown or zero-day attacks. Mitigating the threat before damage is done means intervening earlier in the cyber kill chain, where recovery is far cheaper.
2. Asset Inventory & Management. To protect ICS networks against cyber attacks and ensure that unwanted software doesn’t infiltrate Windows machines, organizations require real-time visibility into their asset inventory across both IT and OT environments. An outdated view that lives in a Visio diagram is simply no longer sufficient. It is essential to know the manufacturer, model, firmware version, patch level and current configuration of each and every asset in the network. This includes the automation controllers (PLCs, RTUs or DCS controllers) responsible for managing physical processes, as well as the Windows servers and workstations used by operators.
3. Vulnerability Checks. A comprehensive inventory based on automatic asset discovery is crucial for identifying the vulnerabilities that put an asset at risk and for installing the required security updates. This automated capability gives a quick and efficient status update as to which assets in the network require attention first, greatly reducing the vulnerability window. In OT the update itself often has to wait for a maintenance window, so the same list should also drive compensating controls, such as tighter network allow-lists around the affected controller, until the update can be applied.
4. Alerts. Alerts expose changes in the asset inventory (a new device on the control network, a changed firmware version) and unusual or unauthorized communication between devices (a host that has only ever read values suddenly issuing a write). Detecting such anomalies helps identify the early stages of a compromise and enables a response before it can spread within the environment.
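To make steps 1, 2 and 4 concrete, here is an added example of a small passive Modbus/TCP monitor (this is illustrative code written for this page, not a product or the article’s own tooling). It parses the public Modbus/TCP framing (MBAP header plus function code), learns an asset inventory from the traffic it sees, checks each request against a site policy, and raises alerts for policy violations, unknown hosts and malformed frames. The IP addresses, the policy and the sample frames are all constructed for the example; nothing here is a real capture.

```python
"""Passive Modbus/TCP monitor: inventory, policy check and alerts (added example)."""
import struct
from dataclasses import dataclass, field

# Public Modbus function codes. Writes change process state, so they matter most.
READ_FUNCTIONS = {1, 2, 3, 4}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Constructed site policy (hypothetical addresses): which hosts may send which
# function codes to the PLC. The engineering HMI may read and write; the
# historian is read-only. Any pair not listed here is unauthorized.
POLICY = {
    ("10.0.1.5", "10.0.2.10"): READ_FUNCTIONS | WRITE_FUNCTIONS,
    ("10.0.1.20", "10.0.2.10"): READ_FUNCTIONS,
}
# The approved asset baseline is every host the policy mentions.
BASELINE_ASSETS = {ip for pair in POLICY for ip in pair}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


@dataclass
class Asset:
    ip: str
    unit_ids: set = field(default_factory=set)        # Modbus unit IDs addressed at it
    functions_sent: set = field(default_factory=set)  # function codes it has issued


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of one request.

    Raises ValueError instead of guessing, so a truncated or non-Modbus frame
    becomes an alert rather than silently passing as known traffic.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def analyze(flows, policy=POLICY, baseline=BASELINE_ASSETS):
    """Walk (src_ip, dst_ip, payload) records; return (inventory, alerts).

    Alerts are (kind, src, dst, detail) tuples in the order they were raised.
    """
    inventory = {}
    alerts = []
    for src, dst, payload in flows:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(("MALFORMED", src, dst, str(exc)))
            continue
        # Inventory learned from traffic; a host outside the approved baseline
        # is an inventory change worth an alert on its own.
        for ip in (src, dst):
            if ip not in inventory:
                inventory[ip] = Asset(ip)
                if ip not in baseline:
                    alerts.append(("NEW_ASSET", src, dst, f"{ip} not in baseline"))
        inventory[dst].unit_ids.add(req.unit_id)
        inventory[src].functions_sent.add(req.function_code)
        # Policy check: is this (src, dst, function code) combination allowed?
        action = "write" if req.function_code in WRITE_FUNCTIONS else "read/other"
        allowed = policy.get((src, dst))
        if allowed is None:
            alerts.append(("UNAUTHORIZED_FLOW", src, dst,
                           f"no policy for this pair; fc {req.function_code} ({action})"))
        elif req.function_code not in allowed:
            alerts.append(("POLICY_VIOLATION", src, dst,
                           f"fc {req.function_code} ({action}) not permitted"))
    return inventory, alerts


# Constructed sample traffic (not a real capture): MBAP header followed by the PDU.
SAMPLE_FLOWS = [
    ("10.0.1.5",  "10.0.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),      # HMI reads 10 holding registers
    ("10.0.1.20", "10.0.2.10", bytes.fromhex("0002 0000 0006 01 04 0000 0004")),      # historian reads input registers
    ("10.0.1.5",  "10.0.2.10", bytes.fromhex("0003 0000 0006 01 06 0010 0001")),      # HMI writes one register (allowed)
    ("10.0.1.20", "10.0.2.10", bytes.fromhex("0004 0000 0006 01 05 0001 ff00")),      # historian writes a coil (violation)
    ("10.0.3.77", "10.0.2.10", bytes.fromhex("0005 0000 0009 01 10 0010 0001 02 0000")),  # unknown host, write multiple registers
    ("10.0.1.5",  "10.0.2.10", bytes.fromhex("0006 0000")),                            # truncated frame
]

if __name__ == "__main__":
    inv, found = analyze(SAMPLE_FLOWS)
    for asset in inv.values():
        print(f"asset {asset.ip}: unit_ids={sorted(asset.unit_ids)} sent_fcs={sorted(asset.functions_sent)}")
    for kind, src, dst, detail in found:
        print(f"ALERT {kind}: {src} -> {dst}: {detail}")
```

Run against the constructed flows, the monitor learns four assets and raises four alerts: the historian issuing a write, a host that is not in the baseline, the unauthorized flow from that host, and the truncated frame. In a real deployment the policy would be generated from the learned baseline during a quiet period and then reviewed by the OT engineers, and the flow records would come from a SPAN port or network tap rather than a list in memory; the monitor only ever observes, it never talks to the controllers.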
The new connectivity between IT and OT has created a clear and present cyber threat to previously isolated ICS environments. A unified security posture that spans IT and OT is the only way to protect ICS networks from the external and internal threats that are now on the doorstep.