Security Teams Need to Be Able to Identify and Track Threats That Cross the IT/OT Boundary
The COVID crisis accelerated the convergence of IT and operational technology (OT) networks. Even enterprises in industries that depend on physical processes – such as manufacturing, food and beverage, pharmaceuticals, oil and gas, and electric utilities – enabled at least part of their OT staff to work from home. Nearly overnight, employees who previously worked on the shop floor could make changes to production lines and manufacturing processes from their home offices. Organizations that were able to pivot faster to address a new, distributed model succeeded in continuing operations and gained competitive advantage. Some have even stated company performance has improved. Mindsets have shifted at many companies and now there is no turning back.
However, this accelerated convergence has also exposed security gaps. A few months ago, the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert stating, “We are in a state of heightened tensions and additional risk and exposure.” The broad warning of an imminent and serious threat across all 16 critical infrastructure sectors included lengthy, detailed sets of recommendations for protecting OT environments which, taken together, encourage a holistic approach aimed at risk reduction across the entire enterprise.
Industrial enterprises and critical infrastructure companies need core security controls that span the whole enterprise, as exposure and attack vectors can come from any attack surface.
Until recently, OT and IT networks were managed differently because of their different characteristics. IT teams typically prioritize confidentiality of data over integrity and availability, whereas the teams that run OT networks prioritize availability (or uptime) over integrity and confidentiality. What’s more, organizations tend to think of these as separate networks, but it has become abundantly clear that adversaries don’t see things this way. To them, a network is a network, so attacks are intertwined. Threats, such as ransomware, have clear pathways across the IT/OT boundary.
So, while it’s true these networks are different and require different security approaches, the goal is the same – risk reduction. Defenders must be able to monitor for threats and detect the different steps in the attack kill chain – along these pathways across the IT/OT boundary, and anywhere on these networks. Solutions that provide this cross-domain visibility, while respecting differences, are what’s needed for truly effective risk reduction.
Proactively managing risk comes down to being able to examine risk from different, complementary perspectives and determine how to address it. Combining those perspectives provides valuable context and a more comprehensive picture of the security posture of the modern OT environment. Two of those key perspectives are asset risk posture and network traffic information. Understanding asset risk posture begins with visibility into industrial control system (ICS) networks and endpoints, with complete IT and OT asset information in one centralized system that both IT and OT teams can access, without the need for added connectivity. IT-oriented ICS assets, such as human-machine interfaces (HMIs), historians, and engineering workstations (EWs), can be enriched with information about IT threats and vulnerabilities to strengthen security posture proactively, without risk to productivity or downtime.
The network traffic perspective is equally vital to defending the enterprise effectively. Security teams need to be able to identify and track threats that cross the IT/OT boundary, which means having IT/OT threat signatures available for the ICS networks as well. Attacks very commonly start in IT networks and find their way into OT networks, so the ability to track and identify those steps is critical, especially in manufacturing, a sector where ransomware has been deployed widely in the last year and can become the most expensive type of malware attack to mitigate. A technology solution that secures the converged IT/OT enterprise, without the need for signature reconfiguration or manual updates, accelerates detection and response.
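As an added illustration of the two perspectives above (a unified IT/OT asset inventory plus network traffic with signature hits), the following example, which is not from the article or any vendor product, joins constructed flow records against a constructed asset inventory, flags flows that cross the IT/OT boundary, and follows an IT-side signature hit hop by hop so the step where activity entered the OT zone is visible. The inventory schema, zone labels and flow tuple layout are assumptions for the example.

```python
from typing import Dict, List, Tuple

# Constructed unified IT/OT asset inventory keyed by IP (assumed schema, not a real product's).
ASSETS: Dict[str, dict] = {
    "10.1.0.15": {"name": "finance-laptop-07", "zone": "IT", "role": "workstation"},
    "10.1.0.40": {"name": "file-srv-02", "zone": "IT", "role": "file server"},
    "10.2.0.5": {"name": "ew-line1", "zone": "OT", "role": "engineering workstation"},
    "10.2.0.9": {"name": "hmi-line1", "zone": "OT", "role": "HMI"},
    "10.2.0.20": {"name": "plc-line1", "zone": "OT", "role": "PLC"},
}

# Constructed flow records: (time, src_ip, dst_ip, dst_port, signature tag or "" if none fired).
Flow = Tuple[int, str, str, int, str]
FLOWS: List[Flow] = [
    (100, "10.1.0.15", "10.1.0.40", 445, "smb-lateral-movement"),  # IT -> IT, signature fired
    (160, "10.1.0.40", "10.2.0.5", 3389, ""),                       # IT -> OT, no signature
    (200, "10.2.0.5", "10.2.0.9", 445, "ransomware-encryptor"),     # OT -> OT, signature fired
    (240, "10.2.0.9", "10.2.0.20", 502, ""),                        # OT -> OT, routine Modbus
    (250, "10.1.0.15", "10.1.0.40", 445, ""),                       # repeat of an earlier hop
]

def zone(ip: str) -> str:
    return ASSETS.get(ip, {}).get("zone", "unknown")

def boundary_crossings(flows: List[Flow]) -> List[Flow]:
    """Every flow whose endpoints sit in different zones; these are the pathways to watch."""
    return [f for f in flows if zone(f[1]) != zone(f[2])]

def track_from_it_alerts(flows: List[Flow]) -> List[dict]:
    """Seed on flows where an IT-side signature fired, then follow later flows hop by hop:
    a flow joins the chain if its source is a host already reached, so the output is the
    ordered path the activity took, including the step where it crossed into OT."""
    ordered = sorted(flows, key=lambda f: f[0])
    reached = {f[1] for f in ordered if f[4] and zone(f[1]) == "IT"}
    chain, seen = [], set()
    for t, src, dst, port, tag in ordered:
        if src in reached and (src, dst, port) not in seen:
            chain.append({"t": t, "src": src, "dst": dst, "port": port, "tag": tag,
                          "hop": f"{zone(src)}->{zone(dst)}"})
            seen.add((src, dst, port))
            reached.add(dst)
    return chain

def first_it_to_ot_hop(chain: List[dict]):
    """Index of the first IT->OT step in a tracked chain, or None if it never crossed."""
    return next((i for i, h in enumerate(chain) if h["hop"] == "IT->OT"), None)

if __name__ == "__main__":
    for hop in track_from_it_alerts(FLOWS):
        print(hop["t"], hop["hop"], hop["src"], "->", hop["dst"], hop["tag"] or "-")
```

With the constructed data the chain has four hops and the IT->OT crossing is the second one, from the IT file server to the engineering workstation over port 3389, a flow that fired no signature on its own and would be missed without the asset-zone context.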
A converged IT/OT environment requires a converged approach to IT/OT security, whereby IT and OT teams can work together for more effective and efficient security governance and strengthened security posture spanning all connected sites. This has always been the ultimate goal, now brought forward due to world circumstances. And with growing appreciation among organizations for what is possible when IT and OT networks converge and the positive impact on the bottom line, the timing to realize this goal couldn’t be better.