Malware attacks like WannaCry, NotPetya and Industroyer have exposed the weaknesses of OT systems in recent years. What’s especially worrying is just how quickly and easily the infections spread across systems, devices, and borders without the right measures in place. Even if you weren’t specifically affected by the malware, the rise in cyberattacks targeted at OT environments should be cause for concern.
You might think that you’re already spending a small fortune on IT security, so you’re protected from attacks like these. Unfortunately, if your IT and OT system teams aren’t aligned, then you’re very much on the Titanic.
And there’s an iceberg on the horizon.
The Differences Between IT and OT Systems Security (and Why Convergence is Important)
IT
Anyone who’s worked as part of an information technology security team will know how relentless their work can be. It’s their responsibility to identify new threats, determine a solution and then implement it before the network can be accessed maliciously.
It’s a non-stop Tom and Jerry-esque battle between themselves and hackers.
Attackers find new exploits in operating systems to seize valuable information while the IT team rolls out patches and updates malware signatures. This task is a whole lot easier with next generation detection programs like Cylance or via deep packet network inspection tools.
These patches are managed and released regularly, often on an hourly, weekly, and monthly basis. It’s up to the IT team to have their ears to the ground so they’re aware of the vulnerabilities that may be exploited (while simultaneously providing end user training to reduce the risk of insider threat).
They share information with the wider IT security community, act upon threat intelligence feeds and do their best to implement fixes to the vulnerabilities that hackers uncover.
A poorly designed IT network can make their task even more difficult because of the vast number of access points that hackers could exploit.
The more the organisation’s network grows, the more entry points they must worry about alongside the other daily worries of remote access software, users connecting unknown devices and more.
There are a lot of moving parts for the IT team to think about - IT is dynamic whereas OT is deterministic - which is why a robust network and effective resources are essential.
OT
One of the key differences between the OT environments and IT systems is the number of gateways to deal with. Because OT systems are designed to act in a particular way, they’re more rigid and predictable than their IT counterparts.
This means there are fewer points of entry for cyberattacks or anyone with malicious intent. It’s a little easier to keep track of everything because we’re more certain of where an attack might try to gain access.
It may be widespread practice for OT systems to go without updates because of a business decision. This might be because the maintenance window is too short, or downtime isn’t available, or the business wants to keep hold of a good configuration. Consideration is also needed before the introduction of IIoT (Industrial Internet of Things) to establish both exposure and risk appetite.
The systems that fall under the OT umbrella control critical infrastructure. They’re expected to always run perfectly - no delays or unplanned downtime, only limited maintenance windows.
This means that in some instances, security measures aren’t introduced because it would mean halting production or could mean the loss of real-time data.
As a result, an increasing number of the HMIs that are currently in use operate outdated and unpatched software which may have limited security controls in place.
Any one of them could introduce well-known vulnerabilities to your OT network. Crucially, the IT side of things isn’t aware that these legacy machines are part of the wider network.
This is usually because they’re working independently of the OT team and they don’t often venture out onto the plant floor, or don't have visibility of assets from the Security Operations Centre.
Why IT and OT Convergence is Important for Security
It’s thought that around half of UK businesses have vulnerable OT cybersecurity systems. Meanwhile, OT threats are on the rise and are more common than ever before.
The rise of connected IoT devices has left many organisations with more devices to manage on their networks. It’s difficult to manage these growing environments and this makes a hacker’s life a whole lot easier.
To combat these threats and protect your business, it’s crucial that IT is kept in the loop with all things security, allowing them to effectively monitor and control all devices.
Any OT device or system connected to networks that have a lower trust level needs to be effectively protected with measures as robust as those on the IT side.
Security should be a priority for all aspects of the business, with a higher focus on critical assets, network gateways and especially safety systems.
Working within an established framework allows you to identify what good working practice looks like. If the IT team isn't working within these frameworks, then the OT side shouldn’t follow suit. These frameworks are well established and regularly updated to match industry changes in thought and approach.
Consider anything that OT has been issued with to improve productivity and reduce downtime. Are they secure? Are those operating the systems as aware as their IT counterparts about the IT risks that may affect OT systems?
Over 70% of respondents to our recent survey stated that a lack of cybersecurity skills is the main inhibitor when it comes to deploying Industrial IoT and cloud technologies within the OT sphere.
For your business to be protected, it’s vital that everyone receives the training necessary to implement modern technologies while still ensuring they meet strict security criteria. Staff need to understand what they’re protecting and what their exposure is.
Plus, using security frameworks allows them to identify how to achieve a satisfactory level of cyber hygiene.
Today’s OT cybersecurity solutions rely heavily on IT infrastructure, increasing the overlap of skills needed for managing the two and further showing just how important it is that IT is involved, or the skills gap is closed within OT.
Aligning IT and OT
Convergence is a crucial yet complicated process.
It can’t happen overnight and for it to be a success, there must be transparency and collaboration. For everything you need to know about IT and OT convergence, download our free handbook today. It’s filled with some of the challenges you might encounter and some best practices to follow.