The past decade has seen an increase in the number of operational technology (OT) attacks and their impact on organizations. As OT processes become more digitized and are no longer air-gapped from IT networks, chief information security officers need to rethink security in an age of OT/IT convergence.
These OT devices are sometimes just hardware, such as a thermostat or pressure gauge, and sometimes hardware and software, such as a building management system, physical access control system, or fire control system.
These devices are ubiquitous in industrial control (e.g., as a SCADA device) but are found throughout the world of critical infrastructure components (e.g., chemical, dams, energy, agriculture, wastewater, transportation).
Sammy Migues, principal scientist at Synopsys Software Integrity Group, a provider of integrated software solutions, explains that the important point is that many OT devices not only monitor but also have control over big, important, often flammable, explosive, or otherwise life-affecting systems.
“Not only can they detect the temperature in a pipeline, but they also control it, and perhaps through a simple physical malfunction even damage it,” he says.
He notes the world of OT was built as — and meant to remain as — a separate network and system within something larger.
That means the OT devices at a refinery, for example, were a bunch of physical things that had wiring running back to a control room monitored by a human.
“The threat model used to be that an angry employee with specialized knowledge had to break into a large fenced-in area, then specialized production areas, then find devices, and then know what to do with them to accomplish any damage other than vandalism,” he says. “Now, any attacker anywhere with no specialized knowledge whatsoever has an attack path from their laptop anywhere in the world to some OT devices.”
That’s a problem, because the devices were never built to handle that threat model; expedience and cost have completely undermined a security model built on physical access.
Network Complexity Poses Security Challenges
Joseph Carson, chief security scientist and Advisory CISO at Delinea, a provider of privileged access management (PAM) solutions, adds that gaining centralized visibility and management of such a complex environment can be extremely challenging. “This limited view creates gaps that can be exploited by threat actors, enabling them to infiltrate the network and move between systems without being detected,” he says.
The conflicting network architecture also means that standard security measures such as role-based access control (RBAC) and multi-factor authentication (MFA) are close to impossible to implement without purpose-built tools. “These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,” Carson says.
From Carson’s perspective, one of the most vital areas for CISOs to focus on is regaining visibility and control of the network, including the disparate IT and OT systems.
“In particular, this means having a firm command of how systems are accessed,” he says. “As with more traditional IT networks, threat actors will almost always seek to acquire user credentials that will grant them privileged access rights to the system.”
Creating an IT-OT Convergence Task Force
Pan Kamal, head of products at BluBracket, a provider of code security solutions, says one of the first steps an organization can take is to create an IT-OT convergence task force that maps out the asset inventory and then determines where IT security policy needs to be applied within the OT domain.
“Review industry-specific cybersecurity regulations and prioritize implementation of mandatory security controls where called for,” Kamal adds. “I also recommend investing in a converged dashboard — either off the shelf or create a custom dashboard that can identify vulnerabilities and threats and prioritize risk by criticality.”
Then, organizations must examine the network architecture to see if secure connections with one-way communications — via data diodes, for example — can eliminate the possibility of an intruder coming in from the corporate network and pivoting to the OT network.
Another key element is conducting a review of security policies related to both the equipment and the software supply chain, which can help identify secrets in code present in git repositories and help remediate them prior to the software ever being deployed.
Kamal says the good news is that thanks to almost a decade of effort in understanding and mitigating risks to OT networks, many information security standards have evolved that include facets of OT security as well.
He explains that CISOs can now rely on information from industry-specific groups that have come together to propose voluntary measures, or mandated frameworks (depending on the industry), that provide guidance on securing their systems.
He points to NERC CIP compliance for utilities, CFATS (Chemical Facility Anti-Terrorism Standards), and PHMSA (Pipeline and Hazardous Materials Safety Administration), as well as industry bodies and standards like ISA99 (control system security), the API (American Petroleum Institute) Cybersecurity Standards, and the American Chemistry Council, as examples of programs and bodies striving to protect organizations from cyberattacks.
“Many industry CISOs are involved front and center in making these programs successful,” Kamal says.
Finally, the US Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), is responsible for managing and reducing risk to cyber and physical infrastructure.
CISA plays a role in connecting stakeholders in industry and government to build cyber resilience into their systems and in creating playbooks on how to respond to severe attacks.
“IT-OT security convergence requires a complete re-thinking of security from a defensive posture as well as from an approach of identifying and managing threats,” Kamal says. “Now, it isn’t just security incidents perpetrated for financial reasons — the disruptions from OT incidents could be way more disruptive and have huge cost implications in recovery. This fact is not lost on ransomware gangs who seek to exploit this fear.”