Securing Operational Technology requires a different approach from IT security, and cybercriminals are just waiting to pounce on the unwary.
As the world scrambles to adapt to the COVID-19 pandemic, digital transformation has been fast-tracked, including the convergence of information technology (IT) and operational technology (OT) networks.
While most people are familiar with IT security, OT security is a relatively newer field. It is also the latest battleground in the world of cybersecurity.
OT includes the hardware and software for control systems in manufacturing plants, power generators, and distribution networks, and underpins any industrial environment. In the past, OT systems worked in isolation from other systems, but that is no longer the case today, especially with the accelerated push for digitalization.
Based on our recent survey of IT and OT security professionals supporting critical infrastructure in large enterprises, 71% of respondents in Singapore, for example, cited that IT and OT networks had become more interconnected since the pandemic began, higher than the global average of 67%.
A new attack surface
The convergence of IT and OT brings important benefits, from automation and data analytics in power generation plants and factories, to the ability to access and monitor industrial control systems (ICS) remotely—something especially important in a time of social distancing.
On the flip side, OT systems are now more vulnerable to cyberattacks. In the Asia Pacific region, 25% of organizations have already experienced an OT attack, according to a Cisco study. Furthermore, according to Claroty’s own Biannual ICS Risk & Vulnerability Report, more than 70% of ICS vulnerabilities disclosed in the first half of 2020 can be exploited remotely.
While IT attacks can be costly, attacks on OT systems can also mean tangible harm, as they deal with large-scale physical processes. A cyberattack on critical infrastructure has the potential to inflict more damage during the COVID-19 pandemic compared to an enterprise data breach.
In June this year, the Prime Minister of Australia announced that the country’s critical infrastructure had been under attack by a sophisticated state-based actor. In April 2020, the Israeli government had reported an attempted attack on its national water supply. The possibility of a threat actor tampering with the chemical content of a nation’s tap water speaks for itself as to why OT security is paramount.
Fundamental differences between IT and OT
As IT-OT convergence is quite recent, Operational technology security is relatively new and poorly-understood compared to IT security. One common misconception is that the methodologies and technologies that have been developed over the decades to protect IT also apply to OT.
However, OT networks have different priorities than those in IT. OT operators are more concerned about system uptime rather than data confidentiality. Downtime for patching, updating and maintenance is a luxury they cannot afford. Furthermore, unlike the standardized protocols used by IT networks, OT networks usually use proprietary protocols, which are largely unrecognizable by IT security tools and therefore completely incompatible.
While IT and OT security have similar goals in terms of risk reduction, asset and vulnerability identification, and the ability to monitor and detect threats, organizations cannot simply apply their IT security methodology to OT, due to these fundamental differences at play.
The need for purpose-built, integrated OT security
On the other end of the spectrum, cybersecurity professionals may assume that, since OT is different from IT, they need to build their OT security from scratch—with a separate governance program, a different security operations center, and creating new processes and controls for their Operational technology networks.
However, this does not scale or provide maximum risk reduction. Instead, organizations should extend their OT management to become part of their existing IT processes. OT operators will already have a security operations center (SOC) that runs technology to supply metrics and telemetry from their IT network. Therefore, they need a solution that can plug into their OT networks and provide their SOC the same measurements about outcomes, threats, and alerts. This extends the same level of visibility and reach that they have for their IT networks into their OT networks as well.
With such a unified approach, this means that the same team can manage processes and govern security policies across both OT and IT networks. To ensure that teams can effectively manage OT security, the OT network data also needs to be presented in a way that an IT security specialist can understand readily.
Furthermore, with an appropriate Operational technology security solution, it is possible to protect industrial networks without downtime, allowing organizations to safeguard their operations without hurting their business priorities.
OT security is a relatively new field compared to its IT counterpart, but its importance cannot be overstated. By understanding the security needs of OT and implementing measures specific to these requirements, organizations can safeguard their operations on all fronts.