Protecting OT and IT Networks in the Age of Convergence – InformationWeek

Over the past decade, the number of operational technology (OT) attacks and their impact on organizations has increased. As OT processes become more digitized and no longer disconnected from IT networks, Chief Information Security Officers must rethink security in the age of OT/IT convergence.

These OT devices are sometimes just hardware, such as a thermostat or pressure gauge, and sometimes hardware and software, such as a building management system, a physical access control system or a fire control system.

These devices are ubiquitous in industrial control (e.g. as SCADA devices) and are found throughout the world of critical infrastructure (e.g. chemical plants, dams, power, agriculture, wastewater, transportation).

Sammy Migues, senior scientist at Synopsys Software Integrity Group, a provider of integrated software solutions, explains that the important point is that many OT devices not only monitor, but control, large, critical, often flammable, explosive, or otherwise life-threatening equipment systems.

“Not only can you measure the temperature in a pipeline, you can also control it and maybe even damage it with a simple physical malfunction,” he says.

He notes that the world of OT was built – and intends to remain – as a separate network and system within something larger.

This means that the OT devices in a refinery, for example, were a bunch of physical things wired back to a control room that was monitored by a human.

“Previously the threat model was that a disgruntled employee with expertise needed to break into a large fenced area, then specialized manufacturing areas, then find equipment and then know what to do with it to cause damage other than vandalism,” he says. “Now any attacker without any special knowledge has an attack path from their laptop anywhere in the world to some OT devices.”

This is a problem because the devices were never built to deal with this threat model; convenience and cost have completely undermined a security model based on physical access.

Network complexity poses security challenges

Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM) solutions, adds that achieving centralized visibility and management of such a complex environment can be extremely difficult. “This limited view creates gaps that threat actors can exploit, allowing them to infiltrate the network and move between systems without being detected,” he says.

The conflicting network architecture also means that standard security measures like role-based access control (RBAC) and multi-factor authentication (MFA) are nearly impossible to implement without purpose-built tools. “These issues increase the potential for a nation-state actor to infiltrate the system and cause serious disruption,” says Carson.

From Carson’s perspective, one of the most important areas CISOs should focus on is regaining visibility and control over the network, including the disparate IT and OT systems.

“In particular, this means having precise control over access to the systems,” he says. “As with more traditional IT networks, threat actors will almost always attempt to obtain user credentials that grant them privileged access rights to the system.”

Create an IT-OT Convergence Task Force

Pan Kamal, Head of Products at BluBracket, a provider of code security solutions, says that one of the first steps a company can take is to set up an IT-OT convergence task force that records an asset inventory and then determines where IT security policies need to be applied in the OT area.

“Review industry-specific cybersecurity regulations and prioritize implementing mandatory security controls where required,” adds Kamal. “I also recommend investing in a converged dashboard – either out of the box or custom-built – that can identify vulnerabilities and threats and prioritize risks by criticality.”

Then organizations need to examine the network architecture to see if secure connections with one-way communication – for example via data diodes – can eliminate the possibility of an intruder breaking in from the corporate network and entering the OT network.

Another key element is conducting a security policy review that covers both equipment and the software supply chain, which can help identify code secrets in Git repositories and fix them before the software is ever deployed.

According to Kamal, the good news is that thanks to nearly a decade of efforts to understand and mitigate risks to OT networks, many information security standards have evolved that also include facets of OT security.

He explains that CISOs can now rely on information from industry-specific groups, which have come together to propose voluntary actions or mandatory frameworks (depending on the industry) that provide guidance on how to secure their systems.

He cites NERC CIP compliance for utilities, CFATS (Chemical Facility Anti-Terrorism Standards) and PHMSA (Pipeline and Hazardous Materials Safety Administration) regulations, as well as standards and industry bodies such as ISA99 (Control System Security), the API (American Petroleum Institute) Cybersecurity Standards and the American Chemistry Council, as examples of efforts to protect organizations from cyberattacks.

“Many CISOs in the industry are on the front lines of making these programs successful,” says Kamal.

Finally, through the Cybersecurity and Infrastructure Security Agency (CISA), the US Department of Homeland Security is responsible for managing and reducing risks to cyber and physical infrastructure.

CISA plays a role in connecting industry and government stakeholders to build cyber resilience into their systems and create playbooks on how to respond to major attacks.

“The convergence of IT-OT security requires a complete rethink of security from a defensive stance and an approach to threat identification and management,” says Kamal. “Now it’s not just security incidents that are committed for financial reasons – the disruptions caused by OT incidents could be much more disruptive and have a huge cost impact to recover from. This fact does not go unnoticed by ransomware gangs trying to exploit this fear.”
