The collision of IT-based cybersecurity and operational technology security presents a number of challenges, least of all integrating a variety of new and unusual systems into an enlarged technology estate and increased risk factors for cybersecurity vulnerability.
The majority of cybersecurity professionals are used to working with IT systems – laptops, tablets, servers, routers, switches, firewalls, Windows, MacOS or Linux operating systems, and so on. As time marches on, though, the need to secure Operational Technology – OT – is growing rapidly, which can be a problem because OT is completely new to many of us. OT refers to devices that are not IT systems in their own right, but which are increasingly being connected into the same networks as our IT kit – fire control systems, heating equipment, factory production lines, conveyors in mines, power generators, the list goes on.
If OT is being connected to the corporate network, we need to secure it – as anyone who has read about a casino being hacked via the thermometer in its fish tank will appreciate. Much has been written on the subject of how to secure OT, but at the same time as doing that we need to consider how OT and IT can be brought closer together? Surely, after all, managing one integrated estate of technology is preferable to having two separate worlds to secure?
OT Security Essentials for IT
Let us start with the easy element: the physical aspects. This is easy because the vast majority of OT these days has either Ethernet or Wi-Fi capabilities, or both. Only a couple of dozen years ago this was often not the case. If you were lucky there was an RS-232 serial connector (bear in mind that even USB wasn’t launched until 1995) so you could at least connect a system to a PC, and if you were unlucky the connector was proprietary and, only if you were very lucky, you could improvise some mechanism for transferring data from the OT device onto the network. Technology has, thankfully, moved on and today there is a good chance that your OT system’s management module can easily connect to the network, obtain an IP address via DHCP and be available to control and interrogate.
Next, we have the software element. Again, back in the day everything was entirely proprietary – an application that ran on a PC and interfaced to the OT system. The internet, and to an even greater extent the World Wide Web, were considered bleeding-edge technology in the 1990s, and it would be many years until people started to think: hey, we could manage this thing via a web browser instead of having to write custom Windows applications to do so. Progress in this respect has not been as huge as the tendency of the physical connectivity toward Ethernet and Wi-Fi, but it has nonetheless been significant and even when there is a proprietary application for managing an OT device there’s often a browser interface on offer alongside it. Even better, APIs are now very much a thing and so you can use your own tools to push and pull commands and data.
This all sounds very promising, but there are two areas where convergence has happened much less – and in which it may well not be possible to make much more progress, at least in the short term.
OT Security Ownership
The first of these is probably best referred to as the “organizational element”. OT is, by name and by definition, not part of the IT world – it is technology that’s used, managed and maintained by other teams which just happens to have a tiny amount of IT (the management module) hooked into the IT infrastructure. Also, many OT systems – conveyors, pumps, plant equipment and the like – have the potential to cause harm if something goes wrong or they are treated incorrectly. It is often not practical, therefore, for the IT team to manage even the small IT element of an OT system – at least not on their own. It is therefore generally necessary either for the OT team to have staff with IT training or, more often, for the two support teams to work together whenever changes need to be made or upgrades run. And there’s a side benefit to this collaboration, incidentally: if the OT and IT teams have a close, strong relationship then the IT teams can advise their OT colleagues and work with them to ensure that any new kit being purchased considers its suitability in an IT sense as part of the requirements gathering exercise.
The second, trickier area that blocks convergence relates back to the software aspects mentioned earlier: although management modules can probably do basic IP networking, there is a large chance that this is just about as integrated as they can get with the IT infrastructure. Even if an OT system’s management unit is based on a generally available operating system such as Windows or Linux, it is common that they cannot (for example) be enrolled into the corporate Active Directory – and even if they can, vendors may well advise against having them configured into the organizational patching application. Worse, it may also not be possible to add some of your other tools such as anti-malware, endpoint detection and response (EDR), or the agent for the vulnerability scanner (and anyhow, even if you could scan for vulnerabilities the vendor may not allow you to make changes to fix them in case it breaks the functionality). Inevitably, then, there may be a need to augment security in other ways (for example additional firewalls or access control lists on routers), or use different tools, on the OT systems – which will have a cost implication and potentially a training need.
OT – A Changing Landscape
The convergence of OT and IT is, then, light years ahead of where we were 20 or 25 years ago. Concepts like IP networking and browser-based management interfaces, which would have been inconceivable back then, are now largely an automatic inclusion and API support is similarly widespread. But be prepared to have to work hard and diligently at the security elements – defending the OT’s connection into the network and keeping patch levels up to date – because there is still a way to go.
Because all things said and done, OT just isn’t IT.
- Read more on OT Security Challenges
- ISC2 Security Operations Skill-Builders include courses on OT, including Cybersecurity in Industrial Control Systems
- ISC2 Zero Trust courses provide learning options for implementing Zero Trust as a way to protect OT and IT systems