In recent years, there has been a great debate between information technology (IT) and operational technology (OT) departments about operational security. Each department has different priorities when it comes to operations and security, and meeting in the middle often doesn’t yield the best results. Breaches that cross from IT into OT hit manufacturing and other industries where system availability matters most, and they have contributed to a growing count of vulnerabilities reported in industrial control systems (ICS) and to significant losses.
Because OT security is too often sacrificed to some degree in order to keep the operation running, further dialogue and organizational changes are needed to build an adequate, practical security posture as the industrial Internet of Things (IIoT) grows.
An Evolving Mindset
When system availability is the top concern, there is almost no motivation to upgrade the operating system (OS). In most cases, OT departments are aware of the need for cybersecurity; they simply give higher priority to protecting and using their legacy assets until the very end of their lifecycles.
However, we’re starting to see an evolution. Endpoint security software on OT equipment is becoming the norm among top-tier manufacturers because it dramatically reduces the threat from commodity malware.
Although the mindset in OT is changing, that doesn’t mean OT and IT now share one approach. On the plant floor, the overriding goal is to eliminate any noise during operations. Malware is noise, but so is the process of finding malware if that process is too complex. So, though OT departments want to upgrade their devices to include intelligent and advanced manufacturing features, most devices stay physically disconnected, or “air-gapped,” because of the high cost of cybersecurity in both staff time and dollars. When vendors advocate smart manufacturing on Microsoft Azure, for example, it is a real deterrent that the assets to be connected may still run Windows XP or another OS that Microsoft stopped supporting years ago.
Proven Approaches
To ensure that smart manufacturing is secure, OT and IT must share the same vision of a forward-looking methodology for cybersecurity, using approaches that work on both sides:
- Relying Less on Air-Gapping — Air-gapping is proven in terms of security, but it runs counter to the smart manufacturing vision that most technology giants are proposing because inbound and outbound traffic alike are blocked. Actionable business intelligence is based on constant flows of a great amount of data, and the results rely on dynamic responses. Protection is achieved, but communication is sacrificed, making air-gapping a less appealing option for protecting OT assets. In practice, air gaps are also weaker than they look: removable media and vendor laptops bridge them routinely, so an air gap is not a substitute for monitoring. Eventually, as more applications are adopted, there will be a paradigm shift, and cloud-based implementations of OT cybersecurity will most likely become a major part of the process.
- Covering Every Device — There is also a hierarchy of needs in OT that must be respected and accounted for in any workable approach to cybersecurity: first, the smooth running of the operation; then a secured environment; and finally, upgrading to a smart environment. Fundamentally, every asset must be protected from at least one angle at every stage of its lifecycle — onboarding, staging, production and maintenance. Multilayered protection is the general guideline. A mixture of agent-based and agentless implementations, plus hardware-based network security protection, should be applied to cover every single device in the OT space, because a single unprotected device becomes the weak point of the whole ecosystem. It’s mission critical to protect current assets the way they are. Therefore, for example, finding a Windows XP-compatible solution (or a network-level compensating control in front of the host) instead of forcing an OS upgrade is very important.
- Establishing Security Visibility Across OT/IT — There was a time when attackers didn’t distinguish between OT and IT. They simply used whatever tools they had to maximize their success rate. They do distinguish now, having profited by millions of dollars from collateral damage that spread from IT into OT. Undoubtedly, they will seek out more OT-specific techniques, such as manipulation of ICS protocols. As of today, most general-purpose security services are designed for IT and work less well for OT. That needs to change. For example, endpoint detection and response (EDR), paired with monitoring of the ICS protocols actually in use on the network, can cover the entire site, provided the event logs stay manageable and false alerts stay rare; otherwise the monitoring itself becomes the noise OT wants to avoid.
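To make “monitoring OT protocols” concrete, here is an added example (not code from the article or from any vendor it mentions) of the kind of check a site-wide monitor runs over Modbus/TCP traffic: it parses the MBAP header and function code, and raises an alert when a write function (which changes PLC state) comes from a host that is not an authorized writer, or when a frame does not parse at all. The IP addresses, the allowlist and the sample frames are constructed for illustration.

```python
"""Flag Modbus/TCP write requests from hosts not authorized to change PLC
state, plus frames that do not parse.  Added example with constructed
traffic; the hosts and allowlist below are assumptions for illustration."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change PLC state (coils and holding registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


@dataclass
class Alert:
    kind: str     # "unauthorized_write" or "malformed"
    src: str
    dst: str
    detail: str


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The MBAP length field counts the unit id plus the PDU, i.e. every byte
    # after the first six; a mismatch means a truncated or crafted frame.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} but {len(frame) - 6} bytes follow")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the starting address (and count, for multi-writes) of a write."""
    name = WRITE_FUNCTIONS[req.function_code]
    if len(req.data) < 2:
        return f"{name} with truncated data"
    addr = struct.unpack(">H", req.data[:2])[0]
    if req.function_code in (0x0F, 0x10) and len(req.data) >= 4:
        qty = struct.unpack(">H", req.data[2:4])[0]
        return f"{name} at {addr} count {qty}"
    return f"{name} at {addr}"


def inspect(src: str, dst: str, frame: bytes, allowed_writers: Set[str]) -> Optional[Alert]:
    """Return an Alert for an unauthorized write or an unparseable frame, else None."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return Alert("malformed", src, dst, str(err))
    if req.function_code in WRITE_FUNCTIONS and src not in allowed_writers:
        return Alert("unauthorized_write", src, dst,
                     f"unit {req.unit_id}: {describe_write(req)}")
    return None


def detect(traffic: List[Tuple[str, str, bytes]], allowed_writers: Set[str]) -> List[Alert]:
    """Run inspect() over (src, dst, frame) tuples and collect the alerts."""
    alerts = []
    for src, dst, frame in traffic:
        alert = inspect(src, dst, frame, allowed_writers)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Assumed site layout: PLC, HMI and engineering workstation on the OT VLAN,
# plus a corporate IT host that should never write to the PLC.
PLC, HMI, EWS, IT_HOST = "10.0.5.10", "10.0.5.20", "10.0.5.21", "10.0.1.77"
ALLOWED_WRITERS = {HMI, EWS}

# Constructed frames: MBAP header (tid, proto, length, unit) then the PDU.
SAMPLE_TRAFFIC = [
    (HMI, PLC, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),                  # read 10 registers
    (EWS, PLC, bytes.fromhex("0002 0000 000b 01 10 0000 0002 04 0001 0002")),     # authorized write
    (IT_HOST, PLC, bytes.fromhex("0003 0000 0006 01 06 0010 1234")),              # write from IT host
    (IT_HOST, PLC, bytes.fromhex("0004 0000 0006 01 03 0000 000a ff")),           # length field lies
]

if __name__ == "__main__":
    for a in detect(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(f"{a.kind}: {a.src} -> {a.dst}: {a.detail}")
```

The allowlist is the point: on most plant networks the set of hosts that legitimately write to a given PLC is small and stable, so a write from anywhere else is a high-signal event with a low false-positive rate, which is exactly the property OT needs before it will tolerate monitoring at all. Reads are deliberately left alone here; alerting on every poll from an HMI would be the kind of noise the article warns against.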
Shared Security Mindset
Given the differing priorities between IT and OT departments when it comes to operational security, the success of OT/IT convergence depends on communication, collaboration and taking action with proven approaches. If it doesn’t happen organically, organizational changes may be necessary to achieve a shared security mindset to prevent financial (and other) losses. Sacrificing OT security was more acceptable in the past for the sake of availability, but as equipment evolves with the Industry 4.0 movement and becomes more connected, it should no longer be considered an option.