Introduction
In the world of computer-controlled operations, there’s a traditional divide between IT and OT. But with the advent of IIoT, these different forms of tech become more and more co-dependent.
If the above makes sense to you, please feel free to skip the next section. If all the acronyms make your head spin, please do continue reading below.
Allow me to explain.
IT, Information Technology, is the use of digital systems to generate, store, retrieve and control data and information. IT includes devices you likely use every day, such as your laptop or smartphone.
OT, or Operational Technology, is about automating physical processes. These are the circuit boards and control systems that, for example, direct energy & water supply systems or train track switches.
IIoT stands for Industrial Internet of Things. It is the collective term for all kinds of devices that collect data and connect through the internet to measure and automate processes. Think about all kinds of sensors that we use to measure and control things.
New developments in technology have been blurring the lines between these concepts. This is especially useful in both remote monitoring and process automation. IIoT sensors in the OT system notify the IT systems that action is needed, and the IT systems pass that information on to either another automated system or the supervisor responsible. I hope that sentence made some sense to you now.
A difference in priorities
IT and OT systems have different approaches when it comes to security. Since IT systems contain and process a lot of data, securing that data is the biggest priority. Suppose you can’t answer your email for an afternoon because your network is down. If this saves your company from a possible data breach scandal, that’s worth it. We’re used to strong data protection, and it is for this reason that most account-based services require (or at least strongly suggest) the use of two-factor authentication.
The priorities are different for OT systems. These are often used in critical processes such as energy distribution and water purification: processes that have to prioritise keeping everything running over keeping it secure. You can’t just shut down an entire region’s power supply for an afternoon on the mere suspicion of a cyber-attack. You’d have to be one-hundred percent sure it is happening, and you’d need a back-up power supply. This is why OT security requires a different approach than the security for IT devices.
Traditionally, OT systems have been ‘air gapped’ from the other networks in a company. ‘Air gapping’ is the security practice of isolating a machine or network. It prevents any remote connection by simply not connecting the device to any other network, especially one with internet access. Because of this, there is little chance of outside tampering with the device: you’d have to be physically in the room to interact with the machine. This also means that many OT environments rely on physical measures like walls, fences and locks to keep out people who shouldn’t be there.
So what’s the problem?
The problem is what we call “IT/OT Convergence”: the merging of OT’s functionality with IT’s convenience and data processing. This has many advantages, such as predictive maintenance & control and advanced process automation. But it opens up a whole new world of security risks.
If you put sensors on your OT equipment to measure and control, these sensors must process their information somewhere. This usually requires connecting the sensor to the larger company network. So much for air gapping… It means that OT security is moving from physical security to digital security.
Now, a little bit about why OT security is so important, even more so than IT security.
We can all bring to mind examples of serious IT security breach headlines from the recent past. Imagine those hackers could not only leak data, but take control of energy and water supplies. In fact: this has already happened.
Earlier this year a water treatment facility in Oldsmar, Florida in the United States was breached and the hacker greatly increased the concentration of certain particles to lethal levels. Another example of an attack on OT systems is the Colonial Pipeline hack. Through a compromised password, a malicious actor gained access to the IT systems and launched a ransomware attack. In response, the pipeline had to be shut down to prevent any further damage from the attack. This resulted in fuel shortages and a spike in fuel prices.
While data breaches can have far-reaching consequences, they rarely cause direct, physical harm. Attacks on OT systems have far more potential to cause damage in the physical world, both short- and long-term. The combination of OT with IT and sensors brings new and unprecedented security concerns.
What measures can we take?
We’re dealing with environments where different priorities are at play, so some form of trade-off is unavoidable. But there are a couple of proven strategies that help keep out unwanted guests.
Asset Management
If you want to protect your IT/OT environment well, you’ll first need a comprehensive overview of exactly what it is you’re protecting. That’s where asset management comes in. Asset management is a method for keeping track of your asset lifecycles. Asset management allows you to keep a tight inventory and maintenance schedule. That way, you’ll know exactly what machinery you have, where it is and when you need to update, patch or revise it.
Zero Trust Policy
As the name implies, Zero Trust is a security measure that assumes that nobody is trustworthy. Not even anyone already connected to the network. In the past, once you connected to a network, that network would assume that you had good reason to be there. Since cybercriminals have become more sophisticated in their methods, this is no longer a safe assumption. Protecting the perimeter of your network is no longer enough. You need tools to verify activity within your network.
Network Segmentation
Network Segmentation is the practice of separating parts of a network by function. By walling off smaller chunks of your network, you create sections within it. This makes it harder for an attacker to move through the network after an initial breach. Combined with Zero Trust policies, Network Segmentation stops attackers from going wherever they please. Causing damage or extracting information won’t be as easy.
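As an added illustration (not from the original post) of what asset management and network segmentation give you in practice: a small Python audit over a constructed asset inventory and a constructed set of firewall allow-rules. It flags assets whose patch date has passed, flows that jump straight from IT into OT without passing through the DMZ, and flows that involve assets missing from the inventory. Zone names, asset names, dates and ports are all constructed assumptions.

```python
from datetime import date

# Constructed IT/OT site: three zones ordered from least to most critical.
# Traffic should only cross one zone boundary at a time (IT -> DMZ -> OT).
ZONE_RANK = {"it": 0, "dmz": 1, "ot": 2}

# Constructed asset inventory (names and dates are hypothetical).
ASSETS = [
    {"name": "ws-finance", "zone": "it", "patch_due": date(2021, 12, 1)},
    {"name": "historian", "zone": "dmz", "patch_due": date(2021, 9, 1)},
    {"name": "hmi-01", "zone": "ot", "patch_due": date(2021, 3, 1)},
    {"name": "plc-02", "zone": "ot", "patch_due": date(2022, 1, 15)},
]

# Constructed firewall allow-rules: (source asset, destination asset, port).
FLOWS = [
    ("ws-finance", "historian", 443),  # IT -> DMZ: one hop, fine
    ("historian", "hmi-01", 502),      # DMZ -> OT: one hop, fine
    ("ws-finance", "plc-02", 502),     # IT -> OT directly, skipping the DMZ
    ("vendor-laptop", "plc-02", 22),   # source is not in the inventory
]


def overdue_assets(assets, today):
    """Asset management: inventory entries whose patch date has passed."""
    return sorted(a["name"] for a in assets if a["patch_due"] < today)


def segmentation_findings(assets, flows):
    """Network segmentation: flows that skip a zone, plus flows touching
    assets the inventory does not know about (you cannot segment what
    you have not inventoried)."""
    zone_of = {a["name"]: a["zone"] for a in assets}
    skipped_zone, unknown_asset = [], []
    for src, dst, port in flows:
        if src not in zone_of or dst not in zone_of:
            unknown_asset.append((src, dst, port))
            continue
        hop = ZONE_RANK[zone_of[dst]] - ZONE_RANK[zone_of[src]]
        if hop > 1:  # jumped straight from IT into OT
            skipped_zone.append((src, dst, port))
    return {"skipped_zone": skipped_zone, "unknown_asset": unknown_asset}


if __name__ == "__main__":
    print("overdue:", overdue_assets(ASSETS, date(2021, 10, 1)))
    print("segmentation:", segmentation_findings(ASSETS, FLOWS))
```

In a real site the inventory and rule set would come from the asset register and the firewall export rather than being typed inline; the checks stay the same.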
The field of IT/OT convergence security is still in its infancy. The world is becoming more and more dependent on these systems. At the same time cybercrime is on the rise. We will have to invest time and effort into discovering and developing appropriate security measures. We’ve got to stay ahead of malicious actors. Lives depend on it. Literally.