Historically, IT and operational technology (OT) were kept separate because there was no need for overlap. More recently, the two worlds have increasingly collided as OT operations connect to IT networks. These converged environments have caused a variety of problems for organisations and regulators, who now find themselves struggling with the implications of large-scale attacks targeting critical national infrastructure. The consequences were felt in Florida, for instance, when an intruder attempted to change the pH levels at a water treatment plant, and again during the attack on the Colonial Pipeline in 2021.

This development leaves systems vulnerable, especially as they connect to mainstream IT networks. Consequently, organisations have to strengthen their existing security and close any gap that could serve as an open door for unauthorised access or control. That being said, how can organisations deal with the “OT security problem” without affecting production, business continuity or their pre-existing cybersecurity posture?

IT VULNERABILITIES

Over the course of 2021 there was a rise in weaknesses disclosed within OT environments. One example is the set of vulnerabilities found in Schneider Electric’s Modicon PLCs. If exploited, these weaknesses would allow an attacker to execute code remotely and take control of unpatched equipment.

OT weaknesses aren’t the only security gap that can lead to damaging cyber incidents. The attack on the Colonial Pipeline in the US in 2021 also highlighted how gaps in IT can be used by attackers to gain access to systems and launch large-scale attacks such as ransomware. Ultimately, it was the attack on the IT systems that affected the billing capability, not a compromise of the OT network; the pipeline itself was shut down as a precaution.

This interconnectedness between OT and IT environments has created pathways that threat actors can use to gain entry onto networks. OT can be exploited quite simply, but only in specific circumstances, as the equipment is often siloed and protected. IT, on the other hand, accumulates security gaps more regularly, so risks surface there more often. A compromised credential or an exposed remote desktop protocol (RDP) service, for example, poses no risk to the industrial control system (ICS) environment unless the layers of segmentation between IT and OT are flawed. If an attacker breaches the IT environment and those layers fail, they gain the potential to target ICS operations. As a result, there are several routes to infection from IT to OT, which can lead to serious consequences if they are exploited by malicious actors.

WHAT ARE THE CHALLENGES OF OT?

Due to the variety in both the design and age of OT devices, they often can’t run a conventional security agent, which impedes visibility. Using an agentless approach, security teams can monitor network traffic passively without impacting production. This type of technology listens to traffic on a network (for example from a SPAN port or network tap) and builds an asset inventory from what it observes. That being said, if malware is detected on an OT device, the OT team is often hesitant to let the IT department take action, for fear of causing a service outage. Consequently, this leads to delays in patching and to internal conflict between teams.

An agentless approach gives organisations visibility into the devices connected to their networks, and with it the time to identify and mitigate suspicious behaviour or devices. While this can be quite complicated, it is a vital part of the process: a device usually has to be seen across several types of traffic before it can be identified with confidence, and devices that are less active than others take correspondingly longer to classify.
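The two ideas above, passive inventory building from observed traffic and the IT-to-OT segmentation issue raised earlier (RDP or a compromised credential reaching into the ICS network), can be illustrated together. The following is an added example, not code from the original article or from any vendor’s product: it takes constructed flow records of the kind a passive sensor would extract, assigns each address a role from the ICS protocols it speaks, keeps quiet devices in the inventory as unclassified, and flags flows that enter the OT subnet from outside on IT protocols. The port-to-protocol tables, the `10.20.1.0/24` OT subnet and the flow records are all assumptions made for the example.

```python
"""Passive OT asset inventory from flow metadata (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Well-known ports of common ICS protocols, and of IT protocols that should
# not cross from the IT network into the OT segment. Assumption: illustrative
# only; real vendor protocols and port usage vary.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    44818: "EtherNet/IP",
    20000: "DNP3",
    4840: "OPC UA",
}
IT_PORTS = {
    3389: "RDP",
    445: "SMB",
    22: "SSH",
}

# Constructed flow records standing in for what a passive sensor on a SPAN
# port or tap would extract. Fields: (src, dst, dst_port, packets).
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502, 1200),  # HMI polling a Modbus PLC
    ("10.20.1.10", "10.20.1.51", 502, 1180),  # HMI polling a second PLC
    ("10.20.1.20", "10.20.1.52", 102, 300),   # engineering workstation to S7 PLC
    ("10.20.1.10", "10.20.1.53", 44818, 40),  # HMI to an EtherNet/IP device
    ("10.20.1.54", "10.20.1.1", 123, 2),      # quiet device: only ever seen doing NTP
    ("10.10.5.33", "10.20.1.20", 3389, 90),   # RDP from the IT network into OT
    ("10.10.5.40", "10.20.1.10", 445, 15),    # SMB from the IT network into OT
    ("10.20.1.20", "10.20.1.52", 102, 20),    # engineering workstation again
]

OT_SUBNET = ipaddress.ip_network("10.20.1.0/24")  # assumed OT address range


def build_inventory(flows):
    """Return {ip: {"roles": set, "protocols": set, "flows": int}}.

    Every address seen in any flow enters the inventory, so a device that only
    sends a couple of packets is still recorded; its role stays 'unclassified'
    until it is observed speaking a protocol the tables recognise.
    """
    inv = defaultdict(lambda: {"roles": set(), "protocols": set(), "flows": 0})
    for src, dst, dport, _packets in flows:
        inv[src]["flows"] += 1
        inv[dst]["flows"] += 1
        if dport in ICS_PORTS:
            proto = ICS_PORTS[dport]
            inv[src]["protocols"].add(proto)
            inv[dst]["protocols"].add(proto)
            inv[dst]["roles"].add(f"{proto} server")  # PLC / field device side
            inv[src]["roles"].add(f"{proto} client")  # HMI / engineering side
        elif dport in IT_PORTS:
            proto = IT_PORTS[dport]
            inv[src]["protocols"].add(proto)
            inv[dst]["protocols"].add(proto)
    for entry in inv.values():
        if not entry["roles"]:
            entry["roles"].add("unclassified")
    return dict(inv)


def find_it_to_ot_crossings(flows, ot_subnet):
    """Flag flows entering the OT subnet from outside it on an IT protocol.

    Such a flow means the segmentation between IT and OT is not holding, which
    is exactly the condition under which an IT compromise can reach the ICS.
    """
    crossings = []
    for src, dst, dport, packets in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in ot_subnet and s not in ot_subnet and dport in IT_PORTS:
            crossings.append((src, dst, IT_PORTS[dport], packets))
    return crossings


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for ip, info in sorted(inventory.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:12} roles={sorted(info['roles'])} flows={info['flows']}")
    for crossing in find_it_to_ot_crossings(SAMPLE_FLOWS, OT_SUBNET):
        print("IT->OT crossing on IT protocol:", crossing)
```

Run against the constructed flows, the PLCs come out as Modbus/TCP or S7comm servers, the HMI and engineering workstation as clients, the device that only ever sent two NTP packets stays unclassified but is still inventoried, and the two flows from `10.10.5.0/24` into the OT range on RDP and SMB are reported as segmentation crossings. In a real deployment the records would come from a sensor rather than a list, and the protocol tables would need the site’s own vendor protocols added.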

Unlike IT security operations, which have a security operations centre (SOC) to process alerts, OT staff often find out about incidents through the IT department. As a result, OT is more exposed to threats because incident response can be delayed. What’s more, this gap can expose shortfalls against the requirements of frameworks such as IEC 62443, which addresses the adequacy of security within industrial automation and control systems.

This lack of dedicated OT security means existing IT resources have to be used for both, leaving IT teams responsible for securing OT environments as well as IT networks. IT and OT differ philosophically in many ways (availability and safety come first in OT, whereas IT prioritises confidentiality and patching), and IT staff don’t always have the right skills or knowledge to deal with OT security issues. Unfortunately, this creates both a skills gap and a cybersecurity gap.

Any cybersecurity breach or incident affecting an OT environment can be catastrophic, as seen with the attacks on critical national infrastructure in the US last year. Since IT and OT converged, communication between the two teams has been key to a strong security posture, even though the OT team isn’t traditionally part of IT governance. This communication is vital in bridging the gap, ensuring governance, consistency and certainty across both IT and OT environments, and preventing the gaps in security that can lead to large-scale cyber-attacks.