ICS Security in the Age of IT-OT Convergence
March 15, 2018 was a momentous day for U.S. homeland security officials. On that date, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) for the first time ever attributed digital attacks on American energy infrastructure to actors associated with the Russian government. Their joint technical alert (TA) explained that individuals associated with the Kremlin first went after “staging targets,” companies with network access to the attackers’ “intended targets.” The actors then pivoted off those preliminary victims in what were likely supply chain attacks to compromise the networks of U.S. energy organizations.
The TA, along with additional DHS reports of Russian attacks against energy organizations, underscores the digital security challenges that confront organizations running industrial control systems (ICS). Of these, perhaps the greatest obstacle is how attackers are exploiting the connections between information technology (IT) and operations technology (OT) to infiltrate industrial organizations.
It wasn’t always this way. Convergence is a relatively new phenomenon; here’s one perspective on the progression. Prior to this union, IT and OT did different things in four distinct silos. There were distinct groupings of responsibilities (in the form of “Owner/User”): first IT/IT, which did traditional IT stuff, and OT/OT, which did traditional OT stuff like managing controllers and segmenting the plant network. The other silos involved some but limited collaboration between the two. IT/OT, for instance, sometimes featured OT leveraging IT-owned and operated equipment like technology systems to submit work orders, whereas OT/IT in some cases could include IT leveraging an OT-owned meter data management system (MDMS) for billing purposes.
All that changed with the convergence of logical and physical resources. This merger reduced the four silos to two, resulting in shared responsibilities and devices. IT and OT no longer operate in vacuums, though they are still different entities. IT/OT
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Robert Landavazo. Read the original post at: https://www.tripwire.com/state-of-security/ics-security/ics-security-in-the-age-of-it-ot-convergence/