Increasingly in industrial environments, IT and OT must work together to ensure end-to-end security
If you glance at the minutes of a boardroom meeting for a large energy or manufacturing company, the issues raised often reflect the need for digital transformation. As the issues change, the quorum changes with them. New faces from IT are taking seats at the table alongside those of traditional operational technology (OT). Both are concerned with downtime, whether it’s due to malware or failing equipment. Both are concerned with safety, whether it’s the security of data or of control center operations. From the view of the boardroom, IT and OT must inevitably sync up.
However, this notion causes many people in OT and control centers a lot of worry. For them, the world of IT is that of reboots, viruses and potential downtime for critical operations such as water treatment, electrical power and factories. So, when IT people enter the control room, they may find themselves unwelcome. Meetings between IT and OT people can be very short. Control center staff simply will not consider anything that could jeopardize uptime and safety—no matter what anyone else says.
However, IT and OT may not be as separate as the control room likes to think. Industry experts say that even though OT personnel may believe their industrial control systems (ICS) network is air-gapped, in fact it rarely is. Unintentionally or maliciously, there are always ways into the OT network, whether through software updates, BYOD or USB drives. Because of this, OT may have no choice but to join forces with IT to understand the risks that the IT side poses to the ICS environment.
So, how can the IT and OT worlds join up to improve the security, safety and reliability of operations?
IT and OT Vulnerability Management
ICS environments are high-risk targets for attacks and exploitation. In fact, the consequences of attacks on OT systems are generally more severe than those of attacks on IT systems. For example, a down website is one thing, but a power system that is down can be catastrophic. A first step toward protecting uptime in ICS is to continuously track missing patches on OT assets using vulnerability management products.
Vulnerability management has existed within IT for many years. However, conventional IT vulnerability scans cannot simply be run in ICS environments. IT scanners generally understand only common IT protocols, not Modbus and other OT network protocols. In addition, OT devices are not built to be scanned and may crash when scans are performed against them. Accordingly, the control center will need to look for, study and test vendors of vulnerability management (VM) products specialized for OT. The good news is that there are several available in the marketplace.
ICS Network Protection
Knowing and visualizing the traffic on an OT network historically has been difficult. For reasons similar to those just mentioned, classic IT network scanning doesn’t understand the variety of OT network protocols and ICS personnel don’t trust that such tools will not crash their network.
However, today there are several vendors who offer very stable ICS network threat detection. They do this by operating completely out of band, using passive taps to listen in on network traffic. They do not in any way interfere with normal operations or communications.
For many OT networks, communications are relatively simple and highly repetitive. OT network visibility and analysis tools are accordingly very good at rapid detection of anomalous behaviors and communications. Whereas in the past, the control center may have acted blind, now they can quite literally see (via dashboards and graphs) what is happening on their OT networks. More advanced tools identify risks with rules to detect known malware and the early stages of advanced persistent threats, while also discovering process risks.
OT Asset Inventory
OT personnel can build and visualize an inventory of their OT assets, either with a standalone product or as a feature of some of the product types mentioned above. For some, Microsoft Excel has been the tool of choice for this, but that leads to inaccuracies and unshared information. More modern OT asset inventory tools provide automatic discovery of the identity and configuration of OT assets, devices and networks. When using asset inventory tools for the first time, ICS personnel are often surprised to finally see what actually resides on their network. Needless to say, not knowing what your network is composed of is a security risk in itself. By consolidating configuration details into a central platform and sharing them, key details are available in real time to all authorized users. This helps both to avoid and to react to anomalous activities.
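As an added illustration of the passive approach described in the two sections above (this is example code written for this page, not code from the original article or from any vendor product), the following Python sketch consumes Modbus/TCP request frames copied from a tap or SPAN port, derives an asset inventory from who talks to whom, learns a baseline of (source, destination, unit ID, function code) tuples during a learning window, and afterwards flags requests that fall outside that baseline. The IP addresses, the sample frames, the severity rules and the class and function names are all constructed assumptions for the example; only the MBAP header layout and the function code numbers are the standard Modbus/TCP ones.

```python
"""Passive Modbus/TCP baselining: asset inventory plus anomaly alerts from mirrored traffic."""
import struct
from collections import defaultdict

# Subset of standard Modbus function codes, used only to make alerts readable.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


def build_frame(tid, unit, func, data=b""):
    """Build a Modbus/TCP request (MBAP header + PDU). Used here only to construct sample traffic."""
    pdu = bytes([func]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(raw):
    """Parse the MBAP header and function code; return None if not a well-formed Modbus/TCP frame."""
    if len(raw) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0 or length != len(raw) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": raw[7], "data": raw[8:]}


class PassiveOtMonitor:
    """Consumes copies of request frames (from a tap or SPAN port); it never transmits anything."""

    def __init__(self):
        # ip -> {"roles": set, "unit_ids": set}: the asset inventory discovered from traffic
        self.assets = defaultdict(lambda: {"roles": set(), "unit_ids": set()})
        # (src, dst, unit id, function code) tuples observed during the learning window
        self.baseline = set()
        self.learning = True

    def finish_learning(self):
        self.learning = False

    def observe(self, src, dst, raw):
        """Record one mirrored request; return a list of (severity, message) alerts."""
        pdu = parse_frame(raw)
        if pdu is None:
            return [("medium", f"{src}->{dst}: malformed or non-Modbus payload")]
        # Inventory: requests flow master -> slave, so the direction tells us each host's role
        self.assets[src]["roles"].add("master")
        self.assets[dst]["roles"].add("slave")
        self.assets[dst]["unit_ids"].add(pdu["unit"])
        key = (src, dst, pdu["unit"], pdu["func"])
        if self.learning:
            self.baseline.add(key)
            return []
        if key in self.baseline:
            return []
        fname = FUNCTION_NAMES.get(pdu["func"], f"function 0x{pdu['func']:02x}")
        # Constructed severity rule: writes and never-before-seen masters are the serious cases
        known_master = any(k[0] == src for k in self.baseline)
        severity = "high" if (pdu["func"] in WRITE_CODES or not known_master) else "medium"
        return [(severity, f"{src}->{dst} unit {pdu['unit']}: {fname} not in baseline")]


def run_demo():
    """Learn from constructed routine traffic, then score three constructed events."""
    mon = PassiveOtMonitor()
    hmi, plc = "10.0.0.10", "10.0.0.20"  # constructed addresses for an HMI and a PLC
    for tid in range(5):  # routine polling of holding registers 0-9
        mon.observe(hmi, plc, build_frame(tid, 1, 3, struct.pack(">HH", 0, 10)))
    # an operator setpoint write that is part of normal operation
    mon.observe(hmi, plc, build_frame(5, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01"))
    mon.finish_learning()
    events = [
        (hmi, plc, build_frame(6, 1, 3, struct.pack(">HH", 0, 10))),        # same polling: silent
        ("10.0.0.99", plc, build_frame(1, 1, 6, struct.pack(">HH", 0, 0))),  # unknown host writes
        (hmi, plc, build_frame(7, 1, 8, struct.pack(">HH", 0, 0))),          # HMI sends Diagnostics
    ]
    alerts = [a for src, dst, raw in events for a in mon.observe(src, dst, raw)]
    return mon, alerts


if __name__ == "__main__":
    monitor, found = run_demo()
    for sev, msg in found:
        print(sev.upper(), msg)
    for ip, info in monitor.assets.items():
        print(ip, sorted(info["roles"]), sorted(info["unit_ids"]))
```

The property that makes this class of tool acceptable in a control room is visible in the code: `observe` only reads bytes that were copied off the wire and never opens a socket toward an OT device. The weak point of any baseline approach is also visible: the learning window must cover the full operating cycle, including maintenance and infrequent operator writes, or legitimate activity will be alerted on once learning ends.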
SOCs: One or Two?
The above three techniques and products can help bring together the worlds of IT and OT in a safe, secure manner. This is especially true when the OT and IT security operations centers (SOCs) share information. Internet-borne malware targeted at ICS is designed to traverse both networks. Despite what ICS personnel may think (or wish), OT networks are far more connected to the internet than they realize. It is therefore essential that ICS personnel have visibility of the incidents and malware that their IT counterparts see. The output of many of the products discussed above can be fed into a conventional IT SOC, or ICS personnel may prefer to keep OT-related information strictly within the control center. Each approach has its advantages.
The main takeaway is that, whether your role is IT or OT, today’s threats can jump from one system to the other and there is an increasing number of tools to help modernize ICS without introducing risk. IT is coming to OT, like it or not, and the best approach is likely to be one that takes the best from IT without jeopardizing uptime or safety in ICS.