OT has always been a specialist network that IT people have not had the remit to monitor or secure. As a matter of fact, generally, OT networks and IT operations were deliberately kept separate because there was little need for overlap since they historically ran on unique and slightly obscure operating systems.
More recently, when OT operations began connecting to IT networks, it made sense for the two to merge as networking, remote management and wireless connectivity were growing in popularity. Consequently, organisations and regulators find themselves struggling with the implications of this change, as there have already been several large-scale attacks on critical national infrastructure – such as the attack on the energy infrastructure and the water plant in Florida, to name a few.
As systems increasingly connect to mainstream IT networks, organisations have to figure out how to ramp up their security and fill in any gaps that may lead to unauthorised access or control. But how can they proceed and break down the ‘OT security problem’ without sacrificing their production or cyber resilience?
Weaknesses within OT have rapidly grown over the last decade. For instance, just in July this year a new vulnerability was discovered in the Schneider Electric Modicon PLCs, which would allow attackers to execute remote code on unpatched equipment. However, the attack on the Colonial Pipeline directly highlighted how weaknesses in IT can also have drastic consequences, as attackers launched a ransomware attack on the IT system, which is what ultimately affected the billing capability rather than the OT network itself; it just exploited an IT vulnerability to gain access.
Consequently, the interconnectedness of IT and OT is creating dangerous paths that threat actors can take advantage of. Vulnerabilities in OT equipment can only be exploited in specific circumstances, while IT is vulnerable to common risks more regularly. For example, a compromised credential or an exposed RDP service is no risk to the ICS environment unless there are failures in the layers of segmentation. Conversely, attackers that breach the IT environment will not necessarily target ICS operations, though IT can be the conduit if they so desire.
This means that there are several routes to infection from IT to OT, which can cause serious damage if exploited.
An obvious challenge within OT is that the devices often can’t run a conventional security client because of their design and history. Gathering visibility on OT devices is therefore more challenging and can only be achieved through an agentless approach: monitoring network traffic passively, without affecting production. Fortunately, there is technology available that can listen to all the traffic on a network and build an inventory from it. However, if malware is detected on OT devices, the OT teams may not let IT departments take action, since this could lead to a service outage, causing further delays and internal conflict.
More importantly, though, this approach also gives organisations much needed visibility into the devices on their networks, allowing them to identify suspicious or surplus devices.
This may seem easy; on the contrary, the process is tedious, but it is crucial. It takes multiple types of traffic to identify certain devices, especially those that are less ‘chatty’.
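The passive, agentless inventory described above, as an added example that is not from the article or from Armis: it builds a device list purely from constructed flow records, marks devices seen in too little traffic to classify with confidence (the ‘less chatty’ ones), and surfaces IT-to-OT conversations that point at segmentation failures. The zone subnets, the port-to-protocol map and the flow records are all assumptions.

```python
"""Passive, agentless asset inventory from constructed flow records (assumed zones/ports)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zoning (hypothetical): IT on 10.1.0.0/16, OT/ICS on 10.2.0.0/16
IT_ZONE = ip_network("10.1.0.0/16")
OT_ZONE = ip_network("10.2.0.0/16")
# Destination port -> protocol name; the responding side is what the protocol identifies
PORT_MAP = {502: "modbus", 44818: "enip", 20000: "dnp3",
            3389: "rdp", 445: "smb", 443: "https"}

# Constructed flow records (src_ip, dst_ip, dst_port), as a SPAN/TAP feed would
# yield them; nothing here actively probes the OT segment.
FLOWS = [
    ("10.1.5.20", "10.1.5.1", 443), ("10.1.5.20", "10.1.5.9", 445),
    ("10.2.8.10", "10.2.8.50", 502), ("10.2.8.10", "10.2.8.50", 44818),
    ("10.2.8.10", "10.2.8.51", 502),    # 10.2.8.51 seen once: a 'less chatty' device
    ("10.1.5.20", "10.2.8.30", 3389),   # IT workstation reaching into the OT zone
    ("10.1.5.20", "10.2.8.50", 502),    # same IT host speaking Modbus to a PLC
]

def zone_of(ip):
    addr = ip_address(ip)
    return "it" if addr in IT_ZONE else "ot" if addr in OT_ZONE else "unknown"

def build_inventory(flows):
    """{ip: {zone, protocols served, sightings}} built purely from observed traffic."""
    inv = defaultdict(lambda: {"zone": "unknown", "protocols": set(), "sightings": 0})
    for src, dst, port in flows:
        for ip in (src, dst):
            inv[ip]["sightings"] += 1
            inv[ip]["zone"] = zone_of(ip)
        inv[dst]["protocols"].add(PORT_MAP.get(port, "other"))  # responder serves it
    return dict(inv)

def low_confidence(inv, min_sightings=2):
    """Devices seen in too little traffic to trust their classification yet."""
    return sorted(ip for ip, d in inv.items() if d["sightings"] < min_sightings)

def cross_zone_flows(flows):
    """IT -> OT conversations: the segmentation failures the article warns about."""
    return [(s, d, PORT_MAP.get(p, "other")) for s, d, p in flows
            if zone_of(s) == "it" and zone_of(d) == "ot"]

if __name__ == "__main__":
    inventory = build_inventory(FLOWS)
    for ip, d in sorted(inventory.items()):
        print(ip, d["zone"], sorted(d["protocols"]), d["sightings"])
    print("low confidence:", low_confidence(inventory))
    print("IT->OT:", cross_zone_flows(FLOWS))
```

Devices that only ever initiate connections end up with an empty protocol set, which is exactly why the text says several traffic types are needed before a device can be identified with confidence.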
The issue of OT security
Mature IT security operations always have a tier-one security team made up of Security Operations Centre (SOC) analysts who look at and process specific alerts. The same can’t be said for OT, and it is often the IT people who have to contact the OT people in case of an incident. This is an issue not only because it leaves OT more vulnerable, but because it may expose regulatory weaknesses: the requirements are often spelled out in cyber frameworks such as the NIST Cybersecurity Framework, which sets out governance requirements regarding the adequacy of security within OT.
Having to use the same resources for both, IT teams are then left with the responsibility of OT security, which can be a little like trying to fit a square peg in a round hole. IT people aren’t always familiar with OT security issues. This is down to the fact that OT networks are philosophically different, creating both a skills and cybersecurity gap.
The consequences of cybersecurity incidents involving OT can be catastrophic, which is why appropriate and proportionate controls are vital. While the OT team is not typically part of overall IT governance, communication between IT and OT is key to a strong security posture.
Communication between both IT and OT teams is a massive step toward bridging the gap and ensuring governance, consistency and certainty between OT and IT environments.
By: Andy Norton, Chief Cyber Risk Officer at Armis