The Challenge of Shadow OT

Written by

I recently started to think about some of the problems with industrial control system (ICS)/operational technology (OT) environments. In particular, how devices within them are sometimes connected to the corporate network and/or the internet. We often hear about shadow IT, but I think a more worrying issue revolves around ‘shadow OT.’

Although many information security teams are now tasked with securing the OT as well as IT environments, not all organizations have fully taken this step yet. Shouldn’t they be looking to secure all the environments anyway?

So, let’s look a little more at shadow OT – shadow OT comes about if an OT device is connected to either the corporate network or the internet without the involvement of the IT or information security team. As a result, the team involved in implementing the new devices may not take into account relevant security practices. This is often due to a lack of knowledge rather than a deliberate act of defiance.

Why is it that OT devices are being connected? The main reason is the associated operational benefits of doing so. Connectivity provides greater visibility of the OT environment, improving monitoring of the devices and the overall environment. This can provide key information that can help to improve the safety, reliability and performance (SRP) of the OT environment.

Three potential shadow OT scenarios follow, illustrating how easy it can be to connect OT devices without realizing the security implications. Firstly, an OT engineer may connect an OT configured laptop to the internet via a 5G dongle or plug a network cable in from the IT network. There may be a legitimate business reason to do so, but bridging the OT and IT networks creates a new attack surface with potentially far-reaching consequences.

Another scenario is when a vendor wants to perform diagnostics of a malfunctioning machine in the OT environment. Since the pandemic, vendors have increasingly run initial diagnostics remotely, which requires an internet connection. To do this, an onsite engineer may find a nearby internet router, unplugging the cable from the firewall and plugging it directly into the malfunctioning machine. This connects the OT device and, therefore, the OT environment to the internet with no protection – not even a firewall.

One final example: an engineer may want to view all the details about the plant’s temperature sensors quickly rather than having to traipse around the plant all day. He finds an industrial internet of things (IIoT) device that allows him to monitor the sensors via an app he can install on his mobile phone and laptop. The IIoT devices connect to Wi-Fi and use a cloud service to send the data to the engineer’s app installed on his phone. This also has the effect of connecting not just the IIoT devices, but leaving the temperature sensors to the internet unprotected, creating a bridge to the OT network.

All the scenarios mentioned above have happened and could occur in one organization at the same time. No matter how your ICS/OT environment is connected, it needs to be secured. Even if you think you are not connected, you may well find you are – our advice is to regularly consider how and where these connection points are made. Once you are aware of the connection points, security tooling can be added to protect the environment. That said, it is not a case of taking the security tools from the IT environment and putting them straight into the OT environment, thought and care needs to be taken so as not to affect SRP and especially the safety aspect within the environment. Our research shows that a collaborative effort from IT, OT and information security teams is required.

What’s hot on Infosecurity Magazine?