From heavy industry and manufacturing to critical national infrastructure (CNI) such as power, water and transport, many sectors that are fundamental to our economy are reliant on operational technology (OT).
OT systems such as SCADA and PLCs are fundamentally different from the traditional IT networks used for standard business activity. OT and IT have very different needs when it comes to management and security, yet it is common to find the assumption that IT standards can be applied unchanged to OT environments.
Any errors in this sector have the potential for serious consequences, as high-value industries powered by OT are attractive targets for cyber-attacks, particularly nation state activity that aims to cause maximum disruption. Disabling the OT behind industries such as power supply will have a serious impact on a nation’s population and economy.
To properly defend OT networks from potential cyber threats, it is essential to dispel these misconceptions and clear up the many ways in which OT security differs from a traditional IT network.
Protecting OT is very different from IT
Up until the last two decades, it was standard for OT networks to be unconnected systems that were separated from traditional networks. This meant that most systems were inherently well-secured against cyber threats as they were naturally protected by air-gapping. The only way to compromise such a system would be to physically access it.
However, recent years have seen organizations begin integrating their OT infrastructure into their wider networks as part of digitalization efforts, enabling them to deliver better efficiency through automation. Unfortunately, this has also led to frequent problems where firms have attempted to transfer IT security controls over to OT.
The priorities of OT networks are very different, with a greater focus on system uptime rather than protecting data. The system downtime that is standard in IT for activity such as patching, updating and maintaining software is very difficult to achieve for OT. Likewise, programmable logic controllers (PLCs) used specifically on OT networks are not compatible with standard Endpoint Detection and Response (EDR) technologies.
Does this mean OT security needs to be built from scratch?
Because standard IT solutions do not play well with OT, there is a common misconception that organizations will need to build an entirely separate new program from the ground up, including a separate SOC to manage potential threats.
However, it is essential for organizations to have a single, unified point of visibility and control for both IT and OT networks because, from a threat actor’s point of view, they are the same thing. Too much separation between IT and OT will create blind spots that can be exploited by attackers. Instead, organizations need an extension of the OT management to be integrated into existing IT processes, including the SOC that is providing security metrics and telemetry from the IT network.
That said, data from an OT network can look significantly different from that coming from a standard IT network. This means that OT threat data must be given context and presented in a way that IT security specialists will understand with minimal training.
With a single team governing security policies and addressing issues across both networks, the organization will enjoy a unified posture that minimizes potential threats.
The problem with patching
In stark contrast to standard IT systems which are constantly tweaked and updated with software patches, OT assets are usually built to run for many years without any further changes in the interests of preserving uptime. PLCs for example are often designed to last for three or four decades.
An unfortunate side effect of this design approach is that an OT network using standard operating systems such as Windows will need to continue using the original system it was built around. It is common to find OT assets running Windows XP or even 2000 – with all the bugs and vulnerabilities that come with them.
The extreme difficulty in facilitating any downtime also means that even the rare new updates for these old operating systems are generally not applied. Maintenance may be done once or twice a year, or perhaps not at all unless something has actually broken.
This is not a particular issue when the OT infrastructure is running in isolation, as the air gap naturally prevents threat actors from exploiting the old software. However, it becomes a serious problem when the OT system is connected to a standard network, providing a potential attack path for cyber threats.
What’s the solution?
The first step to overcoming these issues is to gain full visibility of every outdated operating system in use, and of the potential threats that could exploit it. Security teams need to be able to quantify these risks so that the organization can make an informed judgement call on the cost of maintenance downtime against the damage of a serious cyber-attack.
Alongside this, security teams will need to keep these vulnerabilities in front of mind and be aware of every single OT asset and how it intersects with the IT network to increase the chances of catching and stopping attacks.
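The two points above, an asset inventory that makes outdated operating systems and their IT-network exposure visible, and OT events that are presented with enough context for an IT SOC to act on them, can be illustrated together. The following Python is an added example, not code from the article or from any vendor it describes; the asset records, the end-of-life list, the scoring weights and the sample event are all constructed here for illustration.

```python
"""Added example (not from the article): a small OT asset inventory that flags
end-of-life operating systems, ranks assets by how exposed they are to the IT
network, and enriches a terse OT event with that context for an IT analyst.
Every asset, weight and event below is constructed for illustration."""
from dataclasses import dataclass

# Constructed list of operating systems treated as unsupported for this example.
EOL_OS = {"Windows 2000", "Windows XP", "Windows 7"}


@dataclass
class Asset:
    asset_id: str
    role: str          # e.g. "PLC", "HMI", "historian"
    os: str
    zone: str          # "isolated" (air-gapped) or "it-connected"
    process: str       # the physical process the asset is part of
    last_patched: str  # ISO date, or "never"


# Constructed inventory: a mix of isolated and IT-connected assets.
INVENTORY = [
    Asset("PLC-01", "PLC", "VxWorks", "isolated", "boiler feedwater", "never"),
    Asset("HMI-02", "HMI", "Windows XP", "it-connected", "boiler feedwater", "never"),
    Asset("HIST-03", "historian", "Windows Server 2019", "it-connected", "plant-wide", "2024-01-15"),
    Asset("PLC-04", "PLC", "VxWorks", "it-connected", "cooling water", "never"),
]


def exposure_score(asset):
    """Return (score, reasons). Higher means review sooner.
    The weights are illustrative assumptions, not a published standard."""
    score, reasons = 0, []
    if asset.os in EOL_OS:
        score += 3
        reasons.append(f"end-of-life OS: {asset.os}")
    if asset.zone == "it-connected":
        score += 4
        reasons.append("reachable from the IT network")
    if asset.last_patched == "never":
        score += 2
        reasons.append("never patched")
    return score, reasons


def prioritise(inventory):
    """Rank asset ids by exposure, highest first (ties broken by id)."""
    scored = [(exposure_score(a)[0], a.asset_id) for a in inventory]
    return [aid for _, aid in sorted(scored, key=lambda x: (-x[0], x[1]))]


def enrich_ot_event(event, inventory):
    """Turn a terse OT event into a record an IT analyst can act on.
    The raw event carries only an asset id and a one-line observation."""
    by_id = {a.asset_id: a for a in inventory}
    asset = by_id.get(event["asset_id"])
    if asset is None:
        # An event from an asset missing from the inventory is itself a
        # visibility gap, so it is surfaced rather than dropped.
        return {
            "severity": "medium",
            "summary": f"event from OT asset {event['asset_id']} not in inventory",
            "observation": event["observation"],
        }
    score, reasons = exposure_score(asset)
    severity = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {
        "asset_id": asset.asset_id,
        "role": asset.role,
        "process": asset.process,
        "os": asset.os,
        "zone": asset.zone,
        "severity": severity,
        "reasons": reasons,
        "summary": f"{asset.role} {asset.asset_id} ({asset.process}): {event['observation']}",
    }


# Constructed sample event, as an OT monitoring tool might emit it.
SAMPLE_EVENT = {"asset_id": "HMI-02",
                "observation": "setpoint written outside maintenance window"}

if __name__ == "__main__":
    print("review order:", prioritise(INVENTORY))
    print(enrich_ot_event(SAMPLE_EVENT, INVENTORY))
```

Running the block lists the IT-connected Windows XP HMI first and the air-gapped PLC last, and the enriched event names the role, the physical process and the reasons for its severity, which is the context an IT analyst needs when the raw OT alert alone would mean little to them.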
With OT assets built around a set of controls and systems that can be utterly alien to standard IT, and with a shelf life measured in decades rather than months, uniting IT and OT is a daunting proposition.
However, by being aware of the fundamental differences and creating a security policy that adapts to them rather than forcing them together, security teams can successfully bring OT security in line with the IT network – along with all the benefits digitalization has to offer.