“Interconnecting with an IT network opens up OT to the predatory world of cyber-attacks and malware for which it is unprepared”
OT networks have been undergoing perhaps the most extreme digital transformation in organizations looking to compete more effectively in the digital marketplace. However, because many OT networks have been isolated for so long, they are also particularly vulnerable to malware and criminal activity targeting today’s networks. Outdated hardware, unpatched operating systems and applications, delicate devices and instrumentation, and a compute environment built around the idea of inherent trust all combine to put OT networks, their organizations, and—in the case of many critical infrastructures—the lives of workers and the safety of surrounding communities at risk.
Ceylon Business Reporter spoke with Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet, about these challenges and how organizations can create a secure OT environment without sacrificing the performance and flexibility needed for operations.
OT security has been in the limelight over the last year as digital convergence continues at a rapid pace. What is top of mind on this topic for CISOs right now?
Well, to start, the love-hate relationship is coming to an end. OT has always operated as an outsider of the IT environment mostly because IT and OT have had very different priorities. Initially, OT devices were part of a closed universe that was designed for performance and reliability, a disconnected world that only applied the most basic security rules because connecting the crown jewels to the public IP wilderness was unnecessary.
The routing tables have turned now, and under the irresistible pressure of the CFO, these two worlds are being inexorably converged. Although the convergence of the IT and OT environments continues apace, it is certainly not something that CISOs have wanted. They understand the IT environment; suddenly being handed the OT network portfolio and asked to secure it is a new challenge that few CISOs were asking for. One of their key concerns is that they have so little visibility into the OT risks they face. Of course, they recognize the dangers that convergence entails, but they are also realistic and recognize that this is going to happen regardless of how anyone feels, for a variety of financial and operational reasons. The challenge is how to bring the IT and OT worlds together under one roof.
Many, if not most, OT environments are like islands that have been isolated for eons. Their “ecology” has grown up in isolation because the air gap between the OT network and the rest of the IT environment has protected it like a wide ocean protects the species on a remote island. As a result, many OT systems have “evolved” over decades. They use very old technology and have little or no internal security, and are extremely vulnerable. Interconnecting with an IT network opens up OT to the predatory world of cyber-attacks and malware for which it is unprepared. How to protect those OT systems while still allowing important data, telemetry, and HMI (Human Machine Interface) traffic to reach its destination is the conundrum CISOs are wrestling with.
While traditional IT security practices can offer some comfort (think perimeter defense), it is essential to recognize that protecting prized, high-value OT assets and the intellectual property that distinguishes a business requires much more than a well-placed firewall. Due to the predatory nature and intent of cyber-adversaries who seek to successfully execute campaigns impacting OT targets, CISOs need to remain aware of the security industry’s commitment to developing advanced solutions that deliver protection from the inside out.
Have there been any unexpected insights gained during lockdown that CISOs should learn from going forward, in particular for OT in terms of business or mission continuity?
Automation and segmentation have been the two attributes that have saved many OT architectures from attacks or malfunctions during these weeks of lockdown. The first one scales up security on networks that have been inverted to accommodate remote workers, and the second significantly decreases the devastating effects of cyber-attacks on industrial infrastructures. However, the OT wave is so large that automation needs to quickly expand to include orchestration. The response team needs to be backed up by machine learning algorithms to cope with the speed and the scope of these attacks. This not only relieves the pressure of monitoring and manually correlating network and security events, but it also enables humans to do what they do best: imagine defense strategies instead of compiling logs.
Given the global pandemic and associated lockdowns, production teams have been suddenly forced to run—or halt—many systems remotely. This has meant monitoring plants and processes from afar. Even those environments not in use had to be safely shut down and monitored to prevent unintended activity, damage, etc. This sudden scramble for remote control and monitoring has created an enlarged attack surface that bad actors are trying to exploit. CISOs have been racing to catch up and to ensure protection.
Neutralizing the effectiveness of the surge in cyber activity geared to accomplish disruption requires attention on multiple fronts: heightening workforce situational awareness at the edge, as well as techniques like micro-segmentation that control movement within the OT network infrastructure. The recent global increase in malicious and disruptive activity has simply reinforced the CISO’s awareness of the need for proactive cybersecurity practices that harden the OT environment to an extent where outmaneuvering the adversary is a realistic objective.
What one OT security strategy stands out in terms of importance or difference for the long-term protection of OT environments?
Three important steps have recently turned into golden rules. The first is the identification of all critical assets as a prelude to any security deployment. In addition to identifying what really matters, this sequencing will be very important for an efficient segmentation plan. Next, the operational objectives need to be aligned with IT priorities. When this step is skipped or only partly achieved, we have observed longer downtime—which is the last thing production lines will be able to afford. And last but not least, the design of the protection plan must equally integrate the specifics of the IT and the OT world. This includes the similarities and the differences between both environments. The biggest challenge of cybersecurity is to protect the converged world without degrading the precious performance of the production lines.
Implementing best cyber practices that deliver security beyond just perimeter detection and protection and focus on recognizing and analyzing unknown or unusual behavior is vital. That often starts with complete visibility combined with enforcing earned trust for all devices within the OT infrastructure. Strict identification of approved access and roles, and consistent enforcement of controls to limit movement within an environment are equally important.
In today’s digitally transformed OT environment, it is important to acknowledge the likelihood of breaches, both past and present, and detect any event that could threaten productivity. Implementing such a strategy can deliver the security services essential to sustaining safe and continuous operations, and accomplish such awareness with transparency, scale, and speed.