Attacks on critical infrastructure and other OT systems continue to increase as digital transformation accelerates and OT/IT convergence. Water treatment facilities, energy providers, factories and chemical plants — the infrastructure that sustains our daily lives can all be at risk. Disturbing or manipulating an OT system can cause real physical harm to citizens, the environment, and the economy.
Yet the landscape of OT security tools is far less developed than that of its information technology (IT) counterparts. According to a recent reports from Takepoint Research and Cyolothere is a lack of trust in the tools commonly used to secure remote access to industrial environments.
|Figure 1: New research reveals a large industry-wide gap between the level of concern about security risks and the level of trust in existing solutions for industry-secure remote access (I-SRA).
The traditional security strategy for industrial environments is isolation – isolation not only from the internet but from other internal systems as well. But now, with the opening of OT systems to the world and increasing cyber threats, the lack of OT-specific security tools has emerged as a pressing problem. In this vacuum, IT solutions are often combined in an effort to meet PL needs, but, as you might expect, the results are usually unsatisfactory.
Security solutions designed for the IT environment cannot meet the demands of PL and the realities of the industry, for several main reasons.
Reason 1: OT prioritizes availability over confidentiality
While IT and OT both strive to ensure confidentiality (protection of sensitive data and assets), integrity (data fidelity throughout its lifecycle), and availability (accessibility and responsiveness of resources and infrastructure), they prioritize these different parts of the CIA. three Musketeers.
- IT’s highest priority is confidentiality. IT deals with data, and IT stakeholders concern themselves with protecting that data — from trade secrets to personal information of users and customers.
- OT’s highest priority is availability. OT processes operate heavy-duty equipment in the physical world, and for them, availability means security. Downtime cannot be maintained when shutting down blast furnaces or industrial boiler tanks.
In the interest of availability and responsiveness, most OT components are simply not built to accommodate security implementations.
This marks a fundamental difference in the DNA of IT and OT environments, which immediately makes IT security tools difficult to implement.
Reason 2: The PL system is running on an always-on legacy system
For someone living in the IT world, it might be hard to imagine an environment that still runs on Windows XP or eighties-era mainframes, but that’s the reality of the PL world. Whether for profit or security, PL systems are always up and running at full capacity. This is why OT components are designed for a longer life cycle.
Nearly all IT-based tools require downtime for installation, updating, and patching. These activities are generally not a start for industrial environments, no matter how significant the vulnerabilities. Again, downtime for an OT system means compromising safety.
Additionally, legacy systems that power the OT world are generally unable to communicate with modern security or authentication tools, limiting the effectiveness of these platforms from the outset. Without a security solution like Cyolo, which retrofit old apps to support modern security protocols, IT tools will be severely limited in their ability to secure OT systems.
Reason 3: IT tools almost always need a connection
IT security solutions usually require external connections because servers and applications must exchange data with each other (and with users) to carry out their primary functions. OT systems, on the other hand, often have specific requirements for how and when they can connect to the internet (yes, even in our age of digital transformation). IT tools cannot always be configured to meet these requirements.
That’s the nuance IT and PL systems can interact each other without forming a permanent connection. In this way, OT environments can be positioned to achieve the benefits of automation, production data, and other digital transformation efforts without creating unnecessary access points for bad actors.
Reason 4: PL systems vary widely
The IT world has mostly standardized around the TCP/IP protocols, but the PL world doesn’t have such a consensus. OT systems use a variety of communication protocols, which are often specified by the original equipment manufacturer.
For example, if an PL operator purchased a programmable logic controller (PLC) from several different providers, each provider may have taken a different approach to complying with the IEC-61131 standard. Therefore, PL engineers must learn and maintain as many types of software and protocols as their vendor has available.
Even within OT, protocols are often incompatible with each other, and rightly so Of course not compatible with common protocols used in IT-based security tools. It’s doubtful that any IT tool will cover the entire spectrum of PL use cases for a given environment.
Reason 5: PL systems are complicated
As a function of their variability and always-on nature, PL systems are easily disrupted by the most basic IT processes and security best practices.
- Even passive scans can take fragile OT systems offline, and when scans are scaled down and restricted to offline systems, security coverage shrinks below acceptable levels.
- A sign-in that normally runs on the endpoint will stop the automatic sign-in for critical PL systems.
Because visibility is more difficult to achieve in an OT environment, it can be difficult to predict the consequences of implementing a new tool. For this reason, OT systems generally require more extensive testing and validation before new tools are implemented.
The OT environment deserves an OT solution
It’s often said that strategy precedes tools – and it’s true. The IT and security teams working in the OT space should take the time to understand and understand the philosophy and needs of OT, and collaborate with OT stakeholders to define best practices.
Nonetheless, the right tool is still very important. The cybersecurity market can be noisy and misleading. Together, IT and PL stakeholders must ask the right questions before committing to a particular tool or vendor.
PL World deserves to benefit from modern security controls without compromising the safety of workers, operations or bystanders. The right solution will not only strengthen your security posture against future attacks, but will also position security to contribute to innovation, not get in its way.
To learn more about the main challenges currently facing OT security professionals, read full report from Takepoint Research and Cyolo.