For too long the world of cybersecurity has focused exclusively on information technology (IT), leaving operational technology (OT) to fend for itself. Traditionally, few industrial companies have had dedicated cybersecurity leaders. Any security decisions that arise fall to manufacturers and plant managers, who are highly skilled technical experts in other areas but often lack cybersecurity training or knowledge.
In recent years, the increase in cyberattacks against industrial facilities and the IT/OT convergence trend driven by Industry 4.0 have highlighted the ownership vacuum around OT security. According to a new Fortinet report, most organizations are looking to the Chief Information Security Officer (CISO) to address the issue.
Fortunately, CISOs are no strangers to difficult changes or challenges. The position itself is less than 20 years old, but in those two decades the CISO has weathered some of the most disruptive cybersecurity events, true watershed moments in technology.
However, most CISOs have built their success on securing IT environments, and IT security strategies and tools rarely translate to an OT context. While collaboration and team-building soft skills will certainly help CISOs as they bring the factory floor into their realm of responsibility, they must also make a concentrated effort to understand the unique topography of the OT landscape and its distinct security challenges.
Safety over everything
The CIA triad — Confidentiality, Integrity & Availability — is a key concept in cybersecurity. Critically, IT and OT prioritize the triad elements differently — even though safety is always the common denominator.
Figure 1: The IT security CIA triad is reversed in the OT world, where availability is the highest priority.
- In IT, security means that data is protected through confidentiality. People get hurt when their sensitive personal data is compromised. For companies, securing data saves them from breaches, fines, and reputational damage.
- In OT, safety means that cyber-physical systems are reliable and responsive. People are injured when blast furnaces or industrial boilers fail. For enterprises, availability keeps systems running on time down to milliseconds, ensuring productivity and profitability.
Ironically, the AIC triad in the OT world has produced systems and tools that prioritize physical safety but often come with few or no cybersecurity features. CISOs will be responsible for identifying and implementing security solutions that protect OT systems from cyber threats without disrupting their operations.
In both OT and IT, segmentation limits the attack surface of the network. In OT, the Purdue Model serves as a framework for how and why systems can and should communicate with each other.
In short, the Purdue Model consists of five layers.
- Levels 4 and 5 are the outermost layers which include web and email servers, IT infrastructure, and remote user firewalls.
- Levels 2 and 3 are the operational layers which operate the software and applications running the OT environment.
- Levels 0 and 1 house the devices, sensors, programmable logic controllers (PLCs), and distributed control systems (DCS) that do the actual work and must be protected from outside interference.
The purpose of these layers is to create logical and physical separation between the process levels. The closer you get to the cyber-physical operations of industrial systems such as injectors, robotic arms and industrial presses, the more checks and balances there are to protect them.
While the concept of segmentation is not new to CISOs, they need to understand that zoning is much more stringent in OT environments and must be enforced at all times. Industrial companies adhere to the Purdue Model or similar frameworks to ensure safety and security and to meet many regulatory compliance mandates.
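To make the level-to-level rule concrete, here is a small flow checker written for this article (an added example, not Cyolo's code or a feature of any product). It assumes a deliberately simple policy: a connection may only cross between adjacent Purdue levels, and any endpoint missing from the asset inventory is reported as a finding rather than ignored. The host names, level assignments and observed flows are constructed sample data.

```python
"""Purdue-model traffic flow checker.

Added example, not Cyolo's code or a product feature. It assumes a simple
policy: a flow may only cross between adjacent Purdue levels, and any
endpoint missing from the asset inventory is treated as a finding. The
host names, levels and flows below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed asset inventory: host name -> Purdue level
ASSET_LEVELS = {
    "corp-mail": 5,       # enterprise e-mail server
    "erp-web": 4,         # business web application
    "historian": 3,       # site operations / plant historian
    "scada-hmi": 2,       # supervisory control / HMI
    "plc-line1": 1,       # programmable logic controller
    "press-sensor": 0,    # field sensor on an industrial press
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def violation(flow: Flow) -> Optional[str]:
    """Return a reason if the flow breaks the segmentation policy, else None."""
    for host in (flow.src, flow.dst):
        if host not in ASSET_LEVELS:
            # An unknown endpoint means the inventory is incomplete, which is
            # itself a segmentation finding rather than an error to ignore.
            return f"{host} is not in the asset inventory"
    s, d = ASSET_LEVELS[flow.src], ASSET_LEVELS[flow.dst]
    if abs(s - d) > 1:
        return (f"{flow.src} (Level {s}) -> {flow.dst} (Level {d}) "
                f"skips {abs(s - d) - 1} level(s)")
    return None


def check_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every (flow, reason) pair that violates the policy."""
    findings = []
    for flow in flows:
        reason = violation(flow)
        if reason is not None:
            findings.append((flow, reason))
    return findings


# Constructed sample of observed flows (e.g. exported from a firewall log)
SAMPLE_FLOWS = [
    Flow("erp-web", "historian", 443),          # Level 4 -> 3: permitted
    Flow("historian", "scada-hmi", 1433),       # Level 3 -> 2: permitted
    Flow("scada-hmi", "plc-line1", 502),        # Level 2 -> 1: permitted
    Flow("corp-mail", "plc-line1", 502),        # Level 5 -> 1: skips three levels
    Flow("vendor-laptop", "plc-line1", 44818),  # endpoint not in inventory
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src}:{flow.dport}->{flow.dst}: {reason}")
```

Run against a real firewall or NetFlow export, the same function turns the Purdue diagram into a repeatable audit: anything that jumps from the enterprise levels straight to a controller, or that involves a host nobody has inventoried, shows up as a finding instead of being discovered during an incident.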
Downtime is not an option
In IT, downtime for upgrades and patches is not a big deal, especially in the Software-as-a-Service (SaaS) world where new updates are released in real time.
Whether for safety or profit, OT systems are always up and running. They cannot be stopped or paused to install a new operating system or even to apply critical patches. Any process that requires downtime is simply a non-starter for most OT systems. For this reason, CISOs shouldn’t be surprised to find decades-old systems (likely running software that reached its end-of-life date long ago) still serving as a critical part of operations.
The challenge facing CISOs is identifying security controls that will not interrupt or interfere with complex OT processes. The right solution will “wrap” the existing OT infrastructure in layers of security that protect critical processes without changing, complicating, or crowding them.
All access is “remote” access.
Traditionally, OT systems have been protected through isolation. Now that organizations are connecting these environments to take advantage of Industry 4.0 or to allow easier access for contractors, all access must be monitored, controlled and logged.
- The IT environment is a digital place where business happens. Business users do their jobs and systems exchange data all within this space, day in and day out. In other words, humans are meant to actively participate in and make changes to the IT environment.
- OT systems and environments are built to run without human intervention — “set it and forget it.” Humans are meant to configure them and then let them run. Users don’t stay logged into the OT environment all day long the way business users do in IT systems.
In this context, anyone who accesses the OT environment is effectively an outsider. Whether it’s a vendor connecting remotely, a business user logging in via the IT network, or even an OT operator accessing an on-premises environment, every connection comes from the outside. Recognizing this key point will help CISOs understand why industrial secure remote access (I-SRA) tools should be used for all access scenarios, not just those that IT would consider “remote.”
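The following access gate illustrates what "every connection comes from the outside" means in practice. It is an added example written for this article, not Cyolo's code and not a description of its I-SRA product. It assumes three controls that any OT session must satisfy no matter where it originates: verified MFA, an approved maintenance ticket, and a brokered session that the gateway records. The origin labels, ticket ids and requests are constructed.

```python
"""Uniform access gate for OT sessions.

Added example, not Cyolo's code or a description of its I-SRA product. It
assumes three controls every OT session must satisfy regardless of where
it originates: verified MFA, an approved maintenance ticket, and a
brokered (recorded) session. Origin labels and requests are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple
import json


@dataclass(frozen=True)
class AccessRequest:
    user: str
    origin: str              # constructed labels: "vendor", "it_network", "plant_floor"
    target: str              # OT asset being accessed
    mfa_verified: bool
    ticket: Optional[str]    # approved maintenance ticket id, None if absent
    brokered: bool           # True when the gateway proxies and records the session


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). The checks never look at req.origin:
    an on-site operator is treated exactly like a remote vendor."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if not req.ticket:
        reasons.append("no_approved_ticket")
    if not req.brokered:
        reasons.append("unbrokered_session")
    return (not reasons, reasons)


def audit_record(req: AccessRequest, now: Optional[datetime] = None) -> str:
    """One JSON line per connection attempt, written whether or not it is allowed."""
    allowed, reasons = evaluate(req)
    return json.dumps({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": req.user,
        "origin": req.origin,
        "target": req.target,
        "allowed": allowed,
        "reasons": reasons,
    }, sort_keys=True)


# Constructed requests covering the three scenarios named in the text
SAMPLE_REQUESTS = [
    AccessRequest("vendor-eng", "vendor", "plc-line1", True, "MT-1042", True),
    AccessRequest("alice", "it_network", "scada-hmi", True, None, True),
    AccessRequest("operator-7", "plant_floor", "plc-line1", True, "MT-1043", False),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit_record(req))
```

Note that the plant-floor operator in the last request is denied for exactly the same reason a vendor would be: the session is not brokered, so it would not be recorded. The audit line is emitted for denied attempts too, which is what makes "monitored, controlled and logged" hold for all access rather than only for sessions that succeed.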
IT tools don’t (always) work for OT
Tools designed for IT almost never translate to OT.
- Basic functions like vulnerability scanning can interrupt OT processes and take the system completely offline, and most devices don’t have enough CPU/RAM to support endpoint security, anti-virus, or other agents.
- Most IT tools route traffic through the cloud. In OT, this may compromise availability and may not support many of the disconnected components that are common in OT environments.
- The IT tool life cycle is typically much shorter than the OT device life cycle. Because of the always-on nature of the OT environment, any tool that must be patched, updated, or replaced frequently is not viable.
Forcing IT-designed tools into an OT environment only adds complexity without addressing the fundamental security requirements and priorities of these environments. The sooner CISOs realize that OT systems deserve security solutions designed for their specific needs, the sooner they will implement the best tools and policies.
Soft skills are the key to CISO success
Given that most cybersecurity leaders today tend to come from IT security roles, it makes sense that many CISOs will have a (perhaps unconscious) bias toward IT philosophy, tools, and practices. To secure the OT environment effectively, CISOs need to become students again and rely on others to learn what they don’t know.
The good news is that CISOs generally have a tendency to ask the right questions and seek support from the right experts while still pushing hard and demanding positive results. Ultimately, the CISO’s job is to lead people and teams of experts to achieve the larger goal of securing the company and enabling business. Those willing to bridge the OT security gap through strong leadership and a willingness to learn should quickly find themselves on the road to success.
To learn about real-world solutions that can help CISOs better secure their OT environments, visit Cyolo.