There’s an old expression that says, “when it rains it pours.” This has never been more true than it is of the current impact of digital transformation on security teams charged with protecting IT and OT networks.

By Doros Hadjizenonos, regional director: SADC at Fortinet

Today’s CSOs and CISOs find themselves at a crossroads in the transition of their role within an organisation. They not only serve as security experts, but also guide business decisions in order to ensure that security is woven into the expanding infrastructure. The challenge is that this has to be accomplished effectively, efficiently, and comprehensively, as there are simply not enough skilled cybersecurity professionals to address the expanding, convergence-driven security challenges.

At the same time, the unprecedented proliferation of IoT devices challenges security solutions to identify, secure, and monitor more devices and higher volumes of traffic than ever. The challenge is broader still because networks are expanding into new ecosystems, such as multi-cloud, mobility, and SD-WAN.

The rapid expansion of the attack surface exacerbates the demands on security professionals and presents a scenario where dropping the ball on security is most likely to happen. At the same time, the demands of the new and evolving digital economy compound the implications of a lapse in security. Adversaries and motivated cybercriminals deploy increasingly sophisticated attacks to accomplish extortion, espionage, and even sabotage.

The Security Implications of Converging IT and OT

Nowhere are the implications of these security challenges more apparent than in the convergence of OT and IT networks. For many cyber-physical organisations, OT is the fuel that drives the success of the business. Manufacturing floors, assembly lines, inventory management, and production lines provide the goods and services that consumers demand. It is imperative in today’s digital marketplace to be able to respond to consumer demand as quickly as possible, so many organisations are looking to implement IT efficiencies and solutions in a network environment that traditionally runs in isolation.

Convergence is clearly a double-edged sword. Failure to integrate IT and OT environments means that production lags behind demand and market share can be quickly lost to competitors that are simply more nimble.

Contrasting IT and OT System Values

A significant component of the challenge is that IT and OT networks are founded on very different, and often highly contradictory, priorities. IT networks generally follow the well-established Confidentiality/Integrity/Availability (CIA) model. The emphasis is on ensuring the confidentiality of critical data, transactions, and applications, maintaining network and data integrity, and only then ensuring the protected availability of networked resources. These priorities tend to be the basic building blocks of any security strategy.

Conversely, OT networks depend upon and operate with an exactly inverted model. The safety and availability of resources is the topmost priority. Assembly lines, furnaces, generators, and other large systems simply should never go offline. Monitoring critical systems, such as pumps, valves, and thermostats, is essential since any system errors can translate into huge financial loss and pose catastrophic risk to the life and well-being of workers and communities. The integrity of those systems is the second highest OT system priority. As a result, systems that are functioning as designed are rarely patched, updated, or changed. The operative model is, “if it ain’t broke, don’t fix it.”

Confidentiality, the third component of the OT value model, receives far less attention. OT networks have historically addressed this element by simply being air-gapped from the IT network and the internet. Within the network itself, however, most OT environments were designed around implicit trust. It is not unusual for an engineer to be able to control any Programmable Logic Controller (PLC), a device that controls manufacturing processes such as assembly lines or robotic devices, anywhere in the OT network using a single laptop. This supports requirements such as the rapid troubleshooting of issues happening anywhere in the plant or factory.

Conclusion

Converging IT and OT environments is essential for many organisations to compete effectively in today’s digital economy. But unless great care is taken and the needs of the OT environment are fully understood, a broadened attack surface will be available to adversaries. Both criminally motivated and nation-state-driven cyber actors will carry out a wide array of attack scenarios, with consequences that can include lost revenue, damaged brand reputation, significant damage to physical plant, and, even worse, lost lives.