With many security organisations in Australia now responsible for protecting both IT and OT environments, there is a great opportunity to manage cyber-risk more holistically across the industrial enterprise. Doing so efficiently requires integrating the two security programmes and leveraging existing processes wherever possible, as well as specialised security tools that provide visibility into each environment.
It also requires an understanding of OT networks: the common misconceptions about how they differ from IT networks, their specific security vulnerabilities, and how best to protect them.
OT’s proprietary nature offers protection
One common misconception stems from OT’s long history as a technology isolated from IT: the belief that OT relies on decades-old, proprietary technologies that are not vulnerable to today’s cyber-attacks.
Unfortunately, the truth is quite the opposite. OT networks are often vulnerable precisely because they were designed decades ago, when security was not top of mind. Furthermore, many industrial facilities do not have up-to-date documentation of what exists within their control environments or of how that equipment interacts.
In these scenarios, behavioural monitoring that does not depend on device-specific protection techniques or on detailed knowledge of how individual components function can be extremely valuable. These technologies monitor OT networks to establish a baseline of normal behaviour, then detect and alert on any deviation from it.
This is hugely valuable because, unlike people-centric IT networks, OT networks are machine-centric and therefore highly predictable: any behavioural anomaly is highly likely to represent compromise by a cyber-attack.
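The following is an added illustration of the baseline-then-alert approach described above; it is not code from the article or from any vendor product. It assumes a simplified flow record (source, destination, TCP port, protocol operation) of the kind a passive OT monitor would extract, and all addresses, devices and Modbus-style operation names are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed conversation between two OT devices (constructed record format)."""
    src: str
    dst: str
    port: int
    function: str  # protocol operation, e.g. a Modbus function name (constructed labels)


# Constructed learning-phase traffic: an HMI (10.10.1.5) and an engineering
# workstation (10.10.1.7) talk to two PLCs (10.10.1.20, 10.10.1.21) over Modbus/TCP.
BASELINE_TRAFFIC = [
    Flow("10.10.1.5", "10.10.1.20", 502, "READ_HOLDING_REGISTERS"),
    Flow("10.10.1.5", "10.10.1.21", 502, "READ_HOLDING_REGISTERS"),
    Flow("10.10.1.7", "10.10.1.20", 502, "READ_HOLDING_REGISTERS"),
    Flow("10.10.1.7", "10.10.1.20", 502, "WRITE_SINGLE_REGISTER"),
]

# Constructed operational traffic fed through the learned baseline afterwards.
OPERATIONAL_TRAFFIC = [
    Flow("10.10.1.5", "10.10.1.20", 502, "READ_HOLDING_REGISTERS"),    # matches baseline
    Flow("10.10.1.5", "10.10.1.20", 502, "WRITE_SINGLE_REGISTER"),     # HMI never wrote before
    Flow("10.10.1.99", "10.10.1.21", 502, "WRITE_MULTIPLE_REGISTERS"),  # unknown host
]


class Baseline:
    """Model of who talks to whom, on which port, using which operations.

    Because OT traffic is machine-to-machine and repetitive, a few days of
    observation usually captures the full set of legitimate conversations."""

    def __init__(self):
        self.devices = set()                 # every address seen as src or dst
        self.conversations = set()           # (src, dst, port) tuples
        self.functions = defaultdict(set)    # (src, dst, port) -> operations used

    def learn(self, flows):
        """Learning phase: record every device, conversation and operation seen."""
        for f in flows:
            self.devices.update((f.src, f.dst))
            key = (f.src, f.dst, f.port)
            self.conversations.add(key)
            self.functions[key].add(f.function)

    def check(self, flow):
        """Return anomaly labels for one flow; an empty list means it matches the baseline."""
        alerts = []
        for addr in (flow.src, flow.dst):
            if addr not in self.devices:
                alerts.append(f"new_device:{addr}")
        key = (flow.src, flow.dst, flow.port)
        if key not in self.conversations:
            alerts.append(f"new_conversation:{flow.src}->{flow.dst}:{flow.port}")
        elif flow.function not in self.functions[key]:
            # Known pair, but an operation it has never used (e.g. a read-only
            # HMI suddenly writing registers) is the classic OT warning sign.
            alerts.append(f"new_function:{flow.src}->{flow.dst}:{flow.function}")
        return alerts


def monitor(baseline, flows):
    """Detection phase: map each anomalous flow to the alerts it raised."""
    findings = {}
    for f in flows:
        alerts = baseline.check(f)
        if alerts:
            findings[f] = alerts
    return findings


if __name__ == "__main__":
    baseline = Baseline()
    baseline.learn(BASELINE_TRAFFIC)
    for flow, alerts in monitor(baseline, OPERATIONAL_TRAFFIC).items():
        print(flow, "->", ", ".join(alerts))
```

The model deliberately keys on conversations and operations rather than on device make or firmware version, which is what lets it work without the detailed asset documentation many plants lack; in practice the learning window must be long enough to include infrequent but legitimate activity such as scheduled engineering changes, or those will surface as alerts.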
OT and IT can be secured in the same way
Another misconception is that IT and OT are the same and can therefore be treated the same when security measures are developed and implemented. This is not the case.
Corporate IT networks have scheduled downtime in which system upgrades can be installed and vulnerabilities patched. OT networks, on the other hand, often operate around the clock to maximise productivity, so taking OT assets offline for maintenance or security upgrades can disrupt production and directly affect revenue.
Further complicating vulnerability management for industrial enterprises is the 25-year (or longer) lifecycle of most OT assets, which often run proprietary applications on legacy operating systems. Many of these systems were never designed to be patched, and that leaves them exposed. Upgrading this hardware and software is expensive, and vulnerabilities are of little consequence in the absence of credible threats; unfortunately, the last several years have seen a marked rise in capable and willing attackers.
OT and IT networks are separate
One of the most common misconceptions is that IT networks are separate from OT networks, and that OT networks therefore do not require protection from cyber-attacks because they are separated from the Internet by ‘air gaps’.
What many organisations don’t realise is that today’s OT environments are highly networked and integrated with IT networks to optimise efficiency.
Recent cyber-attacks on IT networks have demonstrated that attacks on IT networks can cause extensive “spill-over” damage to industrial environments when the malware spreads from the IT network to poorly segmented OT networks.
While IT systems with good backups can recover lost data relatively quickly, the impact of a malware attack on an OT environment can potentially be far worse. This was the case in 2019, when global aluminium producer Norsk Hydro was hit by the LockerGoga ransomware that infected 22,000 computers across 170 sites in 40 countries. The result was the entire workforce - 35,000 people - resorting to pen and paper and production lines being closed down.
Integration with IT networks is beneficial because it facilitates data sharing across the enterprise and with third parties, but it also brings cyber security concerns.
For example, some OT networks require management and access by third-party vendors to support equipment. By granting this access, organisations expose themselves to new vulnerabilities, trusting that their partners follow the stringent cyber security controls and practices the organisation itself enforces. Many security breaches have come through third-party vendors of this kind, who prove to be the weakest link in the chain.
Organisations with OT networks need to protect them not only from threats posed by the Internet but also from threats introduced by unmanaged remote access.
OT and IT integration creates many potential benefits, such as gaining access to data from the OT environment for analysis, and giving business divisions better visibility into production processes.
But knowing how to protect an OT network from a cyber-attack is imperative. Protection can take the form of reducing the OT attack surface with tools that manage the tracking, approval and auditing of remote access requests, and of tools that quickly detect the behavioural changes that indicate an attack is underway.
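As an added example of the “tracking, approval and auditing of remote access requests” just described, the broker below is a hypothetical design and not code from the article or from any vendor product. It assumes that every vendor connection to an OT asset must reference a request that a separate approver has tied to a time window, that no vendor can approve its own request, and that every allow or deny decision lands in an append-only audit trail; the vendor, asset and timestamp values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessRequest:
    request_id: str
    vendor: str                 # third-party account asking for access
    asset: str                  # the single OT asset the request covers
    reason: str
    approved_by: Optional[str] = None
    window_start: Optional[datetime] = None
    window_end: Optional[datetime] = None


class RemoteAccessBroker:
    """Hypothetical broker that tracks, approves and audits vendor access to OT assets."""

    def __init__(self):
        self.requests = {}
        self.audit = []  # append-only (timestamp, event, request_id, detail) records

    def _log(self, when, event, request_id, detail):
        self.audit.append((when, event, request_id, detail))

    def submit(self, request_id, vendor, asset, reason, when):
        """Tracking: a vendor must state what it needs to touch and why."""
        req = AccessRequest(request_id, vendor, asset, reason)
        self.requests[request_id] = req
        self._log(when, "requested", request_id, f"{vendor} -> {asset}: {reason}")
        return req

    def approve(self, request_id, approver, start, duration, when):
        """Approval: someone other than the vendor grants a bounded time window."""
        req = self.requests[request_id]
        if approver == req.vendor:
            raise ValueError("a vendor cannot approve its own request")
        req.approved_by = approver
        req.window_start = start
        req.window_end = start + duration
        self._log(when, "approved", request_id,
                  f"by {approver} until {req.window_end.isoformat()}")

    def authorize(self, request_id, vendor, asset, now):
        """Enforcement: decide one connection attempt; every decision is audited."""
        req = self.requests.get(request_id)
        if req is None:
            reason = "unknown request"
        elif req.approved_by is None:
            reason = "not approved"
        elif vendor != req.vendor or asset != req.asset:
            reason = "identity or asset mismatch"
        elif not (req.window_start <= now < req.window_end):
            reason = "outside approved window"
        else:
            reason = None
        self._log(now, "allowed" if reason is None else "denied",
                  request_id, reason or f"{vendor} -> {asset}")
        return reason is None


# Constructed timeline used by the stand-alone run below.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)


def demo():
    """Walk one request through its lifecycle and return the audit event sequence."""
    broker = RemoteAccessBroker()
    broker.submit("REQ-1", "vendor-acme", "plc-20", "firmware health check", T0)
    broker.authorize("REQ-1", "vendor-acme", "plc-20", T0)            # denied: not approved
    broker.approve("REQ-1", "ot-supervisor", T0 + timedelta(hours=1),
                   timedelta(hours=2), T0 + timedelta(minutes=5))
    inside = T0 + timedelta(hours=1, minutes=30)
    broker.authorize("REQ-1", "vendor-acme", "plc-20", inside)        # allowed
    broker.authorize("REQ-1", "vendor-acme", "plc-21", inside)        # denied: wrong asset
    broker.authorize("REQ-1", "vendor-acme", "plc-20", T0 + timedelta(hours=4))  # expired
    return [event for _, event, _, _ in broker.audit]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the design is that remote access is never a standing credential: the approval names a single asset and a window, and the audit trail records denials as well as successes, which is exactly the record an investigator needs when a third-party account is later suspected of being the weakest link.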
Eddie Stefanescu is Regional Vice President, Business - Asia Pacific & Japan at IoT/OT specialist Claroty.