By Sachin Shah, CTO of OT, Armis
The distinction between information technology (IT) and operational technology (OT) is rapidly converging as the Industrial Internet of Things (iIoT) – with cross-boundary traffic pollination from enterprise-connected devices, applications, and connectivity of all types – proliferates across the Federal ecosystem.
Agencies have long managed and secured these two types of technologies in distinct silos, using different approaches and solutions, sharing little data, and relying on management by distinct teams with unique skill sets. They have also largely relied on control segmented networks to protect OT devices. The convergence of IT and OT is closing that gap, and in doing so is making the legacy siloed security model increasingly outdated and risky.
Although many legacy control systems still maintain effective segmented networks, the trend is to connect OT devices on the edge directly to the enterprise network. As a result, the Purdue Enterprise Reference Architecture model, which for years indicated a standard hierarchy of applications, controls, data flows, and enforcement boundaries, is being flattened and the lines between levels are dissolving. Today, agencies simply can’t secure OT without securing IT along with it.
The industry is already embracing a more integrated approach to IT/OT security, with Gartner projecting “by 2025, 75 percent of OT security solutions will be delivered via multifunction platforms interoperable with IT security solutions.” Gartner further notes that “brownfield operational technology/information technology convergence acceleration and a growing number of greenfield cyber-physical systems push OT security needs to evolve, and more IT security leaders to become involved, as threats and vulnerabilities increase.”
Today’s agencies need a passive and agentless security approach that secures all types of connected devices—OT, IT, and IoT devices. It needs to be able to:
- Generate a comprehensive inventory of all connected devices – OT & IT
Today’s enterprises still struggle to see their complete IT asset inventory – from managed to unmanaged to IoT devices, from virtual machines to clouds, and more. Most organizations cannot accurately identify all of the devices in their environment and airspace – on-premises and on the edge – leaving them exposed to compliance, vulnerability, and security issues.
- Ensure that all devices and technology are discoverable
IT teams depend on asset discovery and configuration transparency to ensure visibility into the environments they manage. If the IT team cannot see a device, they cannot securely manage it. Therefore, government agencies must ensure discoverability – with the ability to track IT and OT devices in real-time – identifying critical information, such as location, users, which applications they are using, and more.
- Deliver comprehensive coverage for security controls, devices, and communication.
The security controls should meet most of the important cybersecurity goals specified by security frameworks such as NIST CSF or CIS CSC, and NISTIR 8228. In the IT world, this typically requires the use of several different security tools. For the OT environment, it would be desirable to obtain comprehensive coverage of the required security controls using as few tools as possible. The security platform should work for all types and brands of devices common to agencies and their facilities, including IP security cameras, fire alarm systems, switches, firewalls, wireless access points, printers, and more. Finally, the platform must be able to directly monitor all communication pathways that could be used by a cyber attack, including Ethernet, Wi-Fi, Bluetooth, BLE, and possibly other wireless protocols such as Zigbee. Wireless coverage is important because attackers can exploit vulnerabilities such as BlueBorne, KRACK and Broadpwn to compromise OT devices over the air, without any user interaction.
- Identify risks associated with every device
Beyond discovering the assets, agencies require a platform that enables them to identify risks and vulnerabilities for devices in the office, at remote locations, as well as those interacting with cloud environments. This requires understanding what a device is and how it is being used and an inherent understanding of device characteristics. The organization must then be able to compare the device’s individual risk profile with the agency’s risk posture to provide security and policy enforcement. Automation is critical to ensure accuracy and efficiency when managing environments with tens of thousands of devices and counting.
- Passively monitor the behavior and communication patterns of every device
Real-time collective intelligence helps agencies make policy recommendations to better protect their environments, maintain mission continuity and operational resiliency, and reduce risk. The ability to passively monitor all unmanaged and OT, IT, and IoT devices on a network and in the airspace is key to not interfering with device performance.
- Take automated actions to thwart attackers
When a device operates outside of its known-good profile, the platform should issue an alert and/or trigger automated actions. The platform must have the ability to correlate observed activity in the network with broader industry and device-specific threat intelligence, as well as take into account the presence of vulnerabilities and other risk factors to detect actual attacks with higher confidence.
The security outcomes needed for OT environments are well understood but can’t be achieved using traditional security tools. Neither specialized OT security tools nor traditional IT security tools were designed for today’s hybrid OT/IT environment. With the continued convergence of OT and IT, agencies need a different approach to security—one that bridges the two domains for a more secure agency and greater mission continuity.
About the Author
Sachin Shah is the Chief Technology Officer, OT at Armis. A Chief Technology Officer, OT at Armis Security, He is responsible for setting a technology, outlining the goals, resources, and timelines for the research and development team of all technological services. Making executive decisions on behalf of the company’s technological requirements, he also acts as a mentor to evangelize the technical leadership team, maintaining a consumer-focused outlook and aiding in the delivery of projects to market. He is also responsible for ensuring all technology practices adhere to regulatory standards. He is a visionary public speaker to meet current and future technology security needs.