Securing OT Environments from Cyber Threats
By Jim Montgomery, Principal Solutions Architect with TXOne Networks
Securing operational technology (OT) environments from the latest barrage of vulnerabilities and threats is no easy task. We are constantly reminded of the vulnerabilities and exposure that plague the OT world. From Industroyer, to Stuxnet, to new and laser-focused attacks like Pipedream, we are at a distinct disadvantage when it comes to protecting industrial control systems (ICS).
The scope of concern with an attack like Pipedream is that it targets common programmable logic controllers (PLCs) used by a range of companies, in sectors that no government wants to see disrupted. Additionally, it is assumed to have been developed by a nation-state, which means its scope for disruption could be catastrophic. Pipedream is also part of a larger malware framework, which means that whoever created it did so as part of a long-term effort. While security is not an easy task, its immediacy and priority must certainly be recognized and addressed.
OT’s counterparts in information technology (IT) have had a strong head start and several advantages when it comes to securing environments. One of the primary factors that separates IT from OT is that OT comprises systems that date back decades. This is also a reason why those who manage OT are reluctant to upgrade and patch. There is sensitivity around the need to change and modify legacy operating systems in order to move to modern ones, and the directive to keep the operation running at all costs adds to the technical challenges present in OT.
One of the most prevalent issues an IT organization struggles with is the challenge of implementing an OT security strategy. While IT departments are well-versed on protection strategies in their carpeted spaces, the shop floor is a new, highly complex environment, built from decades of necessity, and typically in a silo. IT has been kept at arm’s length when it comes to OT. The prevailing OT strategy has been, “If it’s not broken, don’t fix it.” In order to ensure the security and integrity of today’s ICS and critical infrastructure, that’s simply not an acceptable approach.
If we look at history for perspective, we recognize similar struggles related to cloud adoption and protection. Every organization is somewhere along a continuum moving from the awareness stage, all the way to a fully implemented security strategy to protect the cloud environment. IT departments struggled to understand the new environment, and moving into cloud or hybrid compute environments necessitated a new way of thinking, as well as a modified organizational structure. Most importantly, the move required a skillset update for the engineers who were involved and tasked with securing these environments.
IT/OT Cross-Functional Teamwork
OT is not any different. Implementing protection at the OT level will require new skills to be acquired by the individuals tasked with security. The primary question that needs to be addressed right up front is: who owns the task of securing the environment? If it is decided that this is an OT initiative, we find a critical shortage of skills when it comes to executing basic IT tasks. Choosing the IT department to lead the charge provides instant skills related to security, but likely not much knowledge of OT/ICS environments. When you account for the skills gap and the lack of operational ownership, you have a recipe for a project that gets bogged down indefinitely.
The most successful projects are generally top-down directives. It was true in cloud, and it is certainly also true in creating a protection strategy targeting ICS. We must eliminate the siloed approach to security. Yes, OT is different, but the general strategies and the necessity of protection are critical to the overall health of our population, economies, and enterprises. A joint effort is required between the teams, creating a cross-functional organization that combines security knowledge with OT know-how to get the job done.
Success comes down to our ability to adapt, learn, and cooperate within our organizations to achieve a protection strategy that transcends network and functional role boundaries. Our people are the most valuable asset we have. We must encourage the awareness, required growth, and learning in our organizations to equip all of our assets with the mindset and discipline to protect our environments, eliminate the operational and technological silos, and take a positive step toward securing our infrastructure against outside forces intent on disruption of service or monetary gain.