The Changing Face of OT Security
By Thinking of IT, OT and IoT as Components of One Backbone, We Can Improve Resiliency
Well before the COVID-19 crisis, companies had already started to realize the business value digital transformation unlocks in terms of operations efficiency, performance, and quality of services. Projects such as opening new connectivity vectors to enterprise infrastructure, and collecting data from machinery and processes to store and analyze it in the cloud, cemented the role that cloud on-demand infrastructure plays in the modern enterprise. Others had progressed even further, with devices on the edge or robots in warehouses and on factory floors that monitor, manage, and execute processes leveraging the power of machine learning and artificial intelligence. The COVID-19 crisis accelerated digital transformation, revealing that companies further down the path were able to pivot faster to continue operations and gain competitive advantage.
In lockstep with these digital transformation projects, we’ve seen organizations think much more holistically about how operational technology (OT) fits into their overall cybersecurity strategy. They are adopting the best practice of centralizing responsibility and accountability for securing the OT environment with the CISO. This organizational change, which began over the last two to three years, is paying off. CISOs who had already started to incorporate their OT cyber programs into their overall core security controls, and who looked at risk management and governance practices holistically, empowered their IT and OT teams to support dramatic changes to the workplace – sometimes overnight – with data and processes secured.
So, what has changed and why is it important?
OT networks are no longer a mystery. Security teams have become increasingly sophisticated in their understanding of OT. They realize that trying to apply the same IT playbook to OT environments introduces unnecessary complexity, and that measures such as lengthy physical segmentation projects within the OT networks and deploying multiple security tools don’t scale and don’t reduce risk immediately. At the same time, they understand that while the approach to protect OT networks might be significantly different, the outcomes are the same.
OT networks are designed to communicate and share much more information than is typically available from IT components – the software version they are running, firmware, serial numbers, and more. As such, OT network traffic provides all the security information needed to monitor for threats. Agentless solutions that are purpose-built for OT visibility and continuous threat monitoring can be implemented quickly, integrate equally well with OT and IT systems and workflows, enable IT and OT teams to look at OT environments together, work from the same set of information, and take specific steps to build resiliency. Understanding which processes and technologies can be brought under the umbrella of the security organization and which ones still require special treatment goes a long way toward achieving the shared objective of risk reduction.
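To make the point about passive, agentless visibility concrete, here is an added example (not code from the original article or from any vendor it describes). It assumes a passive sensor has already extracted per-device metadata from OT protocol traffic into simple records; the record fields, serial numbers, vendor names, IP addresses and the baseline list are all constructed for illustration. The script builds an asset inventory from those records and raises the kinds of findings a continuous-monitoring workflow would hand to both IT and OT teams: a device not in the approved baseline, a firmware version that changed between observations, one serial seen at several addresses, and a baselined device that was never observed.

```python
"""Passive OT asset inventory built from traffic-derived device metadata.

Added example; not from the original article. The observations below are
constructed to resemble what an agentless OT sensor extracts from protocol
traffic (vendor, model, firmware, serial). All names and values are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class Observation:
    ts: int          # epoch seconds when the packet was seen
    ip: str          # source address of the device
    serial: str      # serial number advertised by the device
    vendor: str
    model: str
    firmware: str
    protocol: str    # e.g. modbus, dnp3, s7comm (labels only)


@dataclass
class Asset:
    serial: str
    vendor: str
    model: str
    first_seen: int
    last_seen: int
    ips: set = field(default_factory=set)
    firmware_history: list = field(default_factory=list)  # [(ts, firmware), ...]


# Constructed sample data: what a passive sensor might emit over a few minutes.
OBSERVATIONS = [
    Observation(1000, "10.20.1.10", "SN-A100", "VendorX", "PLC-200", "2.1.4", "modbus"),
    Observation(1060, "10.20.1.11", "SN-B200", "VendorY", "RTU-5", "5.0.0", "dnp3"),
    Observation(1120, "10.20.1.10", "SN-A100", "VendorX", "PLC-200", "2.1.4", "modbus"),
    Observation(1180, "10.20.1.10", "SN-A100", "VendorX", "PLC-200", "2.2.0", "modbus"),  # firmware changed
    Observation(1240, "10.20.1.12", "SN-B200", "VendorY", "RTU-5", "5.0.0", "dnp3"),      # same serial, new IP
    Observation(1300, "10.20.1.50", "SN-C300", "VendorZ", "HMI-1", "1.0.0", "s7comm"),    # not in baseline
]

# Constructed baseline: serials the security team has already reviewed and approved.
BASELINE = {"SN-A100", "SN-B200", "SN-D400"}


def build_inventory(observations):
    """Fold time-ordered observations into one Asset per serial number."""
    inventory = {}
    for o in sorted(observations, key=lambda o: o.ts):
        asset = inventory.get(o.serial)
        if asset is None:
            asset = Asset(o.serial, o.vendor, o.model, o.ts, o.ts)
            inventory[o.serial] = asset
        asset.last_seen = o.ts
        asset.ips.add(o.ip)
        # Record a firmware entry only when the version differs from the last one seen.
        if not asset.firmware_history or asset.firmware_history[-1][1] != o.firmware:
            asset.firmware_history.append((o.ts, o.firmware))
    return inventory


def findings(inventory, baseline):
    """Return sorted (kind, serial, detail) tuples for conditions worth reviewing."""
    out = []
    for serial, a in inventory.items():
        if serial not in baseline:
            out.append(("new-asset", serial, f"{a.vendor} {a.model}"))
        if len(a.firmware_history) > 1:
            out.append(("firmware-change", serial,
                        " -> ".join(fw for _, fw in a.firmware_history)))
        if len(a.ips) > 1:
            out.append(("multiple-ips", serial, ",".join(sorted(a.ips))))
    for serial in baseline - inventory.keys():
        # Approved device that never appeared on the wire: offline, moved, or sensor blind spot.
        out.append(("not-observed", serial, ""))
    return sorted(out)


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for kind, serial, detail in findings(inv, BASELINE):
        print(f"{kind:16} {serial:8} {detail}")
```

Each finding is a review item, not a verdict: a firmware change may be a scheduled update, and a serial seen at two addresses may be a DHCP lease change. The value is that IT and OT teams triage the same list, derived from the same traffic, against the same baseline.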
Mindsets are shifting. Humans are used to doing things a certain way and our natural tendency is to continue down the same path. However, as COVID-19 taught us, when faced with a crisis we are willing to experience short-term pain for long-term gains. And organizations are making the necessary investments to realize those gains. A recent McKinsey & Company survey found that over the next 12 months large enterprises will spend even more on network security, identity and access management, and messaging security, which are the exact priorities of a distributed workforce and infrastructure.
The move to cloud infrastructure is forcing security teams to be more accepting of cloud infrastructure for OT cyber products. Cloud-based solutions can be more secure, can be updated more easily, and can have new features added more quickly. There are technically feasible ways of making this transition happen, but they require a change in mindset and sometimes temporary disruption of existing processes. Of course, this trend will be much slower in certain industries such as electric utilities, whose business criticality and in some cases regulation prevent faster adoption, but the vast majority of organizations that rely heavily on OT networks will be able to benefit from cloud infrastructure for OT cybersecurity.
Labels matter less. As part of the convergence of IT and OT, the labels that we put on different parts of the network and endpoints aren’t very important and could be holding us back. To adversaries, infrastructure is infrastructure, so attacks are intertwined. NotPetya is a prime example of an attack devised to spread quickly and indiscriminately across an organization. While OT networks were not the primary target, the accidental spill-over of NotPetya from IT to OT networks was a wake-up call that, instead of using labels, we must think holistically.
What matters is criticality to the organization, striving for a consolidated picture of our technology infrastructure, and having a consistent governance and risk posture. We still have a large portion of networks that are invisible to attackers – call it OT, IoT or Industrial IoT. Security teams are becoming laser focused on illuminating these assets and applying the same security controls to them as to the rest of the organization. By thinking of IT, OT and IoT as components of one backbone, we can improve resiliency. Again, the specific solution applied might be different, but the desired outcome is the same – risk reduction.
There’s a lot that has changed about OT security – for the better. As we understand OT environments more deeply, shift our mindsets to protect them more effectively, and view our infrastructure more completely, we can take full advantage of cloud on-demand infrastructure to modernize our enterprise while building resiliency.