by Anastasios Arampatzis
The information technology (IT) and operational technology (OT) domains are converging. According to Automation, 82% of survey respondents worked at organizations where IT – OT collaboration was either in its early stages or already a productive business reality. In addition, Gartner estimates that 50% of OT service providers would partner with IT-centric providers for Internet of Things (IoT) offerings.
The IT – OT convergence introduces benefits and challenges. In a series of articles, we are going to review how OT security (or the lack of it) impacts crucial sectors and our society. But first, a bit of background information.
What is Operational Technology?
First, let us remember what Information Technology is. According to ISO/IEC 38500:2015, Information Technology is the set of “resources (especially computers and telecommunication) used to acquire, process, store, and disseminate information.” Therefore, under the term IT we can include communication networks and interfaces, IP protocols, computing systems, software applications and operating systems, and databases.
On the other hand, ISO/IEC TR 23188:2020 defines Operational Technology as the “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices and systems, processes and events in the organization.”
Reading the above definition, we understand that OT includes:
- Customized communication networks and interfaces, computing systems, applications, operating systems, and other technologies critical for the real-time operation of industrial processes.
- Interface and component technologies of Industrial Control Systems, such as PLCs, and SCADA.
IT – OT convergence
As part of their digital transformation initiatives, industries are connecting previously isolated services and systems either internally with corporate systems or externally with partners through the open internet. The main driver is to improve their operations, increase manufacturing production, and facilitate decision making through insights for future business needs.
In this framework, industries are bringing together their IT and OT environments to enhance their physical operations. IT – OT convergence enables organizations to use their IT network within the OT domain to better manage their OT and ICS assets and control the critical operational functions of sensors and other Industrial Internet of Things (IIoT) devices.
Risks of IT – OT convergence to health, safety and environment
The convergence of IT and OT worlds benefits industries and greatly enhances efficiency. Businesses can centrally control and monitor the various production phases and identify faults and hazards through data acquisition and auditing. Early warning notifications for hazardous conditions allow industries to reduce the impact of potential incidents, safeguard the health and safety of employees and preserve the environment.
Besides the above benefits, organizations face several challenges in bringing their OT and IT environments together. The increased use of interconnected IT devices in the OT domain has created increased interdependencies among all OT components. These interdependencies can create new systemic risks and challenges that were not present for as long as OT systems were isolated.
The biggest challenge that industries need to focus on is the exposure of critical OT systems to cyber risks. The impact of cyberattacks is no longer limited to data breach and financial consequences. These attacks can have catastrophic repercussions on the physical world and may even result in a loss of human lives, just like it happened recently at a German hospital.
What many organizations fail to notice is that cyber-attacks are not affecting only cyber-enabled systems, they can impact our physical world. Cyber-physical attacks create an increasing risk on health, safety and environment (HSE). According to the European Union for Safety and Health at Work (EU-OSHA), Health, Safety and Environment (HSE) is a multidisciplinary framework of actions that organizations must take to ensure the protection of the environment without harming the health and safety of their employees or local communities.
These cybersecurity incidents happen when organizations are negligent and fail to establish and enforce strong security controls to protect against emerging cyber threats. While in some sectors the damage is typically financial or reputational, in critical industrial sectors the damage can be physically devastating. For example, when the air or the water is polluted because of a cyber-attack, or when people’s health and safety is jeopardized, the consequences are far-reaching. The recent incident in Florida proves how serious the consequences can be when OT security is weak.
Cybersecurity is a shared responsibility
Considering the far-reaching effects of cyber-physical incidents and attacks, industry executives must understand that cyber risks can become as serious as the “traditional” safety risks they are used to address. In fact, cyber threats can trigger safety risks if organizations fail to establish adequate measures to prevent them.
Figure 1: Cybersecurity is a shared responsibility. Source: Siemens
Based on this context, cyber risk can no longer be regarded as a siloed responsibility of the IT department. Just like technology has blurred the boundaries between IT and OT, risks in the IT world can quickly become business risks. An isolated approach to cybersecurity creates blind spots that adversaries are eager to exploit to launch their nefarious actions. In fact, Siemens mentions in a report that:
Cybersecurity should be a shared responsibility of all employees in a company, from the executive suite to close collaboration among OT, operations, and enterprise IT. Cybersecurity should also engage health, safety, and environmental (HSE) teams, because of the potential HSE impacts of a severe security breach. HR must be involved, too, because all employees need to be aware, trained, and accountable for their potential roles, intentional or not, in opening the doors — physically or virtually — to attackers.
What are the steps to enhance OT cybersecurity?
ADACOM offers a wide range of services related to OT Security starting with the recommended OT Security Assessment and gradually moving to actual implementation of Security controls, based on best practices, that provide:
- Visibility, so that the organization is able to see all OT assets and behaviors in its networks.
- Detection of cyber threats, vulnerabilities, risks and anomalies.
- Analysis & Evaluation of identified risks.
- Prioritization of proposed remediation controls.
- Unification of monitoring and Protection against advanced and targeted OT related attacks.
through a combination the most appropriate solutions focusing on:
- Identification, classification and prioritization of OT Assets
- Dynamic segmentation of the network and segregation of IT from OT
- Deep analysis and protection of the traffic and the environment for threats and vulnerabilities, specialized to ICS/SCADA protocols
- Enforcement of access security controls for users and devices, both wired and wireless.
- Protection mechanisms such as encryption.
Last but not least, the usage of Certificate-based digital identities are the strongest form of identity, offering superb user experience, reducing the burden of remembering, updating, and managing passwords, and enabling higher levels of security for IoT devices