Industrial Security: Not Just IT and OT, but Old OT and New OT

Tim Erlin: Welcome to the Tripwire Cybersecurity Podcast. I’m Tim Erlin, vice president of product management and strategy at Tripwire. I am joined by Lane Thames, principal security researcher at Tripwire. Today, we’re going to talk about industrial cybersecurity and the IT-OT divide that we see in the industry. Lane will come at from a security researcher standpoint. I will come at it from a market standpoint. We’ll see where we end up. Welcome, Lane.

Lane Thames: Hi, Tim. Good to be here.

Background on the IT-OT Convergence

TE: Awesome. I wanted to start out with the term “IT-OT convergence.” How did that term surface in the security research space that you’re in, Lane?

LT: Let’s go back the late 90s, early 2000s. When we dealt with manufacturing, we were living in what was called the “third industrial revolution” where we had machines that had computers and controllers. We also had digital technology where we could process signals and such. What happened is folks wanted to start connecting their operational technology (OT) devices—things like sensors, actuators, robots, programmable logic controllers, etc.—to their IT or internet protocol-based networks.

TE: I want to point out what I think you’re saying and make sure I understand it. There was a time where the manufacturing and industrial technology was built, developed and placed in market parallel but separate from what we would traditionally call IT. Is that right?

LT: That is correct. There’s a whole plethora of industrial-based protocols that would speak their own language. Sometimes, it will just use serial communication. For example, their focus was on digital and analog inputs and outputs. And your sensor would connect to a programmable logic controller, which was a very, very simple computer. At most, those devices would connect to machines on the shop floor. And those devices are still connected on the shop floor, but they were totally isolated. They spoke their own language, and there was no way to get data into higher-level analysis outside of what we called sneaker nets—people running into the field with a clipboard, taking measurements, coming back and entering in that information into spreadsheets and such.

TE: I think that’s important because it’s not like these industrial technologies are just showing up now and being introduced to our IT networks. They’ve been around for a long time. So, there’s an established industry there that just happens to have been built very differently from IT.

LT: Absolutely. Totally disconnected from IT. Totally different technologies.

TE: That brings us to this point about convergence, which I think is where you were going.

LT: Right. So, two things are happening right now in terms of this IT-OT convergence. One is retrofitting. We’re taking cheap computer devices like Raspberry PI and interfacing these devices with old equipment.

But on the other hand, you have new equipment that is being built now with ethernet or Wi-Fi already built in. And so over time, as people start replacing their equipment, these devices will still sometimes speak the old languages. They still have to interface with other technologies, but they’re also going to be equipped with a little bit more intelligence and the ability to communicate over the internet.

The Industrial Internet of Things (IIoT)

TE: That brings me to another term that I wanted to throw into the mix here that you see everywhere these days, which is IoT. Where does IoT fit into this trend of convergence?

LT: The Internet of Things (IoT) kind of originated a long time ago—even before we had lots of mini-computers. This was back in the time where flip phones were still the thing but where RFID technology existed. So, the idea of IoT originally originated from, “Okay, we’re going to put these RFID chips on everything, and that way, we can start tracking it.” It was initially a tracking mechanism for inventory, as an example.

Then computing got cheaper and cheaper, and bandwidth got greater and greater. Now we have this idea of building intelligence. When I say intelligence, I’m really meaning computing and communication. And when I say communication, I’m talking about Internet-based communication or IP networking. It got to a point where everything needed to have a computer and a networking capability. That’s where the idea of the Internet of Things evolved.

There’s also another term that we should mention—the Industrial Internet of Things (IIoT). The IT-OT convergence and IoT come together in all the devices that are coming onto the shop floor with computer and Internet-based communication capabilities. That is the Internet of Things pretty much by its definition. The IT-OT convergence exists because of the so-called Internet of Things paradigm.

TE: And the term “IoT” really seems like it’s a modern label for things that were already in existence but have now continued to develop. There have been devices that have a network interface to a physical device that makes a physical change in the environment prior to the emergence of the term “IoT.” I had an OT engineer who categorized IoT as just the cheap consumer version of what he’s been doing for years and years.

LT: I would take it a step further. You have devices that are at the shop level. If you look at what’s called the Purdue Model, you have various levels. These devices on the bottom of the drawing, level zero, are all of the sensors and actuators and equipment on the floor, and they connect to say engineering workstations, HMI (human machine interfaces) and such. They’re connecting over a network, whether it be IP or their original industrial protocols.

To me, one of the things that stands out with IoT is that these future devices might still connect in that way, but there are going to be capabilities for these devices. They’re going to be communicating into the cloud either directly or through a gateway. This is where various newer protocols like Message Queuing Telemetry Transport (MQTT), for example, are going to help shine because we will be able to do that in a secure fashion.

TE: Let’s talk about the technology there for a minute. You mentioned MQTT as the technology that might allow these devices to connect to the cloud directly. What’s the alternative today?

LT: You have your legacy integration that’s kind of following the Purdue Model where everything is separate. All the different networks are separated via firewalls and switching and things of that nature. And the data doesn’t necessarily leave the organization. It flows up and down these levels of the Purdue Model. But this is where you start getting into the IT-OT battles. IT, for example, might want to connect through the different networks to a device for some reason, but then the OT guys might want to be able to send the data from PLC controllers up to say their ERP (enterprise resource planning) systems for manufacturing optimization purposes.

Right now, that’s being done via opening firewalls and stuff and allowing this communication. But it’s very complex just because of how the systems are involved, just because of the complexity of the network. And it’s not scalable. So, you might have 500 devices on your floor today, but in 10 years, you’re going to have 50,000 that are potentially communicating. And so that’s the other option.

Going back to your question, it’s like the wild west right now. Anytime something new arises, you have a lot of folks that are offering various gateways. The gateway will ship it into the cloud, but it’s usually on a per-vendor basis. So, the idea of something like MQTT is a big idea in the advanced manufacturing space. It’s not vendor neutral; it’s a unified and open architecture.

TE: That brings us back to that challenge of the convergence, not just of IT and OT but also of old OT and new OT. If you want to think of it that way, MQTT isn’t suddenly going to show up on those devices that you installed 10 years ago. You’re going to be stuck with a mix of approaches until you fully modernize that plant floor or that manufacturing facility.

LT: I think it’s going to stay that way forever. We know for a fact that the cloud is forever going to be hybrid, right? Organizations are going to have legacy systems, and they’re going to have cloud systems. And that’s why we call it “hybrid.” I personally believe that this IT-OT convergence is going to be hybrid at least for the next 20 years.

Security Challenges of Managing Legacy Environments

TE: Given that we have this future that’s hybrid, how are you seeing security professionals dealing with legacy environments today? What are the trends and complications there?

LT: They’re fairly significant. So, you have all these folks that are just buying whatever kinds of devices they can find to solve their current problems. That’s in addition to the new devices we have that are coming in. The problem is inventory, you know, visibility. How do we know what’s out there? And then, how do we know what kind of weaknesses they have?

What’s going to happen, and where the security problem lies, is when the malicious actors penetrate the top level of the Purdue Model—our enterprise IT systems. And then they work their way down through the networks and gain access to these devices on the shop floor. And this is a huge problem because one thing we haven’t really mentioned are really the priorities in terms of security when we talk about devices on the floor, the shop floor. Safety and availability are the two main drivers. And so, the security concern here is not so much that they can hack into the device. The data that’s down there, living on these little devices, is insignificant. It’s misconfiguring the devices so that they screw up a real-world process and damage equipment or even cause of death or harm to people.

When we talk about security, what I constantly want to say is making sure your IT systems are safe and secure is priority one. That is their entry to the networks. And then, you know, as an industry, we’re learning about OT. How do we solve the security problems? It’s a very complex environment. You can’t just update software. The biggest thing is scale. Today, it might be 500, but in five years, it might be 50,000. How do you deal with that scale? These are going to be some challenges that we’re going to have to address and find new, innovative solutions for.

TE: Well, Lane, it seems like we didn’t come up with any solutions here, but we certainly covered the problems in interesting ways. There’s a lot more to talk about as we move forward. So, I really appreciate you spending the time with us. I hope it was interesting for all the listeners. Thank you. Please tune in for the next episode of the Tripwire Cybersecurity Podcast.