Ghosts in the Machine – Looking at OT & IT Convergence
There is a saying in cybersecurity that “Data is the new oil.” If that is true, then that oil is powering not only the economy but also industry. The term ‘Industry 4.0’ refers to the fourth industrial revolution where traditional manufacturing and industrial processes are increasingly using IT and data to the point that we’re now seeing the emergence of ‘smart factories.’
From the management and control of power and water to the management and control of farms, Operational Technology (OT) controls the machinery involved and ensures it runs effectively and efficiently. OT devices are increasingly becoming part of our IT world, and although the convergence has been happening for some time, it would seem we are only just beginning to recognize its significance.
OT/IT Convergence – The Past
Since the 1960s, Supervisory Control and Data Acquisition (SCADA) systems have been controlling manufacturing operations. These operations include water and wastewater systems; electric generation, transmission and distribution systems; oil and gas systems; and food and health products production.
SCADA systems display the process under the control of the Industrial Control System (ICS), providing important feedback to the operators that everything is functioning appropriately.
But back in 2010, we discovered this communication could be disrupted when the computer worm STUXNET was used to disrupt the Iranian creation of plutonium. In 2011, a study surveyed 200 IT security executives from critical electricity infrastructure enterprises in 14 countries. The resulting report focused on critical civilian energy infrastructure that depends most heavily on ICS, and it revealed the following:
· Four-fifths of respondents have faced a large-scale denial-of-service attack.
· A quarter of respondents have been victims of extortion attempts.
· More than 40% of executives believe that their industry’s vulnerability has increased.
· Almost 30% believe their company is not prepared for a cyberattack.
· More than 40% expect a major cyberattack within the next year.
· The energy sector increased its adoption of security technologies by only a single percentage point to 51%.
· Oil and gas industries increased by only three percentage points to 48%.
· Nearly 70% of respondents frequently found malware designed to sabotage their systems.
· A quarter of respondents reported daily or weekly DDoS attacks.
OT/IT Convergence – The Present
Fast forward to today, and we see a world that is heavily reliant on the smart grid and smart factories. As OT and IT networks converge and devices become an extension of our networks, IT and cybersecurity professionals must take a closer look at their security controls and put in measures to protect these devices.
For the longest time, we’ve recognized the importance of protecting endpoint devices such as printers and fax machines. (Remember those?) But how many of us are considering a risk assessment of the refrigeration units, the vending machines or the machinery that is manufacturing our products? These unsecured devices, perhaps monitored and controlled by third parties, are entry points for lateral movement into and across our networks and systems, which can then be exploited.
We need to remember that cybercriminals are nothing if not inventive. As we see the continued evolution of cybercrime, it is not difficult to imagine a new strain of ransomware that attacks the physical aspects of an organization and the data it processes. Imagine for a moment a hotel keycard system that is hacked where the criminals refuse to let guests into or out of their rooms until a ransom is paid. Could that happen? Well, yes, it could, and it already has. In an article published in 2017, it was revealed that hackers demanded that the hotel pay €1,500 (in Bitcoin). The threat was simple: pay up and control of the key card system as well as room locks would be returned.
OT/IT Convergence – The Future
The world we now live in, and the one we are moving toward, requires a deeper understanding of what is happening on our networks and how data is being used (as well as how it can be manipulated). I often say you cannot protect what you do not understand, and in the world of the Industrial Internet of Things (IIoT), this couldn’t be more true.
Cybersecurity and IT professionals need to understand what devices are on the network and what they are doing. We need to identify where the vulnerabilities are and what monitors we need to put in place to continually assess the vulnerabilities. We need to ask ourselves what the impact could be should we have a critical failure of these operations. This then goes beyond the usual remit of a cybersecurity professional and moves into true risk management and business continuity. The good news is that technologies and practices such as real-time monitoring and assessments can help us with these problems. But we first must understand where we need to deploy them. Fundamentally, do we truly understand the level of risk we’re facing?
I believe the first task we face is asking and answering those fundamental questions about the impact on our operations should there be some loss of service or a compromise of integrity. From there, we can understand how those risks could manifest themselves and where we are vulnerable. Finally, we’re ready to identify the tools and techniques we need to protect ourselves at that stage.
Max Gilg, an Industrial Cybersecurity Account Manager at Tripwire, noted in another blog post that organizations can sometimes use standard IT controls for securing their OT. But they need to be careful in the process.
“Some recommended IT practices and monitoring options can definitely be used in OT, but they have to be adapted exactly to the industrial context where they will be used, and they must be communicated clearly,” Gilg pointed out. “IT security has become an incredibly complex field with very sophisticated threats. It is not always easy to explain this complexity to OT teams where people tend to have different priorities.”
Conclusion
There are always going to be gaps in our knowledge and understanding; we can’t expect to know everything. Therefore, what we need to recognize is the need for greater collaboration between all aspects of business. We could call this new way of working “Convergence of IT/OT” or simply look to a discipline like organizational resilience that has been around for some time now. We must work more collaboratively to close the gaps in our systems and knowledge. These gaps are the windows of opportunity that cybercriminals can climb through. And if we’re not mindful, those windows could be under the control of the very people we’re trying to keep out.
About the Author: Gary Hibberd is ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology. You can follow Gary on Twitter here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.