Closing the security gap in OT/IT convergence

Schneider Electric knows the business value of connecting its 200-plus distribution and production centers and converging them with IT systems. As more and more industrial environments are connected through sensors and actuators to produce data for proactive insights and services, “IIoT [industrial internet of things] is becoming the new normal,” says Christophe Blassiau, global CISO at Schneider.

Connecting operational technology (OT) and IT operations has become a business imperative for organizations that want to drive reliability, gain competitive advantage or make operations more agile and resilient.

Blassiau also knows the risks. “IT can infect and wipe out OT environments at-large and at speed as seen with WannaCry and NotPetya,” he adds. “OT and IT experts need to collaborate to protect plants and critical infrastructure.” 

Today Schneider has cybersecurity initiatives under way to segment and monitor industrial networks worldwide, which puts them far ahead of many organizations with OT environments. “Security for the longest time hasn’t been a concern because nothing was connected, but now it is,” says Dr. Abel Sanchez, executive director and research scientist at the Laboratory for Manufacturing and Productivity at the Massachusetts Institute of Technology. “IT has its own security stack and well-established practices, but when it comes to the OT and IIoT world, there is a very different picture. For a lot of companies this is new,” he adds.

In 2018, 78% of operational assets were connected to a network, up from 60% in 2016, according to IDC. That number is expected to rise again this year.

Whether it’s wireless sensors being deployed at a remote power substation or oil field, or a corporate environment’s interests in getting visibility into how the shop floor is performing, the productivity of the manufacturing line or its current safety status — all the information that originates in operational environments has to travel to the IT environment. At the same time, enterprise environments are sending commands back to the production environment to help create operational change.

Not surprisingly, threat actors are looking for gaps and seams in those connections, leaving many OT environments unprepared. As the borders between traditionally separate OT and IT domains blur, the two sides must align strategy and work more closely together to ensure end-to-end security.

IT/OT security gaps

Solving the security issues of IT/OT convergence is not as simple as bringing OT into the IT security fold. Several technical and cultural differences separate the two worlds.

For starters, operational systems like supervisory control and data acquisition (SCADA), manufacturing execution systems (MES) and controllers are typically managed as individual devices from disparate vendors, which has made it very difficult for IT to maintain its cybersecurity mandate.

In many OT environments, even the way systems are patched is outside the control of the organization. “Some provisioned legacy assets in an operational environment have hard-coded passwords that if exposed can’t be changed, or trying to change password creates operational problems,” says David London, senior director at the Chertoff Group. “Security tools and technologies around those assets have not had the maturation and sophistication that you see on the IT side.”

The three key areas of conflict between IT security and OT are:

More risk with downtime in OT

In the OT environment, fixing vulnerabilities carries more risk than in the enterprise environment, London says. Bungled maintenance on the IT side might cause some inconveniences, such as slower systems or an unavailable app, “but on the OT side those risks are amplified, with more safety concerns and consequences if you attempt to remediate a vulnerability and create a critical failure in a system,” like a large power outage or massive flooding due to pumping station failure, London says.

Culture clash

Longstanding differences exist between OT engineers and IT security professionals. “IT is very focused on security; OT is focused on availability. When you put those together they butt heads,” says Jonathan Lang, research manager for IDC’s Worldwide IT/OT Convergence Strategies research practice. Production requirements are changing rapidly and equipment may need to be changed over very quickly. “When IT starts meddling with their equipment, that translates into a loss in productivity.”

Few security best practices or frameworks

Current standards and guidelines are an essential foundation for security, but most are not interoperable for both OT and IT environments.

IT/OT attack vectors

Some 42% of cybersecurity professionals in OT environments say that connections to internal systems, such as enterprise networks or system to system, presents the highest risk to OT operations, according to SANS Institute’s 2019 OT/ICS Cybersecurity Survey of 338 global professionals. “Most risks to the OT environment actually begin as an initial point of contact within the IT environment, often in web facing apps, spear-phishing attempts or credential subversion. From there, sophisticated threat actors find ways to then compromise the operational environment,” says London.

OT servers with legacy operating systems run the highest security risk (58%), often running Windows NT and XP with low rates of routine patching. IT could be helpful in these cases with more routine patching, according to the SANS report. “A strategically designed network and security architecture can enhance or mitigate vulnerabilities through how server assets are placed and protected at, or near, the boundaries between the IT and OT domains, specifically the industrial DMZ,” states the SANS report.

Closing the IT/OT security gap

Mature industrial organizations understand that there needs to be shared accountability and risk sensitivity in both IT and OT groups, London says.

Shared security responsibilities

“A high-level governance body over IT/OT issues can bring together staff members from both sides for some real accountability,” Lang says.

Some organizations have created one CISO position with visibility and accountability over both the IT and OT security environments, “or they’ve created a dotted-line counterpart between the CISO and a person with operational authority over industrial automation control systems [IACS] or SCADA security,” London adds. “Those two individuals are talking regularly, creating threat reporting that reflects threats to both environments along with consequence analysis,” Lang says.

Schneider Electric took a different approach and created a network of about 200 cyber leaders in each factory supported by protection, monitoring and detection technologies, and a security operation center augmented by cyber industrial experts. Going a step further, SANS believes the entire OT workforce should be included in all security awareness campaigns and educational programs, not just enterprise workers.

An industrial DMZ

The industrial demilitarized zone, recommended as an addition to popular industrial architecture frameworks such as the Purdue Enterprise Reference Architecture (PERA), also known as the Purdue Model, is an interconnect zone between IT and OT systems. This zone typically holds a jump host for secure remote access to industrial control systems. When network access is not permitted directly between the enterprise and the plant, but data and services are required to be shared between the zones, the industrial DMZ provides architecture for the secure transport of data, including remote access servers and mirrored services. 

Shared visibility through kill chain analysis and attack frameworks

New industrial tools have been introduced in the last six months to bring more visibility and actionable security options to IT/OT convergence. Systems engineering company MITRE released a framework for cyber attacks on industrial control systems in January, with a knowledge base of the tactics and techniques that cyber adversaries use when attacking the industrial control systems. 

It uses the standard threat framework and kill chain, from reconnaissance, to initial entry, persistence, and lateral movement used to achieve the threat actor’s ultimate objectives and organizes a set of actions against each of those steps for the OT environment. Security teams can map the tools and technologies that they already have in place to the actual threat behavior. It also maps the organization’s activities to specific threat actors who might be targeting them.

This could help create a shared kill-chain approach, including helping establish a standard language for security teams to use as they report incidents, London says. 

Creating standards and alliances

“Sharing of best practice that take place in alliances is really valuable — a virtuous cycle of shaping demand, and vendors can deliver within consistent boundaries,” Lang says. The Operational Technology Cyber Security Alliance (OTCSA), a new global alliance focused on cybersecurity, launched in October 2019 to help companies address the OT security challenges that continue to put operations, and consequently, business at risk.

Today half the OT organizations surveyed by SANS have an OT/IT convergence strategy that they are implementing or have completed, and another 33% are developing an OT/IT convergence strategy. The success of their convergence strategy, however, may require being more accepting of risk, Lang says. “Loosening of risk tolerance precedes maturity of IT/OT convergence,” Lang says. “It’s a scary concept, but the technology is there to support it — and security is getting its due attention right now.”