In our previous discussions, we delved into the multifaceted role of cybersecurity as a strategic business asset. We highlighted its pivotal role in safeguarding revenue, fortifying customer trust, and enhancing operational efficiency. In this discourse, we will dissect why unified cybersecurity has become more crucial than ever, amidst an escalating backdrop of cyber threats targeting Operational Technology (OT).
The Digital Fabric of Modern Society
The fabric of modern society is interwoven with computer-controlled devices that influence the physical, not just digital, sphere of our existence. From delivery robots and intelligent buildings to shipping and transportation, OT permeates our daily activities, revolutionizing the factory floor, managing advanced buildings, steering ships across oceans, and soon, supplanting human drivers on our roads.
While OT presents a goldmine of opportunities to extract data that can be converted into profits, it also harbors a plethora of technical debts that amplify cybersecurity concerns. These concerns pose a threat to neutralize the potential gains and potentially precipitate enterprise-wide catastrophes. The convergence of Information Technology (IT) and OT realms is upon us.
A Glimpse into the Past
The global stage was first introduced to OT security in 2010 when the notorious Stuxnet virus infected the Programmable Logic Controllers (PLCs) governing the centrifuges of an Iranian nuclear weapons facility. This incident disrupted Iran’s weapons program and inadvertently spread far beyond its intended target, infecting thousands of devices worldwide and spotlighting the threat posed by OT. Fast forward to recent times, Russia orchestrated attacks on insecure UPS devices during its conflict with Ukraine, once again casting a spotlight on the vulnerabilities in OT security.
The Complex Web of OT Security
Securing OT presents a daunting and intricate cybersecurity challenge, compounded by four interrelated issues:
1. The Supremacy of Uptime:
In environments where OT solutions are deployed, uptime is paramount. Any downtime translates to halted production, adversely affecting customers and revenue. This necessitates multiple 9s of availability, overshadowing requirements such as patching or dynamic protections. To avert operational outages, manufacturers often resort to extreme measures, including stockpiling and cloning obsolete equipment like Windows XP PCs to circumvent accommodating dynamic elements in the environment. Hence, the adage “Cash is King” in the Wall Street parlance translates to “Uptime is King” on the manufacturing floor.
2. The Significance of Productivity:
Productivity is a close second to uptime, as more efficient workers yield more products at the same labour cost, thereby generating more profit. Any friction, such as entering a username and password, is perceived as lost time. Increasingly, standardized automation systems are remotely supported by engineers and designers who do not have physical access to the devices but remotely retrieve data or optimize machine parameters. While this maximizes efficiency for the organization, it simultaneously expands the attack surface for cybersecurity.
3. The Longevity of Devices:
Devices in the manufacturing realm are engineered to endure for decades and often carry a hefty price tag. Maintenance on the factory floor typically involves periodically shutting down machines to calibrate sensors, change oil, tighten bolts, or refurbish parts. It does not encompass applying monthly security patches to the HMI or PLC. This oversight is not trivial. The lifecycle of these devices can span 15 to 20 years, unlike the 3 to 5 years of an IT asset, imposing a significant burden on cyber and IT organizations.
4. The Oversight in Design:
The final challenge lies in the exclusion of cybersecurity requirements during the design process. This oversight is not merely a by-product of the technology designed to optimize uptime, productivity, and long lifecycles. It highlights a gap in awareness or understanding of the threat. Contrary to phishing or malware incidents, OT compromises seldom make headlines. They fall into a neglected quadrant of a standard heatmap – highly unlikely but potentially catastrophic – often leaving them unaddressed on the priority list.
Navigating the Hurdles
Despite these obstacles, organizations have a repertoire of options to mitigate risks. These options must be judiciously implemented, acknowledging that some control is better than none, and excessive friction can be counterproductive. Additionally, it is essential to recognize that OT is distinct from IT. For instance, imposing strong credentials and Multi-Factor Authentication (MFA) on machine operators is impractical. Similarly, your favoured Endpoint Detection and Response (EDR) may be incompatible with a PLC running a custom version of Windows 7. Moreover, a standard GPO enforcing a session timeout may disable a domain-connected Human Machine Interface (HMI).
A Crucial First Step: Segmentation
The most pivotal control to implement is segmentation. To paraphrase a well-known adage from Las Vegas tourism, “What happens in OT, stays in OT.” Demarcating a boundary between the IT and OT environments is crucial for gaining visibility, identifying risks, and exerting a degree of control. This approach mirrors the barrier between a private network and the Internet. It is inconceivable for an organization to permit unregulated access to the unpredictable terrain of the Internet, given its uncontrolled nature and unknown threats. Similarly, considering the hygiene of a typical OT environment, it should be equally unthinkable to allow unrestricted access between IT and OT.
Building on a Solid Foundation
With a robust boundary in place, it becomes feasible to deploy other core elements of cyber defence. In the cyber realm, Visibility (not Cash) is King. It is impossible to defend against invisible threats. Monitoring traffic entering and exiting the OT segment can unveil surprising risks, but also pave the way to controlling those risks. Is there a surge of SMB traffic infiltrating the OT segment? Investigate the cause and the source. Are third parties remotely accessing the OT segment? Determine who they are and their reasons. Are devices signalling out to known Command and Control (C2) sites? Halt those immediately. Then leverage the incident to craft a comprehensive strategy to safeguard OT, spanning from awareness to asset management, procurement to active prevention, and cyber requirements to remediation.
A Complex Yet Manageable Task
Safeguarding OT is a complex and unique task, dictated by its key drivers – uptime, productivity, and extended lifecycles – but it is not insurmountable. The principles employed by cyber defenders to secure information technology can be adapted to protect operational technology; the tools utilized can be successfully modified. As the worlds of IT and OT converge, a well-orchestrated cyber response can facilitate a harmonious merger rather than a collision.
In Closing
The escalating significance of unified cybersecurity in a digitalised world cannot be overstated. As the interconnectedness of our world continues to deepen, it is imperative to invest in robust cybersecurity measures that not only safeguard our digital assets but also ensure the seamless integration of IT and OT environments. By doing so, we can navigate the complexities of this digital age, protect our enterprises, and foster a more secure and resilient future.