The ever-expanding overlap between information technology (IT) and operational technology (OT) networks is forcing many organisations to reassess and improve their cyber risk posture.
With the exposure of legacy OT devices to the internet, and new attacks specifically built for them, industrial control system (ICS) network protection is now commanding board-level attention.
Steve Hunter, senior director, systems engineering, Asia Pacific and Japan, Forescout, says, “The reality is that the failure of an ICS network controlling critical infrastructure such as an electricity grid, oil rig, or emergency response service could have catastrophic results. This is why it is important for IT-OT organisations to understand where risks can come from and prepare for them.”
Forescout has identified four distinct challenges that IT-OT convergence is creating for critical infrastructure companies:
1. Increasing cyberthreats targeting OT/ICS networks
The presence of newer, IP-connected devices in OT networks exposes the organisations that use them to internet-based threats. Many companies also use third-party vendors as a cost-effective alternative to on-site staff for patching, updating and repairing their systems. Unfortunately, the protocols used for remote access can themselves be vulnerable to exploits, as was seen recently with the BlueKeep vulnerability, and adversaries can leverage such flaws to gain access to the corporate network and compromise OT devices. In November 2019, Shodan.io showed over 40,000 internet-facing systems with the vulnerable port exposed. The end result is that networks built on proprietary systems and legacy technologies, once isolated from the internet, now require protection from traditional IT cyberthreats.
2. The Internet of Things (IoT) explosion
Many IoT devices are consumer-grade technologies that are largely unmanaged, come from a multitude of vendors, run non-standard operating systems, support a variety of often insecure protocols, and may connect to other devices inside or outside the organisation’s network. As the scale and diversity of IoT devices grow, monitoring and controlling them should become a critical focus of an organisation’s cybersecurity plans, along with eliminating ‘bad’ security practices such as leaving traffic unencrypted or leaving default or simple credentials in place.
3. Increasing workloads for security operations teams
The mounting pressure to bulk up OT cybersecurity has led security leaders at many critical infrastructure organisations to invest sizeable sums in the latest cybersecurity tools. The result is often a sprawl of disparate tools that force teams to manually analyse yet more data, when they should instead start by maximising the value of the tools they already have. The ability to unify visibility and control for IT and OT networks in one interface can reduce the burden of piecing together security and operational alerts from separate tools.
4. Complex compliance fulfilment
To achieve compliance, many organisations rely on manual processes, sending staff to perform site visits and map assets as best they can, then compiling this data for their reports. Despite the cost and labour involved, the process remains tedious and error-prone, and the possibility of being fined for non-compliance stays relatively high. Organisations should consider automating their asset inventory and management, as well as the reporting required for audits, which can reduce the compliance burden.
Hunter says, “By taking simple steps to understand how IT and OT networks interoperate, organisations can holistically manage risks to organisational OT infrastructure. There are many challenges that have arisen in the IT and OT fields, and taking precautions can help minimise the potential for disruption for organisations.”