Dispelling key misconceptions in operational technology
Australia’s infrastructure is becoming smarter and more connected, but this means potential security threats have skyrocketed. There are a number of key misconceptions that need to be addressed in order for infrastructure to remain protected. Dick Bussiere is here to bust the myths.
To thrive in today’s competitive environment, businesses know they need to get smarter with technology. By bringing operational technology (OT) online, companies are combining physical processes with data and business intelligence to greatly improve their operations. This convergence of OT and IT is taking place across our industry and infrastructure as organisations accelerate their digital transformation endeavours. Most organisations are aware of the enormous financial costs associated with cyber attacks.
Research suggests that the financial damage caused by cybercrimes will reach US$6 trillion by 2021; however, the threat to OT is often overlooked. This is despite a 2019 report by Siemens finding that 56 percent of critical infrastructure operators reported at least one shutdown or operational data loss yearly, with 54 percent expecting an attack on critical infrastructure in the next 12 months.
Lateral attacks that gain a foothold in IT and spread to OT networks have been well-documented. What is less known is that bad actors can target OT environments as a path of least resistance to IT infrastructures. For example, a compromised industrial control system can be leveraged to gain access to customer databases residing on the corporate IT network. Defending the convergence between IT and OT across Australia’s industrial sectors requires a multifaceted approach.
As a first step, there are a number of critical misconceptions that should be addressed immediately if organisations are serious about reducing their IT or OT cyber exposure.
‘Air-gapped systems are sufficient’
Air-gapping is a network security measure that has traditionally been used to protect OT systems. It works by completely isolating the industrial network from the business network and the internet. In most cases, this is no longer a realistic solution as digital transformation forces real-time interaction between the world outside and the OT environment, making the case for increased connectivity between the two worlds. Even if OT systems are completely disconnected, vulnerabilities may still exist through third parties when vendors connect to perform maintenance.
‘Only passive security technologies can be used in an OT environment’
Most technologies that are used to inventory assets, determine configurations and detect possible malicious activity within an OT environment rely heavily on ‘passive network’ monitoring techniques. This means that no traffic is introduced by the monitoring technology, so OT remains undisrupted. However, passive techniques are not 100 percent accurate since they never truly ‘see’ the actual configuration on the devices themselves. In today’s hyperconnected environment, more advanced OT monitoring solutions are available that query OT systems to reveal detailed configuration information, code, status and more, providing an unparalleled depth of information. This information is stored for reference. When suspicious activities are detected, these stored copies of the device configuration can be compared against the current state to identify potentially malicious or accidental changes.
‘Traditional vulnerability management tools are relevant for OT environments’
The convergence of IT and OT systems has fostered the idea that traditional vulnerability tools can work effectively in OT environments. This is unrealistic as such tools do not ‘understand’ OT protocols or systems, and are not practical when placed within an industrial environment. Additionally, such tools can cause disruption when run against OT equipment. This issue is likely to become more apparent as the cyber skills gap widens. As organisations integrate IT into the OT network, security teams managing these interconnected networks need to have a blend of specialised skills that are relevant across both disciplines. IT professionals in charge of securing OT environments shouldn’t fall into the assumption that their go-to tools will be sufficient to secure physical assets.
Don’t settle for a one-size-fits-all approach
Preventing attacks requires the ability to understand the complete attack surface and prioritise vulnerabilities according to the business risks they pose. As businesses interweave OT and IT systems to deliver greater efficiencies and drive innovation, the risk of cyberattacks becomes greater. A lack of visibility into the converged attack surface can potentially disrupt industrial systems, hinder business operations, or result in lost information when cybercriminals jump between OT and IT networks.
To truly ensure businesses are protected from the financial damage of cyberattacks, security leaders need to ensure that OT security is afforded specialist technology and techniques, rather than approach it with a one-size-fits-all mentality.
Dick Bussiere is technical director for the Asia-Pacific region at Tenable.