June 30th 2019
IT Security - From Show Off to Pay Off
Since the introduction of the first virus in the 1970s and more so with the rise of the internet in the 1980s, the need to secure information and keep it private has become increasingly important.
Over the years, the IT world has been witnessing a shift in cyber threats. It used to be that programmers launched bothersome viruses and malware to gain reputation in their communities. Today, with the increased reliance of civilization on computers, and the advancements of technology, attackers have become much more sophisticated.
Up until recent years, cyber-attacks remained almost solely within the IT realm – affecting what we would call “standard” computers.
In 2010, the Industrial Cyber Threat Landscape Took a Turn
STUXNET - Though it was not the first cyber-attack to target an industrial environment, STUXNET was the first ICS-dedicated attack to receive such global attention. STUXNET is a malicious computer worm believed to be responsible for causing substantial damage to Iran’s nuclear program, ruining almost 20% of its nuclear centrifuges.
Since then, there has been a constant increase in cyber-attacks targeting industrial organizations, affecting different industries such as power grids (Industroyer), energy (BlackEnergy), petrochemical (Havex), and oil & gas (TRISIS). Hackers are infiltrating industrial networks in order to shut down machines, demand ransom, steal data, and more. The hardware and software that monitor and control the physical components of an industrial network are often referred to as Operational Technology (OT).
The New Age of Operational Technology
Traditionally, OT was an “air-gapped” environment, meaning that it was not connected to external networks or digital technologies. In recent years, with the rise of the fourth industrial revolution, also known as “Industry 4.0”, what was known as “traditional OT” has started to change. Companies taking part in this change have begun implementing new digital solutions in their networks, looking to stay ahead of their competition. These solutions aim to increase automation, add “smart” devices, make data more efficient and available, and interconnect networks for convenience.
As part of the interconnection, and in order to make OT components more accessible while being able to collect and analyze data about them, IT and OT networks are also becoming interconnected. This movement is referred to as IT-OT Convergence.
While connecting operational with information technology opens a great door to new opportunities, it also introduces a vast landscape of cybersecurity threats to what was once an air-gapped network.
OT Security Has Undergone Fundamental Changes
OT has been relying on computers for several decades to monitor or change the physical state of a system, such as the use of SCADA systems to control train traffic on a rail system. In traditional industries, OT security is composed mostly of straightforward physical tasks, including making sure that a machine repeats the same task correctly, an assembly line continues, etc. Since the inception of IT-OT convergence, there has been a shift in how OT is seen in factories, and in its security.
The Blurry Lines Between Operations and Information
Today, OT security mainly stands for the protection of traditional operations and assets from cyber incidents due to the increased connectivity between cyber and physical realms. It involves the detection and mitigation of weak spots and changes in systems that control physical devices such as valves and pumps as well as vulnerabilities stemming from their integration with enterprise software.
Though operational and information technologies are becoming more connected, there are several important differences that both IT and OT staff need to be aware of.
IT vs OT - Four Core Differences
1. Enterprise vs Industry
The most fundamental difference between the technologies is perhaps the most important one: the two technologies operate in different environments and serve different purposes. Briefly, IT is the world we all know: computers, keyboards, screens, and mice. IT networks involve common environments and solutions (the cloud, servers, firewalls, antivirus, etc.) and communicate over known protocols (HTTP, SSH, RDP).
Conversely, OT includes completely different components that can be found primarily in industrial environments. These components are often screenless (machinery, PLCs), communicate over industrial protocols that are never seen on IT networks (e.g., Modbus, EtherNet/IP, Profinet), lack security tools (firewalls, antivirus), and are even programmed differently than “normal” computers.
2. IT Prioritizes Confidentiality, OT Focuses on Safety
Because IT primarily involves storage, retrieval, manipulation, and transmission of digital information, data and confidentiality are a top concern. IT security is crucial in every organization in order to keep its data secure and under control.
In OT, the safety and availability of equipment and processes dominate. Dealing with physical systems that must maintain stable values, such as temperature and RPM, requires meticulous control. Lack of control can lead to extensive financial losses due to temporary halts in production or even result in direct physical harm. For example, a ransomware attack that blocks access to operations can lead to a few days of inactivity where each day may be worth millions of dollars.
3. IT Incidents are More Frequent, OT Incidents are More Destructive
While OT incidents may lead to more destructive outcomes, IT has more ways in which it can be manipulated. Simply put, IT has more touchpoints with the internet. These gateways pose higher security risks because each one can potentially be a hack waiting to happen.
OT has a lower number of gateways, making it comparatively safer. However, the potential magnitude of compromised physical equipment tends to be greater than that of a data breach. Even slight OT cyber-incidents can lead to huge financial losses and have damaging ramifications that can affect the general population, such as water contamination and power outages.
4. Security Patching - Every Week vs Every Ten Years
IT components advance so fast, and have such relatively short life spans, that a network can look completely different only several years apart. In fact, IT security updates are so frequent that many IT vendors have a designated "update day of the week" or "Patch Tuesday".
Security patching does not work the same way in OT. Since patching OT components requires complete shutdowns, which halt production, vendors running OT networks rarely patch their components, if at all. Because OT components are rarely updated, they may have many more public vulnerabilities than IT computers. This means that the probability of a successful exploit on an OT system is far higher than on an IT system.
What Does the Future Hold for Industrial IT Professionals?
It is clear that IT and OT work differently, are used differently, and have different objectives and risks. However, as digital systems continue to connect to industrial systems, the industry will enjoy improved production growth but will, at the same time, expose itself to more cyber threats.
Industry experts predict that IT-OT will only continue to converge. This means that OT administrators should do their best to understand the IT environment, and vice versa - the sooner the better. Gartner recommends that organizations align their standards, policies, tools, processes, and staff between IT and the business to the changing OT systems. The approach to dealing with the organizational changes in response to IT/OT convergence is called IT/OT alignment.
IT/OT alignment begins with understanding what each environment does and how they differ from each other. A comprehensive cybersecurity strategy which considers the entire security lifecycle, beginning from the production floor and up to the enterprise, is key when looking to advance through the industrial revolution as the new industry champions.