2021 was the year that cyberattacks on industrial targets and critical infrastructure went mainstream. From the Colonial Pipeline attack to the most recent Transnet hack, it was the year in which the public – not to mention the C-suite – learned the difference between IT and OT networks. And everyone learned that OT cybersecurity vulnerabilities can carry consequences that affect us all, personally.
2022 will be at least as challenging for manufacturers and critical infrastructure utilities. And it’s this outlook that makes it more important than ever to understand the differences between OT and IT cybersecurity – and to grasp why exactly existing OT cybersecurity paradigms are still falling short.
IT cybersecurity specializes in securing bits and bytes – crucial for the administrative side of any business. OT cybersecurity, on the other hand, focuses on securing both data and physical systems. In 2021, OT network stakeholders learned how crucial it is to choose a cyber defense approach that specifically fits OT environment needs – one that’s built from the ground up to meet OT challenges.
In our recently released 2022 OT Cybersecurity Survey, we asked 200 CISOs from leading industrial organizations whether they feel they are receiving the best value from their existing cybersecurity solutions. Many of the respondents said they are not. Why do existing OT security paradigms fail to deliver on their promise? Let’s take a closer look.
According to our survey respondents, the top five reasons why their existing OT-cybersecurity solutions fail to deliver the desired value are: “lack of skills to operate” (57%), “mitigation actions are not feasible” (49%), “creates huge alert fatigue” (44%), “too complicated to use” (33%), and “effective only for post-breach detection” (27%).
But what do these responses actually mean, in the real world?
According to our survey, at 31% of companies OT cybersecurity is the responsibility of the VP/Head of Manufacturing/Engineering – not a cybersecurity specialist. Yet first-generation OT-cybersecurity solutions were designed for the IT (i.e. enterprise) environment and retrofitted for OT. As such, they demand a special skill set that, while available in the IT SOC, is almost non-existent on the OT side of the house. The result: OT cybersecurity tools are often implemented or operated incorrectly, and thus provide sub-optimal protection.
Many solutions detect potential threats, but offer only theoretical or vague instructions as to how to mitigate these threats. Others provide detailed playbooks that are not relevant for the OT.
Let’s look at “patching” as an example. Security patching in OT is very different from patching in IT. Patching OT components requires complete shutdowns that halt production, so vendors running OT networks rarely patch their components, if at all. Any OT mitigation plan that includes patching is almost always infeasible.
Additionally, industrial and critical infrastructure professionals often operate without a full-fledged team of security engineers or analysts on-site. For them, the mitigation steps issued when a breach is detected need to be highly detailed, clear, and specifically relevant to their environment in order to enable rapid and effective implementation.
Today's OT solutions rely mainly on detecting potential cyber breaches and then alerting security stakeholders. Yet even the best detection tools purposefully issue many alerts, preferring to err on the side of caution. To make matters worse, most OT security paradigms rely on multiple disparate solutions, each with its own alert threshold. It’s not uncommon to have a number of different solutions sending out alerts from various parts of the network that all relate to a single event. The resulting ‘alert fatigue’ can allow attackers to go undetected for relatively lengthy periods, and prevents security teams from focusing on actual critical risks rather than false positives.
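The failure mode described above, several tools raising separate alerts about one event on one asset, is usually addressed by correlating alerts before they reach an operator. The following is an added example, not code from the original post or from OTORIO's products: it folds alerts on the same asset that fall within a time window into a single incident, and ranks incidents by severity times the number of independent tools that corroborate them. The tool names, asset names and alerts are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:
    ts: datetime      # when the tool raised it
    source: str       # which tool raised it (constructed tool names)
    asset: str        # affected OT asset
    severity: int     # 1 (low) .. 5 (critical), normalised across tools

@dataclass
class Incident:
    asset: str
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)

    @property
    def sources(self):  # distinct tools that corroborate this incident
        return sorted({a.source for a in self.alerts})

    @property
    def priority(self):  # impact (max severity) times corroboration (distinct tools)
        return max(a.severity for a in self.alerts) * len(self.sources)

def correlate(alerts, window=timedelta(minutes=10)):
    """Fold alerts on the same asset within `window` of each other into one incident."""
    incidents, open_by_asset = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_by_asset.get(a.asset)
        if inc is None or a.ts - inc.last_seen > window:
            inc = Incident(a.asset, a.ts, a.ts)  # gap too large: start a new incident
            incidents.append(inc)
            open_by_asset[a.asset] = inc
        inc.alerts.append(a)
        inc.last_seen = a.ts
    return sorted(incidents, key=lambda i: i.priority, reverse=True)

T0 = datetime(2022, 1, 10, 8, 0)
SAMPLE_ALERTS = [  # constructed: three tools see one event on PLC-7, plus two unrelated alerts
    Alert(T0, "net-ids", "PLC-7", 3),
    Alert(T0 + timedelta(minutes=1), "plc-monitor", "PLC-7", 4),
    Alert(T0 + timedelta(minutes=2), "net-ids", "PLC-7", 3),
    Alert(T0 + timedelta(minutes=3), "asset-inventory", "EWS-02", 2),
    Alert(T0 + timedelta(minutes=4), "asset-inventory", "PLC-7", 2),
    Alert(T0 + timedelta(hours=2), "net-ids", "PLC-7", 1),
]
```

With the sample data, six alerts collapse into three incidents, and the one corroborated by three tools ranks first.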
As already mentioned, many OT cybersecurity solutions are actually retrofitted IT solutions. They don’t exactly sync with OT-specific processes or procedures, requiring their operators to have a deep understanding of both OT and IT in order to “make sense” of them. Unfortunately, as we have already noted, the OT sector already suffers from a skill set shortage, rendering many legacy OT solutions unusable.
Most existing OT security solutions rely on reactive, post-breach detection. While after-the-fact detection and mitigation is an important part of the overall cybersecurity mix, after-attack response is, as a rule, more costly and less effective than attack prevention.
OT environments – unlike enterprise IT – have zero tolerance for downtime. Getting a production floor back online after it’s been shut down can take days and even weeks, leading to large financial losses. And the cost isn’t strictly monetary – successful breaches can pose serious danger to the health (and sometimes the life) of operators and employees. Lastly, they can bring reputational harm to the brand that tends to linger for a long time.
OTORIO’s RAM2 is an OT-native platform designed for use in real-world OT ecosystems. With a user-friendly interface that can be easily managed by cyber experts and operating floor managers alike, RAM2 features a unique and simplified dashboard that helps lay users understand exactly why and where alerts are coming from. To improve the speed and efficiency of mitigation processes, RAM2 offers simple, easily understandable mitigation steps that are customized to each unique operating floor.
RAM2 also helps overcome alert fatigue by orchestrating thousands of suspicious events across the IT-OT-IoT network into a handful of meaningful, prioritized insights with simplified and proactive mitigation playbooks.
The key takeaway from this portion of our 2022 OT Cybersecurity Survey is clear: OT is a unique environment that demands organic OT solutions that can be used by real people. This is what drove us to develop RAM2, and what’s driving more and more industrial and critical infrastructure players to adopt it!