Product and service reviews are conducted independently by our editorial team, but we sometimes make money when you click on links. Learn more.
 

Integration Headache: Cybersecurity Challenges With IT/OT Security

Integration Headache: Cybersecurity Challenges With IT/OT Security
By

Even if you don't know what Operational Technology (OT) is, chances are you've used the technology at work, and once you understand it, it's pretty easy to see how OT can be a present vulnerability from a cybersecurity perspective.

If you ask the average person to define Information Technology (IT), most of the time you'll get a correct answer. That's not the case with Operational Technology (OT). Often, even managers at most organizations are either unaware of OT's existence or have varying ideas of what OT is, even though OT plays a critical role in many organizations. 

What Is Operational Technology (OT)?

Operational Technology is hardware and software that monitors or controls an environment or certain activities. Unlike IT, which is generally programmable, most OT devices have specific functions, or even a single function. So OT is the technology that aids in the day-to-day execution of an operation within its environment, usually without human intervention. OT can detect, measure, and in some cases execute a change or an event within a given physical area. Most commonly, OT is associated with physical access devices or environmental controls such as temperature sensing and control. Within manufacturing OT has also increasingly become integrated within the IT backbone of many organizations.

MORE: A Guide To Physical Data Center Security
MORE: Shadow IT: How To Detect And Mitigate Cloud Security Risks

SCADA (Supervisory Control and Data Acquisition) is one of the more common examples of advanced OT. This operational technology software system automates or monitors industrial processes. SCADA is often found in various vertical markets including manufacturing, transportation, energy management, and even building automation. SCADA is essentially the technology used in an environment where real-time operational data is used to make decisions. In a sense, SCADA can bring OT together into a closed-off version of an IT network.

IT/OT Security Challenges

Traditionally, enterprises treated OT and IT as two autonomous parts of an organization. Each technology was developed independently of the other because each technology has different objectives. IT was developed to address the use of data and intellectual property (IP). OT was built with the availability and integrity of a system or activity as a top priority.

One common example of OT are buildings that are increasingly equipped with technologies that allow centralized monitoring and control of multiple building systems, like fire and carbon monoxide monitoring, energy management, access control and overall building automation.

Even at home, we're starting to see a greater integration of OT within the advent of these types of home-monitoring systems. It's only a matter of time before all lights and garages will be linked to an app on a mobile device.

To the enterprise, these differences meant a separate set of protocols, policies and procedures for each technology. However, a convergence between IT and OT is more prevalent every year as OT hardware is starting to incorporate functions and capabilities that more closely resemble IT. These increasingly complex features introduce the need for networking, patches, software development, lifecycle management and upgrades that have blurred the lines between IT and OT.

As a result, the buildings and homes that are increasingly reliant on OT with features that are starting to mirror a traditional PC are creating vulnerabilities from a cybersecurity standpoint.

Adding to the woes from the IT and OT integration are new capabilities in sector-specific organizations. In the new "digital" oilfield, for example, there are smart meters that measure the volume and flow of oil or gas remotely and allow for up-to-the-minute change in pricing and inventory. Traditionally, the reading of oil and gas OT would be manual and often would require someone to take a long and arduous trip into the frozen tundra or some other sparse terrain. Since the integration of IT and OT, not only can companies get all the readings sent electronically to a centralized location, but those readings come at faster intervals and can be paired with analytics to create forecast models.

In manufacturing, assembly systems are now fully integrated with operation technology that includes software for improved records-keeping with regards to cost and billing associated with assembly builds.

The convergence of IT and OT produces a clear benefit to any organization, namely an elimination of a silo. This can then have a positive impact on cost, performance and flexibility.

But one major challenge as a result of this integration is a merger of technologies. The current common cybersecurity standards and practices were designed and built for traditional IT and IT-related processes, not for OT. This IT driven push to secure OT using IT methodology is complex and often ineffective.

Additionally, if cyber history has taught us any lessons, one important fact is that the integration of technologies, without proper cybersecurity enforcement, often leads to an attack. The key question for many companies is how to integrate cybersecurity effectively into a hybrid IT and OT model?

Solving For The IT And OT Security Risk

The more OT adopts the attributes of IT, the closer OT seems to resemble magic. Let’s take our previous example in manufacturing. OT plays a critical role in the development, build and even the billing perspective associated with many assembly plants. Just imagine if you were able to time-travel and bring Henry Ford to a modern automobile manufacturing plant. There’s little doubt that the OT in the room would look like magic to Ford. But despite the urge to marvel at the capabilities that arise, the more we infuse IT capabilities into OT, the more we have to first understand a cyber-paradox that stems from this magic.

In order to best defend from the integration between these two technologies, organizations need to:

  • Understand the common ways OT is changing with its integration into IT
  • Understand the purpose and strengths of each technology, and how integration can negatively affect each one along with the more obvious positive benefits.

The Future: How OT Is Changing

IT has predominantly changed OT in two ways. First, IT has added a network connectivity capability to OT. We used the oil field as an example earlier of this change. However, another perfect example of this network connectivity is taking place in healthcare, where soon we could start seeing operational technology monitoring admitted patients and then interfacing with their physician's mobile devices whenever their relevant stats change.

The second way IT has changed OT is by adding common, off-the-shelf hardware and software to OT. Similar to hardcoding a PC running a Microsoft Windows operating system to an OT device, this cumbersome attachment opens up OT to two main vulnerabilities:

  1. Network connectivity to OT opens that device to the world, and hackers could theoretically gain access to a network through an improperly protected OT device.
  2. Off-the-shelf technology creates the need for patching and performing anti-virus scans on a technology that wasn't built for that type of interaction. Added to this issue is the fact that some IT wasn't initially built to handle OT.

The need to create, store and communicate intellectual property is a major driver for IT, and many tools and technologies have been developed to help protect these systems and the data they manage. We are aware of the risks in IT, and managing them is a part of managing any IT system. However, OT was built differently with other goals in mind. Understanding those goals is another key to protecting an enterprise from this technology integration.

To avoid the pitfalls associated with the present conditions and the future of integrated IT and OT, organizations need an intelligent solution that protects the data in IT, and the access to OT. By understanding the nature of each technology and the way IT and OT influence each other, organizations can make great strides in protecting the IT and OT they currently use, as well as implementing future IT and OT systems in a more effective manner that mitigates the inherent risks of such a merger.

RELATED: