The rise of computer-controlled devices in our society has brought both opportunities and challenges. These Operational Technology (OT) devices, which operate in the physical rather than digital realm, are becoming increasingly embedded in our daily lives. From delivery robots to smart buildings to autonomous vehicles, OT connects and automates various aspects of our world. However, these devices also carry a significant amount of technical debt, posing serious cybersecurity concerns that can potentially lead to disastrous consequences. The collision of Information Technology (IT) and Operational Technology has become a pressing issue that needs to be addressed.
The concept of OT security first gained global attention in 2010 with the emergence of the Stuxnet virus. This notorious worm infected the Programmable Logic Controllers (PLCs) of an Iranian nuclear weapons facility, causing operational disruptions and derailing Iran’s nuclear program. The unintentional spread of the worm to thousands of devices around the world highlighted the vulnerability of OT systems. More recently, attacks on insecure OT devices have been used as part of Russia’s war on Ukraine, further emphasizing the flaws in OT security.
Securing OT poses a unique and challenging problem due to several interconnected issues. Firstly, uptime is a critical requirement in OT environments. Any downtime can directly impact the production process and harm a company’s revenue. As a result, measures are often taken to avoid operational outages, such as stockpiling and cloning obsolete equipment. This focus on uptime often overshadows cybersecurity considerations like regular patching or implementing dynamic protections.
Secondly, productivity is another essential aspect of OT environments. Operators and engineers prioritize efficiency to maximize profits. Friction, such as entering usernames and passwords, is seen as wasted time. As standardized automation systems become more prevalent, engineers and designers remotely access devices to gather data or optimize machine parameters. While this enhances efficiency, it also expands the attack surface for potential cyber threats.
Additionally, OT devices are designed to last for decades and often cost millions of dollars. Maintenance in these environments typically involves calibrating sensors or refurbishing parts, rather than applying security patches. The long lifecycles of these devices place a considerable burden on cyber and IT organizations, as they need to manage and secure assets that may remain in operation for 15 to 20 years.
Lastly, cybersecurity was not built into OT systems from the outset. Unlike IT incidents that frequently make headlines, OT compromises rarely receive the same level of attention. This lack of awareness and understanding of the threat leads to a disregard for cybersecurity requirements during the design process. As a result, OT security remains an unaddressed item on many organizations’ priority lists.
Despite these challenges, there are options available to reduce the risk associated with OT security. These options must be implemented smartly, recognizing that some control is better than none, while avoiding excessive friction. It is essential to understand that OT is not IT and requires specific approaches. For example, forcing strong credentials and Multifactor Authentication (MFA) on machine operators may be impractical. Endpoint Detection and Response (EDR) solutions designed for IT environments may not be suitable for custom-built OT devices. Therefore, a tailored approach is necessary.
The most critical control to employ is segmentation, establishing a boundary between IT and OT environments. This boundary allows organizations to gain visibility, identify risks, and exert a measure of control. It mimics the barrier between a private network and the Internet, preventing unmanaged access to the potentially ungoverned and unknown threats of the OT environment.
With a well-defined boundary in place, other core elements of cyber defense can be implemented. Visibility becomes crucial, as defending what can’t be seen is challenging. By capturing and monitoring traffic moving into and out of the OT segment, organizations can gain insights into potential risks and take appropriate actions. Monitoring traffic can reveal unusual patterns, such as excess SMB traffic or third-party remote access, highlighting potential vulnerabilities. By addressing these risks proactively, organizations can develop comprehensive strategies to defend OT systems, ranging from awareness and asset management to procurement and active prevention.
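The two controls described in the preceding paragraphs, a segmentation boundary with an explicit allowlist and visibility into the traffic crossing it, can be illustrated with a small checker. The following is an added example written for this article, not code from the article or from any vendor product. It applies an assumed boundary policy to constructed flow records (source, destination, destination port, protocol, bytes) and reports inbound sessions that the policy does not permit, remote-access sessions from unapproved or external sources, and sources whose SMB volume into the OT segment exceeds a threshold. Every address range, jump host, port set, threshold and flow line is a constructed assumption.

```python
"""Added example: boundary allowlist plus flow-based visibility for an OT segment.
All ranges, hosts, thresholds and flow lines are constructed assumptions."""
import ipaddress
from collections import defaultdict

# --- Assumed boundary policy (constructed) ---------------------------------
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")   # assumed OT address range
IT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")   # assumed IT address range
# IT hosts allowed to initiate sessions into OT, and on which TCP ports.
ALLOWED_INBOUND = {
    "10.10.5.10": {3389, 22},   # assumed engineering jump host (RDP, SSH)
    "10.10.5.20": {502},        # assumed historian polling Modbus/TCP
}
REMOTE_ACCESS_PORTS = {22, 3389, 5900}   # SSH, RDP, VNC
SMB_PORT = 445
SMB_BYTES_THRESHOLD = 50_000_000         # assumed: 50 MB per source per window

# Constructed flow records captured at the boundary: src,dst,dst_port,proto,bytes
SAMPLE_FLOWS = """\
10.10.5.10,10.20.1.15,3389,tcp,120000
10.10.5.20,10.20.2.40,502,tcp,8000
10.10.7.33,10.20.1.15,445,tcp,30000000
10.10.7.33,10.20.1.16,445,tcp,35000000
10.10.9.4,10.20.3.9,445,tcp,40000
203.0.113.45,10.20.1.15,3389,tcp,900000
10.10.5.10,10.20.1.15,5900,tcp,50000
10.20.1.15,10.10.5.20,502,tcp,5000
"""


def parse_flows(text):
    """Turn the CSV flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, proto, nbytes = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return flows


def into_ot(flow):
    """True for flows initiated outside the OT segment toward a host inside it."""
    return flow["dst"] in OT_SEGMENT and flow["src"] not in OT_SEGMENT


def check_boundary(flows):
    """Return findings as (category, detail) tuples for inbound-to-OT flows."""
    findings = []
    smb_bytes = defaultdict(int)
    for f in flows:
        if not into_ot(f):
            continue   # OT-originated and intra-IT flows are out of scope here
        src = str(f["src"])
        allowed_ports = ALLOWED_INBOUND.get(src, set())
        target = f"{src} -> {f['dst']}:{f['port']}"
        if f["port"] in REMOTE_ACCESS_PORTS:
            # Remote access from outside IT is third-party access by definition;
            # from inside IT it must come from an approved jump host and port.
            if f["src"] not in IT_SEGMENT:
                findings.append(("external_remote_access", target))
            elif f["port"] not in allowed_ports:
                findings.append(("unapproved_remote_access", target))
        elif f["port"] not in allowed_ports:
            # Segmentation policy: any other inbound session not explicitly allowed.
            findings.append(("policy_violation", target))
        if f["port"] == SMB_PORT:
            smb_bytes[src] += f["bytes"]   # accumulate SMB volume per source
    for src, total in smb_bytes.items():
        if total > SMB_BYTES_THRESHOLD:
            findings.append(("excess_smb", f"{src} sent {total} bytes over SMB into OT"))
    return findings


def summarize(findings):
    """Count findings per category so a reviewer sees the shape at a glance."""
    counts = defaultdict(int)
    for category, _ in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    results = check_boundary(parse_flows(SAMPLE_FLOWS))
    for category, detail in results:
        print(f"{category:26} {detail}")
    print(summarize(results))
```

On the constructed sample the checker reports three policy violations (the SMB sessions from hosts with no allowlist entry), one external remote-access session from 203.0.113.45, one unapproved VNC session from the jump host, and one excess-SMB finding for 10.10.7.33. The flow that the OT historian client initiates outward is deliberately skipped; in practice outbound flows deserve their own policy, but the point here is that an explicit allowlist at the boundary turns "unusual" traffic into a concrete, reviewable list.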
Protecting OT is undoubtedly complex due to its specific requirements, such as uptime, productivity, and extended lifecycles. However, it is not an impossible task. Many principles and tools used in IT security can be successfully adapted for OT environments. As the worlds of IT and OT converge, a well-planned cyber response can help merge these worlds instead of causing a collision.
In conclusion, the increasing presence of computer-controlled devices presents both opportunities and challenges. OT devices have the potential to improve various aspects of our lives, but their cybersecurity vulnerabilities can lead to significant consequences. Addressing the issues of uptime, productivity, long lifecycles, and the absence of cybersecurity requirements in the design process is crucial. Implementing segmentation and adopting core elements of cyber defense can mitigate these risks and protect OT systems effectively. With the right approach and awareness, the convergence of IT and OT can be a harmonious one, ensuring the continued advancement and secure operation of computer-controlled devices in our society.
