Historically, information technology (IT) and operational technology (OT) environments were designed to operate independently, be managed separately by different teams with different objectives, and have absolutely no connectivity between one another. These conditions, however, have changed dramatically over the past decade — largely due to the acceleration of digital transformation. Organizations in all sectors have since become increasingly reliant on newer types of cyber-physical systems and other technologies that both require and continue to expand connectivity between IT and OT. As a result, these previously disparate environments are converging, giving rise to undeniable business benefits ranging from greater efficiency and sustainability to innovation. Unfortunately, this convergence is also fueling new risks and challenges — particularly when it comes to IT and OT cybersecurity.
The main objective of any IT environment is to manage and process data and information and the various systems through which it flows. Examples of IT systems include servers, computers, software applications, databases, and other resources used for communication, data and information storage, and/or analysis. The major responsibility of IT systems is to manage the data and information used to support business operations.
OT, on the other hand, is responsible for managing and controlling physical devices which are typically involved in the production or delivery of goods and services. Examples of OT systems include industrial control systems (ICS), sensors, robotics, and more that are used in critical infrastructure industries. The major responsibility of OT systems is to manage the control and automation of physical processes and the devices that are critical to business operations. To break it down in the simplest terms, IT is focused on data and communication while OT is concentrated on behaviors and outcomes.
The integration of IT and OT systems has created more connectivity between these two previously disparate environments, leading to improved efficiency, increased visibility and control over operations, and better decision-making capabilities for an organization. A prime example of IT/OT convergence is industrial internet of things (IIoT) devices, which involve the connection of physical devices, sensors, and machines to IT networks, often via the cloud. These devices enable data collection, remote monitoring, and analysis of performance — allowing critical infrastructure organizations to improve automation, predict maintenance, and make real-time decisions.
This form of IT/OT convergence has allowed organizations to greatly accelerate their digital transformation initiatives. By converging IT and OT systems, organizations can further automate their processes to reduce human error, increase productivity, and streamline their operations. They can also gain deeper insights into their operations and make data-driven decisions with enhanced visibility into data. As a critical enabler of digital transformation, IT/OT convergence helps align operational processes with digital capabilities, thereby changing the ways businesses deliver value. Although converged IT/OT brings the promise of cost savings and resource efficiencies, this rise in interconnectivity has also brought its share of challenges. As more IT devices and systems become interconnected with OT environments, and the extended internet of things (XIoT) continues to expand, more organizations will face the implications that come with it.
IT and OT systems have very different security requirements and face unique cyberthreats, which has caused IT and OT operations within an organization to be siloed. There is a need for specialized security controls and collaboration between IT and OT security teams to ensure their systems are protected against cyberthreats. To do this, organizations require security professionals who have expertise in both IT and OT security to ensure the safety and security of critical infrastructure and processes. Following these steps for a converged IT/OT security operations center (SOC) will allow your organization to present a unified front against attacks, and protect your environment in a holistic manner. These steps are also a great place to start when addressing the other implications the siloed nature of IT/OT convergence has led to, including:
IT devices and systems were developed to manage and process information using computers and software. These devices were designed to be connected to the internet and have been secured to protect the confidentiality, integrity, and availability of information. OT, on the other hand, was initially designed to manage and control physical devices and processes, and was never intended to be connected to the internet — which is why security protections were never built into the devices. As digital transformation continues to flourish and more IT systems converge with OT devices, their interconnectivity has expanded the attack surface for cyber criminals, giving them new pathways into these inherently insecure OT environments.
Amplifying the inherent insecurity of OT, many OT devices were built decades ago and typically communicate with one another via proprietary protocols that are largely incompatible with traditional IT security solutions. Because of the fragility and complexity of OT assets, it is difficult for them to handle the volume and type of traffic generated by traditional IT solutions. Using a traditional IT security solution on an OT asset can result in disaster, as OT systems operate in real time and cannot tolerate the latency associated with IT systems. Their incompatibility, due to differences in hardware, software, and communication protocols, can cause disruptions to an OT system which can have an immediate and severe impact on safety, productivity, and revenue.
As noted above, the prevalence of legacy systems and proprietary communication protocols in OT environments makes them largely incompatible with traditional IT solutions — including those used to support asset inventory. Therefore, IT security teams typically have difficulty gaining a complete inventory of OT assets, making it impossible to identify and assess threats and vulnerabilities. Without granular device attributes such as the exact model, firmware version, and configuration, security personnel will also find it difficult to match assets to common vulnerabilities and exposures (CVEs).
Cybersecurity poses critical concerns for both IT and OT, but there are fundamental differences in how to protect the two that require different approaches. One of the main differences is the types of assets that need to be protected in IT environments vs those in OT. As previously mentioned, IT systems are primarily used for the storage and processing of data, while OT systems control physical processes and systems. This means that IT cybersecurity is mainly focused on protecting sensitive information such as social security numbers, protected health information (PHI), or education records. The impact of a cyberattack on sensitive data for example can result in reputational damage, theft, financial losses, or fines.
OT on the other hand focuses on ensuring the safety and reliability of critical infrastructure in industries such as oil and gas, chemical, electric, transportation, and manufacturing. To reiterate, unlike IT, the OT devices that provide these critical functions can have a lifespan of several decades and can be widely distributed across physical sites or plants. They also commonly use proprietary protocols which cannot be deciphered using traditional security tools, making it impossible to gain full visibility in the OT network. Since OT networks are so fragile, the use of traditional vulnerability scanning can cause OT device failure, and in some cases, entire plants can go offline. Additionally, remote access connections are commonly used by in-house support staff or third-party vendors to service OT assets. Visibility into these remote sessions is necessary for auditing, change management, and risk assessments but traditional IT remote access solutions are not suitable for industrial environments.
Repercussions of cyberattacks on OT in critical infrastructure organizations can be far more dire, including facility shutdowns, equipment malfunctions, and even power plant explosions. These consequences affect far more than data, and can have a detrimental impact on health and human safety. As we know, connectivity is increasing rapidly, and the unintended consequences of this connectivity will only become more severe as cybercriminals grow more sophisticated in their attacks. Now is the time to establish a strong cybersecurity strategy that differentiates between the risks of IT and OT and successfully defends your organization from attacks.
Now that we understand the consequences of cyberattacks on OT systems in critical infrastructure organizations, it's important to understand the definition of OT vulnerabilities and how to protect against them. OT vulnerabilities can be defined as CVEs, misconfigurations, or other security flaws in an OT system that have the potential to be exploited by a hacker to gain unfettered access or control over said systems. OT vulnerabilities can arise due to some of the following issues:
If OT networks are not properly segmented, an attacker who gains access to one part of the network has the potential to move laterally through the entire OT environment.
In critical infrastructure organizations, it is common to have a mix of new and legacy devices in the environment. These legacy devices often run outdated software that is no longer supported — leading to CVEs and other vulnerabilities.
If remote access to OT by internal personnel and/or third parties such as maintenance technicians or original equipment manufacturers (OEMs) is not properly controlled, monitored, and secured, attackers can exploit these conditions to gain unauthorized access to the system.
Weak passwords that can be easily guessed or are used across various personal and professional platforms make it simple for hackers to breach OT systems. Without visibility into user sessions, breaches can be difficult to identify and mitigate.
The challenges listed above can result in a wide range of consequences including financial losses, production downtime, environmental damage, and hazards to human health and safety. That is why it is crucial to understand that each OT system is unique and has its own specific vulnerabilities that require identification and remediation.
But before teams can evaluate which vulnerabilities to prioritize, they must determine which ones are present. This process starts with gaining a comprehensive, detailed, and up-to-date inventory of each asset in your OT network. Next, to pinpoint vulnerabilities in your environment, you must be able to correlate the details of each of your OT assets against a database of the latest CVEs and other vulnerabilities. This database must be extensive and, in addition to CVEs, also include vulnerable protocols, misconfigurations, and more to enable organizations to identify security flaws with accuracy and efficiency. The challenge, however, with establishing a strong vulnerability management and overall OT security strategy is where to begin.
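The correlation step described here, and the point made earlier that an asset cannot be matched to CVEs without its exact model and firmware version, as an added example (not Claroty's code or data). Every asset, advisory and CVE identifier below is a constructed placeholder; the assumed inputs are an inventory record per asset and an advisory record that names the affected model and the firmware version that fixes it.

```python
"""Correlate an OT asset inventory against a vulnerability database.
Added illustration; all records and CVE ids are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    model: str
    firmware: Optional[str]   # None models an asset the inventory could not fingerprint
    protocols: frozenset      # protocols observed on the device


@dataclass(frozen=True)
class Advisory:
    id: str
    vendor: str
    model: str
    fixed_in: Optional[str]   # versions below this are affected; None = no fix (end-of-life)


def parse_version(v: str) -> tuple:
    """'2.10.1' -> (2, 10, 1) so firmware versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed placeholder advisories (CVE-0000-* are not real identifiers).
ADVISORIES = [
    Advisory("CVE-0000-0001", "ExampleVendor", "PLC-100", "2.10.0"),
    Advisory("CVE-0000-0002", "ExampleVendor", "PLC-100", None),
]
# The "vulnerable protocols" the text mentions: unauthenticated, cleartext protocols.
UNAUTHENTICATED_PROTOCOLS = {"modbus/tcp", "telnet"}


def correlate(assets, advisories) -> dict:
    """Return {asset name: findings}. An asset without a firmware version is reported
    as unmatchable instead of being silently treated as clean."""
    findings = {}
    for a in assets:
        hits = []
        if a.firmware is None:
            hits.append("UNMATCHABLE: firmware version unknown")
        else:
            for adv in advisories:
                if (adv.vendor, adv.model) != (a.vendor, a.model):
                    continue
                if adv.fixed_in is None or parse_version(a.firmware) < parse_version(adv.fixed_in):
                    hits.append(adv.id)
        hits += sorted(f"INSECURE-PROTOCOL: {p}" for p in a.protocols & UNAUTHENTICATED_PROTOCOLS)
        findings[a.name] = hits
    return findings
```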
According to Claroty’s biannual State of XIoT Security report, their Team82 researchers found that of the 688 published vulnerabilities in the second half of 2022, 74% of those affected OT devices. They also found that “62% of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS, while one quarter of published vulnerabilities impact Level 1, or Basic Control devices, including PLCs and other controllers and sensors”. These statistics show the urgent need to implement a strong OT security framework — where network segmentation and secure access are successfully implemented.
At times, mitigation is the only available remediation option when dealing with legacy ICS devices that have end-of-life status and are no longer supported by the affected vendor. Network segmentation is a top step organizations need to consider when mitigating cyber risk. By separating critical zones with virtual segmentation, organizations can set zone-specific policies that are tailored to engineering and other process-oriented functions. Network segmentation has become a necessary control as air-gaps shrink and perimeters diminish as organizations move data, applications, infrastructure and services to the cloud. With a network protection solution, like Claroty’s XDome, organizations can get visibility into their critical assets and their behavioral patterns to automatically define and recommend network communication policies. These capabilities allow organizations to lay the foundation for Zero Trust practices, which are core to improving your overall cybersecurity posture.
Segmentation goes hand-in-hand with secure access, which is typically the second most recommended mitigation for OT security. Secure access involves securing remote user sessions through the use of granular role-based access controls (RBACs), encryption, multi-factor authentication, and other Zero Trust-based capabilities that mitigate risks posed by remote users without infringing upon their use cases. Claroty’s secure access tool, for example, is purpose-built for the specific operational, administrative, and security needs of industrial networks — unlike traditional remote access solutions, which are designed solely for IT systems. With RBACs and comprehensive monitoring, organizations can ensure that only necessary access is being provided to the right users. This granular visibility and control over third-party users and employees allows administrators to monitor activity in real time and respond to any malicious activity that may arise. Secure Access helps organizations minimize the OT attack surface, reduce exposure to cyber risks, and strengthen incident response capabilities.
Now that we understand the difference between IT and OT systems security, your organization can implement a successful security framework to protect your unique environment. As we’ve now learned, traditional IT security solutions are not equipped to protect OT systems. In the midst of IT/OT convergence, a successful cybersecurity framework demands greater collaboration between IT and OT teams, and a solution that can secure all critical assets within the environment. As OT vulnerabilities continue to dominate the top impacts affecting industrial control systems, it is paramount that organizations act quickly to implement remediation efforts such as network segmentation and secure access. These security measures serve as the foundation for your overarching strategy and will lay the groundwork for strong cybersecurity posture.