The challenge of merging IT and OT security
13 Jun
OT security leaders must guide C-suites to a ‘this could happen to us’ epiphany, or risk disaster, says Hadi Jaafarawi, managing director for Middle East, Qualys.
In recent years, amid the whirlwind of cyberattacks that hit organisations as they hybridised their infrastructures, IT security was a frequent concern of boards and cases. But in a region engaged in rapid economic diversification, particularly in the manufacturing and heavy industry spaces, security investment for operational technology (OT) and industrial control systems (ICS) is strangely lagging.

The lack of action is troubling for two reasons. One, OT/ICS systems are at the core of industries that governments have singled out as ripe for digitisation. The United Arab Emirates’ Operation 300bn initiative is just one illustration of this point. This means that entire nations have a greater stake than ever in such industries not being victims of a cyberattack. The second reason for alarm is that regional OT is more vulnerable than ever because it is no longer air-gapped. Modern efficiency drives have made it necessary for ICS to join the Internet of Things. At a time when downtime would be more damaging than ever, it is more likely than ever before.

This calls for immediate action. According to the Dragos 2022 ICS/OT Cybersecurity Year in Review report, just over half (53%) of ICS and OT systems now have external network connections. IT and OT are starting to merge. But if that is so, we must rise to the challenge of merging their security and governance.
Visibility and Discovery
Gone are the days when we could simply prioritise operations and consider cybersecurity a frivolous luxury in OT. Like its IT counterpart, OT now recognises the critical nature of comprehensive visibility — the obvious need to know what the security team is protecting. IT teams use metrics such as the percentage of assets that are managed versus those that are unmanaged. Vulnerability tracking is not an exact science, but it is improving, despite the new hybrid reality where connected user devices hop the corporate perimeter fence and return at will multiple times daily.

OT must find a way to duplicate this level of control. While physical plant machinery isn’t subject to a user’s whimsical road trip the way a laptop or tablet would be, it still has multiple interconnected components, including staff-assigned IT assets that can move off premises. OT ecosystems are notorious for unknown assets and unknown connections. This realisation alone makes the case for enhanced procedures — asset management, patching, network segmentation, threat intelligence, and more.

Think about Industroyer, malware that targeted ICS systems used in electrical substations in Ukraine. Consider the general-purpose INCONTROLLER, which goes after programmable logic controllers (PLCs) to access devices, download and upload files, and exploit vulnerabilities. OT attacks are on the rise. Even if you are not following specific strains, you will have heard of the US Colonial Pipeline story. The real damage is occurring, with direct economic and safety consequences.
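The visibility metric described above (managed versus unmanaged assets) and the two blind spots the article names (unknown assets and unknown connections) can be reported from the same data. The following is an added example, not code from the article or from Qualys: it reconciles constructed passive-discovery flow records against a constructed asset register, computes the managed percentage of devices actually seen on the network, lists devices that are on the wire but not in the register, lists register entries never observed, and flags any connection to an address outside the plant ranges. The MAC addresses, IP ranges and protocol names are all made up for illustration.

```python
"""Added example: reconcile observed OT network devices against an asset register.

All register entries, flow records and address ranges below are constructed
sample data, not taken from any real plant."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed asset register: what the OT team believes it owns and manages.
ASSET_REGISTER = {
    "00:80:f4:aa:01:01": {"name": "PLC-Line1", "owner": "Plant Eng", "managed": True},
    "00:80:f4:aa:01:02": {"name": "HMI-Line1", "owner": "Plant Eng", "managed": True},
    "00:80:f4:aa:01:03": {"name": "PLC-Line2", "owner": "Plant Eng", "managed": True},
    "00:1b:1b:bb:02:01": {"name": "Historian", "owner": "IT", "managed": True},
    "00:50:56:cc:03:01": {"name": "Eng-Laptop-07", "owner": "IT", "managed": False},
}

# Constructed passive-discovery records: (src_mac, src_ip, dst_ip, dst_port, protocol).
OBSERVED_FLOWS = [
    ("00:80:f4:aa:01:01", "10.10.1.10", "10.10.1.20", 502, "modbus"),
    ("00:80:f4:aa:01:02", "10.10.1.20", "10.10.1.10", 502, "modbus"),
    ("00:1b:1b:bb:02:01", "10.10.2.5", "10.10.1.10", 44818, "enip"),
    ("00:50:56:cc:03:01", "10.10.3.40", "10.10.1.10", 502, "modbus"),
    ("00:50:56:cc:03:01", "10.10.3.40", "203.0.113.7", 443, "tls"),     # laptop reaching outside
    ("a4:5e:60:dd:04:01", "10.10.1.77", "10.10.1.10", 502, "modbus"),   # device not in register
    ("a4:5e:60:dd:04:01", "10.10.1.77", "198.51.100.9", 8883, "mqtt"),  # unknown device, external
]

# Address ranges the plant treats as internal; anything else is an external connection.
INTERNAL_NETS = [ip_network("10.10.0.0/16")]


@dataclass
class VisibilityReport:
    seen_macs: set = field(default_factory=set)
    managed_seen: int = 0
    unknown_assets: dict = field(default_factory=dict)        # mac -> set of source IPs
    not_observed: set = field(default_factory=set)            # register names never seen
    external_connections: list = field(default_factory=list) # (name, src_ip, dst_ip, port, proto)

    @property
    def managed_pct(self) -> float:
        """Share of devices actually observed that are registered and managed."""
        if not self.seen_macs:
            return 0.0
        return round(100.0 * self.managed_seen / len(self.seen_macs), 1)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the plant's internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_report(flows, register=ASSET_REGISTER) -> VisibilityReport:
    """Reconcile observed flows against the register and collect the findings."""
    report = VisibilityReport()
    for mac, src_ip, dst_ip, port, proto in flows:
        entry = register.get(mac)
        if mac not in report.seen_macs:
            report.seen_macs.add(mac)
            if entry and entry["managed"]:
                report.managed_seen += 1
        if entry is None:
            # On the wire but not in the register: an unknown asset.
            report.unknown_assets.setdefault(mac, set()).add(src_ip)
        if not is_internal(dst_ip):
            # Any connection leaving the plant ranges is worth a second look.
            name = entry["name"] if entry else f"UNKNOWN({mac})"
            report.external_connections.append((name, src_ip, dst_ip, port, proto))
    # Register entries that never appeared may be offline, decommissioned, or mis-recorded.
    report.not_observed = {v["name"] for k, v in register.items() if k not in report.seen_macs}
    return report


if __name__ == "__main__":
    r = build_report(OBSERVED_FLOWS)
    print(f"managed coverage of observed devices: {r.managed_pct}%")
    print("unknown assets:", r.unknown_assets)
    print("registered but not observed:", r.not_observed)
    for conn in r.external_connections:
        print("external connection:", conn)
```

Running this over the sample data gives 60% managed coverage (three managed devices out of five seen), one unknown device, one registered device never observed, and two external connections, one of them from the unknown device. The same structure works whatever the discovery source is; the point is that the percentage, the unknown-asset list and the external-connection list come out of one pass and can be tracked as KPIs over time.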
Prevention starts with an overhaul of access controls and continues with improvements in intrusion-detection and analysis capabilities. Real-time asset detection will help with both steps. While a lot of good work on industry standards has already happened, each organisation can take matters into its own hands. Merging IT and OT security management into one team will help. But this is a challenge because of the difference in skill sets. OT teams tend to have engineering backgrounds and prioritise operational uptime. IT teams are steeped in data, software, and network topology and think little of users having a cup of tea while their desktop or laptop is patched or upgraded.

Critical infrastructure such as production lines, power generators, or drills have no interest in tea breaks and could not afford to take them if they did. They must operate 24/7. How do we apply patches to such machinery? Downtime has a direct impact on revenue. And while those with an IT background may make the reasonable point that downtime will be longer if a cyberattack occurs, the OT mindset may not be receptive to offline repairs when equipment is operating within normal parameters. It is important to merge the teams so that the issue of controlled outages vs uncontrolled outages can be adequately aired and addressed at the policy level.

In the end, the conversation can be boiled down to the balance sheet. The board’s primary responsibility is to shareholders, and many industry analysts predict that risk-based KPIs will soon be written into C-level employment contracts. A CISO who can present a cyberattack as a greater risk than planned downtime will find it increasingly easy to grab the attention of senior executives in the coming years.
With the right metrics, security leaders can compare the short-term effects of upgrades against the devastating potential losses from attacks. Many cautionary tales are out there to help drive home the point — from Colonial Pipeline to the closer-to-home Saudi Aramco’s 2012 tussle with Shamoon. Real-world consequences can help to dispel the abstract perception many non-cybersecurity executives have of an attack scenario. Following their ‘This could happen to us’ epiphany, senior executives may be more open to planned downtime. If downtime is impossible for operability or safety reasons, mitigation measures will at least become a task for multiple teams rather than just the SOC, and the costs of inaction will be better understood.

Security will then be able to work more effectively across IT and OT to protect sensitive assets. Processes like applying updates will be structured correctly and tied to risk management. New threats targeting ICS and OT systems will still be there, but teams will no longer be powerless in combating them. And with a common team pulling in a common direction toward a common purpose, the organisation will be better prepared for the sinister forest ahead.