For many years, a topic of conversation in the utilities space has been that the traditional corporate IT and operational technology (OT) worlds are converging.
In the IT world, it’s the hardware, software, network resources and other devices used for back-end functions that perform various business operations, such as sales, development, maintaining customer information, billing, and revenue collection. Predominantly, these devices are located in offices, server rooms and data centers. In the OT world, there are field-based devices that are used to perform actual operations. These OT systems are usually proprietary technologies, which are vendor-specific. They operate in a real-time or near to real-time environment.
So, the convergence of the IT and OT worlds is about integrating operational technologies, such as SCADA, remote terminal units, sensors, meters and smart meters. These technologies are working in real time or near to real time with IT systems to ultimately promote a single view of an organization’s information and process management to help ensure that every user, application, sensor, switch or other device has the right information, in the right format, at the right time.
With these operational benefits in mind, we now need to think about the cybersecurity threats that the converged IT and OT worlds create for utilities. Unlike systems in the IT world, which can be (and sometimes are) updated with service packs, new releases and bug fixes, systems in the OT world are rarely, if ever, updated. It is very common, if not the norm, for these systems to be running the same software they were initially set up with, which, in many cases, can be 10 or more years old.
Furthermore, these devices have very little security capability because they were installed at a time when, even with an “air gap” or physical separation from systems in the IT world, they were considered to be “secure.” Traditional firewalls were used to create the silos between the two worlds. Whilst still being used today, they alone are not enough. Because security lags in the OT world, it will usually be a softer target than the IT world, and so compensating measures, such as physical perimeter and cyber perimeter protections, will always be more important for OT than for IT.
In the IT world, the number of applications, devices and services now in use creates a larger attack surface, which becomes a bigger target if it is left unprotected or if the focus is placed only on preventing new or unknown attacks. If basic hygiene (patching operating systems and applications) is not maintained on these systems, a compromise becomes possible. Take a look at the US-CERT’s recently released alert regarding the 30 most prevalent vulnerabilities in targeted attacks that took place in 2014. The startling fact is that vulnerabilities from 2012 and earlier make up more than half of the list.
Moreover, once a host is compromised, it allows an attack to “cross over” to the OT world. One recent example is a targeted attack against a German steel mill in which the blast furnace suffered “massive” damage [1]. Attackers were able to compromise the steel mill’s IT network and, from there, reach into the OT network.
So what are the fundamentals needed to secure this environment?
We need to see what is traversing our systems and understand the risks by gaining visibility. Whilst many people may see this as an arduous process, the capability exists in most advanced network appliances, which can provide deeper visibility with no disruption to daily operations in either the IT or OT worlds. Once that is done, a process can begin to segment the OT systems into security zones based on risk profiles and security requirements, to control which users access the systems and which applications they use. This allows a “least privileged” access model, in which only explicitly authorized protocols, applications and users are allowed.
Network segmentation is an effective method to reduce the scope of attack and reduce risk, but only if it is deployed correctly with prevention in mind. Merely turning a device on and logging does not give you the control needed. Protecting data with tighter segmentation, based on application whitelisting, a user access control model based on least privileged access, and systematically inspecting all payloads, including those of authorized applications, will reduce risk significantly, enabling security teams and advanced security tools to operate at their best.
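The zone model described above, as an added example that is not part of the original article: a default-deny allow-list evaluated per flow, where the application identity is matched separately from the destination port (so inspected payloads that do not match the authorized application are refused) and users must be explicitly authorized. The zone names, address ranges, user names and the Modbus/TCP rule are constructed for illustration.

```python
"""Zone-based least-privilege policy check for converged IT/OT traffic.

Added example, not from the original article. Zone CIDRs, hosts, users
and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Constructed security zones: IT office, IT DMZ, OT engineering, OT control.
ZONES = {
    "it_office":  ipaddress.ip_network("10.10.0.0/16"),
    "it_dmz":     ipaddress.ip_network("10.20.0.0/24"),
    "ot_eng":     ipaddress.ip_network("10.30.0.0/24"),   # engineering workstations
    "ot_control": ipaddress.ip_network("10.40.0.0/24"),   # SCADA servers, RTUs
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    app: str            # identified application, not just the port it rides on
    dport: int
    users: frozenset    # explicitly authorized users; "any" means no user restriction

# Allow-list. Anything not matched below is denied (default deny).
# Note there is deliberately no rule from it_office to ot_control.
RULES = [
    Rule("ot_eng", "ot_control", "modbus-tcp", 502, frozenset({"ops.alice"})),
    Rule("it_office", "it_dmz", "https", 443, frozenset({"any"})),
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its security zone, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate(src_ip: str, dst_ip: str, app: str, dport: int, user: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one observed flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "source or destination outside any defined zone"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.app, r.dport) == (src, dst, app, dport):
            if "any" in r.users or user in r.users:
                return "allow", f"matched {r.src_zone}->{r.dst_zone} {r.app}/{r.dport}"
            return "deny", f"user {user!r} not authorized for {r.app} into {dst}"
    return "deny", f"no rule for {src}->{dst} {app}/{dport} (default deny)"
```

Running a flow that reaches port 502 but is identified as a different application, or a flow from the IT office straight to the control zone, yields a deny even though a logging-only deployment would simply record it.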
Additional security best practices that complement the convergence include organizational processes: establishing ongoing risk management procedures, routine self-assessments, and periodic security audits and reviews, carried out by teams skilled in a streamlined approach that focuses on least privilege and on inspecting and preventing attacks from crossing between the two worlds.
Cybersecurity needs to be an integral part of the conversation about IT and OT convergence. For all of the operational benefits convergence brings, it also carries significant risk. Proactive cybersecurity as part of that convergence is the most effective way to mitigate that risk. If treated as an afterthought, the chances of success are much lower.
[1] http://www.wired.com/2015/01/german-steel-mill-hack-destruction/