Converging IT and OT systems in the Fourth Industrial Revolution requires a crafted security strategy with segmentation and access controls.
August 19, 2019
By Rick Peters, Operational Technology Global Enablement Director at Fortinet
We stand at the beginning of the Fourth Industrial Revolution (4IR): a fusion of technologies that blurs the lines between the physical and digital worlds. It includes nanotechnology, quantum computing, biotechnology, IoT, autonomous transportation, 3D printing and robotics. In response, organizations are shifting from strict hierarchies to flatter structures, like decentralized consensus, in their decision-making process.
4IR changes herald the transformation of entire systems of production, management and governance. They also provide new opportunities for crime. Cybercriminals exploit the weaknesses within an evolving cyber threat landscape. Organizations are struggling to get ahead of these increasingly sophisticated threats.
IT and OT systems
At the moment, most digitalized organizations run two separate networks:
- The Information Technology (IT) network is composed of laptops and smartphones, connected printers, VoIP communications, ubiquitous applications and servers located in a data center or in the cloud.
- The lesser-known is the Operational Technology (OT) network. It is usually unseen but is responsible for hardware or software that causes a change through the direct monitoring or control of physical devices, processes and events.
These two systems have been running as independent network environments for decades. But digital transformation efforts are driving these two environments together. As digital technologies advance, IT solutions can deliver impressive value when integrated with OT operations.
For example, adding sensors to a production line can help revise processes and improve yield or output, saving millions of dollars. Likewise, connecting commercial systems with sensors and machine learning software can significantly improve a company’s ability to predict system failures in the field. The ability to redirect a manufacturing floor based on real-time market information and efficiencies related to digital modernization means these traditionally isolated systems must work together.
The risk of convergence
Making IT-driven changes in OT-based environments also introduces major risk. For example, legacy systems are vulnerable to attack. Many OT systems depend upon delicate devices that cannot withstand tampering and rely on security models built around inherent trust – many organizations are substantially increasing their OT system risk by providing manufacturers and partners with a high level of physical or digital access into their systems.
As IT and OT systems converge, controls for physical equipment are immediately accessible via connection to external computer networks. The converged infrastructure creates an opportunity for malware and cyberattacks to penetrate industrial organizations. In a recent Forrester Consulting report commissioned by Fortinet, nearly 9 in 10 organizations with a connected OT indicated that they had experienced a breach in their ICS and SCADA systems—with nearly 6 in 10 of them breached in just the past year.
Addressing the challenge
This problem is solvable. It just requires some careful analysis, proper perspective and controlled oversight regarding change—both in the technologies we employ and in the way we think about solving these challenges.
For many organizations, this starts by transitioning away from an inherent trust system – where any “trusted” systems engineer has complete access to virtually any system, process or device – to a zero-trust model. Examine every individual and device operating inside your OT network and ask, “What could happen if this person or device was compromised?”
The natural follow-on step is to quickly implement segmentation and access controls to limit the scope and scale of any breach and employ User and Entity Behavior Analytics to further prevent, detect and respond to abnormal behavior. Fortunately, since most devices inside a typical OT environment have very specific responsibilities, baselining normal behavior and identifying when that behavior falls outside of scope can be relatively straightforward.
Once these best practices are in place, organizations can start to deploy industrial-sized security systems and gain sustainable safe, reliable and continuous operations. Due to the delicate nature of many OT systems, securing an OT environment requires a multi-layered defense where some security is imposed directly on a device or system, while the balance of defense is accomplished via proximity security and controlled segmentation. Equally important, this entire process needs to satisfy regulatory or industry-based security standards.
Partner with innovative security leaders
There is a growing trend for OT customers to integrate OT security solutions through a single vendor rather than relying on the traditional approach that makes security operations very complex to deploy, manage and optimize. Leading OT solutions vendors need to support a single integrated design-in strategy that identifies and shares threat intelligence at speed, correlates data and responds to threats in the OT space without introducing production latency. For the newly converged OT system, manufacturers must create a larger security framework that can accomplish visibility, control and behavioral analytics, both at speed and scalable across the entire distributed network.
About the Author
Rick brings more than three decades of cybersecurity and global partnering experience working across foreign, domestic, and commercial industry sectors at the National Security Agency (NSA). As Fortinet’s Operational Technology Global Enablement Director, he delivers cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. Prior to Fortinet, Rick led development of cyber capability across Endpoint, Infrastructure, and Industrial Control System technologies. Previously, Rick also served as an executive leader supporting the Information Assurance Directorate at the NSA.