September 14, 2018
By: Tom Gilbert, CTO & SVP Engineering at Blue Ridge Networks
Do you remember the days when OT (operational technology) and IT (information technology) departments operated independently? Both groups would go about their individual business operations, without any interaction or crossover.
Fast forward to today, and the growth of IIoT and network-connected OT systems, deployed to spur innovation and productivity, has forced OT and IT to operate interdependently to keep the business running efficiently. Yet many organizations have found that traditional roles and beliefs are hard to break, putting IT and OT in direct conflict and creating a culture clash, and security gaps, that are counterproductive.
IT has often been viewed as ancillary to the main business, working separately from those intimately involved in producing the company’s end product. And when it comes to cybersecurity, IT and OT don’t often see eye to eye. Take the CIA triad of cybersecurity (confidentiality, integrity and availability): IT is generally taught to rank confidentiality first and will patch, reboot or take a system offline to keep it secure. OT ranks availability first, expecting the technology that runs the plant to be operational 100 percent of the time, and views IT’s reboots, patch updates and other forced downtime as a hindrance to production.
This has created an internal tug of war over which tradeoffs and priorities to accept, while opening the door to real security exposures. Consider a situation where users want to collect data points in a factory, or aggregate data from SCADA networks in an oil field, where the equipment is far from the organization’s cloud infrastructure. These organizations are rapidly extending sensors and measurements, and they want to stream that data to the cloud for analytics and insight, critical information for the OT department. However, getting the information there and back introduces all sorts of security risks: every path that carries telemetry out is also a path an attacker can use to reach in.
The overarching challenge is that many standalone systems in the manufacturing industry, such as programmable logic controllers (PLCs), which may be spread across miles of SCADA network, were never designed to be reachable from the public internet. These systems control physical processes and hold sensitive operational data, yet many are now reachable from anywhere in the world. Factor in that OT systems within manufacturing may be more than a decade old, run differing and possibly proprietary operating systems, and offer no common way to apply standard patching, scanning or other cybersecurity practices. Plus, the ‘if it’s not broken, don’t fix it’ culture within OT won’t permit aging equipment to be replaced until the day it dies.
So, what’s an organization to do to enable OT and IT to work together and still keep itself safe from the vulnerabilities interconnected systems can introduce? Here are three steps to get started:
- Find out where your data is flowing. Do you know which devices are talking to the internet, and where the entry points are? The reality is that you can’t secure what you can’t see. With so many OT and IT devices coming and going from your network, you need visibility into every type of device on it. Turn to a monitoring solution that discovers and classifies assets passively from network traffic (flow records, span ports or taps) rather than by active scanning, which can disrupt fragile OT devices, to gain the visibility needed to secure IIoT.
- Isolate and contain. Once you know where the potential points of entry are, the next step is to isolate and contain your OT networks, which were never meant to be publicly accessed, to protect them from attackers while still enabling authorized employee access. With the right solution, you can provide universal connectivity to your network infrastructure without worldwide addressability, a pain killer for both OT and IT. Network isolation and containment shields ICS segments, including devices that cannot take critical updates and patches, from network-borne attacks without needing to know the specific attack vector in advance and without user intervention, because traffic that was never explicitly allowed never reaches the device. It does not replace authentication and auditing of the remote access you do allow.
- Run a pilot program. Don’t feel that you need to immediately purchase and deploy new technology to protect your IIoT devices. Talk to vendors, evaluate your options and consider taking part in a pilot program with a subset of your business, potentially with more than one vendor offering complementary technology. This can be a no-cost way to test the waters and see which solution best addresses your cybersecurity goals.
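The first two steps above, discovering which OT assets exchange traffic with the outside world and then deriving a default-deny allow-list for the conduit in front of them, can be worked through on flow records. The following is an added example written for this page, not Blue Ridge Networks’ product or tooling. It assumes a site address plan built on the RFC 1918 ranges, a small set of well-known ICS ports (Modbus, DNP3, EtherNet/IP, S7comm, BACnet) as the asset-classification signal, and a constructed set of NetFlow-style records; the `ot_containment` table name and the nftables rendering are illustrative choices.

```python
"""Added example: discover OT assets from flow records, flag any that talk to
or are reached from non-internal addresses, and derive a default-deny
allow-list for the conduit in front of them.  Not vendor code."""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows (not real data): the subset of a NetFlow/IPFIX
# export that the analysis needs.  203.0.113.0/24 and 192.0.2.0/24 stand in
# for public addresses.
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,proto,bytes
10.20.1.15,10.20.1.40,502,tcp,18240
10.20.1.15,203.0.113.44,443,tcp,92000
10.20.1.16,10.20.1.40,20000,tcp,4100
10.20.1.15,10.20.1.41,502,tcp,2200
10.30.0.5,10.20.1.41,44818,tcp,900
10.30.0.5,203.0.113.10,80,tcp,3000
192.0.2.77,10.20.1.40,502,tcp,600
"""

# Well-known ICS ports: a device answering on one is treated as a PLC/RTU-class
# server, the peer as an OT client (HMI, historian, engineering workstation).
OT_PORTS = {502: "modbus", 20000: "dnp3", 44818: "ethernet-ip",
            102: "s7comm", 47808: "bacnet"}

# Assumed site address plan (RFC 1918).  Checked explicitly rather than via
# ipaddress.is_private, which also counts documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    octets: int


@dataclass(frozen=True)
class Exposure:
    direction: str   # "inbound" (external -> OT asset) or "outbound"
    asset: str
    peer: str
    dst_port: int


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    return [Flow(r["src_ip"], r["dst_ip"], int(r["dst_port"]), r["proto"],
                 int(r["bytes"])) for r in csv.DictReader(io.StringIO(text))]


def classify_assets(flows):
    """Map internal IP -> {"roles", "protocols"} from observed ICS port usage."""
    assets = defaultdict(lambda: {"roles": set(), "protocols": set()})
    for f in flows:
        name = OT_PORTS.get(f.dst_port)
        if name is None:
            continue
        if is_internal(f.dst):
            assets[f.dst]["roles"].add("plc/rtu")
            assets[f.dst]["protocols"].add(name)
        if is_internal(f.src):
            assets[f.src]["roles"].add("ot-client")
            assets[f.src]["protocols"].add(name)
    return dict(assets)


def find_exposures(flows, assets):
    """Step 1: which OT assets exchange traffic with non-internal addresses?"""
    findings = []
    for f in flows:
        src_in, dst_in = is_internal(f.src), is_internal(f.dst)
        if src_in and dst_in:
            continue
        if src_in and f.src in assets:
            findings.append(Exposure("outbound", f.src, f.dst, f.dst_port))
        elif dst_in and f.dst in assets:
            findings.append(Exposure("inbound", f.dst, f.src, f.dst_port))
    return findings


def build_allowlist(flows, assets):
    """Step 2: per PLC/RTU, the internal (client, port, proto) tuples observed."""
    allow = defaultdict(set)
    for f in flows:
        if (f.dst in assets and "plc/rtu" in assets[f.dst]["roles"]
                and f.dst_port in OT_PORTS and is_internal(f.src)):
            allow[f.dst].add((f.src, f.dst_port, f.proto))
    return dict(allow)


def render_nftables(allowlist):
    """Default-deny forward chain; anything not listed never reaches the PLC."""
    lines = ["table inet ot_containment {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for server, peers in sorted(allowlist.items()):
        for client, port, proto in sorted(peers):
            lines.append(f"    ip saddr {client} ip daddr {server} "
                         f"{proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    assets = classify_assets(flows)
    for e in find_exposures(flows, assets):
        print(f"EXPOSURE {e.direction:8} asset={e.asset} peer={e.peer} dport={e.dst_port}")
    print(render_nftables(build_allowlist(flows, assets)))
```

On the constructed flows the script reports two HMI/workstation hosts reaching out to public addresses and one PLC being reached on Modbus from a public address; the generated allow-list contains only the internal client-to-PLC pairs that were actually observed, so the public peer is dropped by policy without the rule set knowing anything about how it got there. The caveat is that an allow-list learned from traffic is only as complete as the capture window: run it across a full production cycle, including maintenance, before enforcing it.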
Maintaining the integrity of your infrastructure, whether manufacturing supply chains, power grids, water treatment plants, communications networks or another critical service, is imperative to the livelihood of your business and our economy. Minimizing the very real and advanced threats to critical systems, as well as preventing downtime of those systems across industries, has to be a top priority. When done correctly, your IT department can confidently check the cybersecurity boxes and keep threats at bay, while OT delivers the performance and results to catapult the business forward.
About Tom Gilbert
Tom Gilbert has supported the definition and development of cyber-security products and services for more than 30 years. His extensive security experience and technical background have been strong assets in bringing Blue Ridge Networks products and services to market quickly and successfully. Like many members of the Blue Ridge team, Gilbert has seen his share of “firsts” in the technology industry. He was on the first team to provide commercial delivery of high-speed multimedia over satellite while working at Satellite Business Systems, a $1 billion company. He was also on the team that developed and launched the first V-LAN during his tenure at Network Systems Corporation, where he served as director of business development, marketing director, technical sales consultant, and a national account sales manager leading the IBM and AT&T accounts.
Gilbert also managed the worldwide development and support of programming tools at IBM. He received a Bachelor of Science from Rensselaer Polytechnic Institute in Troy, New York.