OT organizations are still moving too slowly toward fully protecting their OT assets – but there are ways to address these challenges.
By Jim Richberg, Field CISO, Public Sector, Fortinet
Let’s start with the bad news first – operational technology (OT) organizations are still moving too slowly toward fully protecting their OT assets – even as industrial systems come under increased threat (with geopolitical events making attacks more likely). A major challenge is that as IT and OT have converged, it’s created new opportunities for bad actors – in other words, there are more vectors for potential attack. It’s no surprise, then, that 93% of OT organizations experienced an intrusion in the past 12 months, and 78% experienced more than three, according to the 2022 State of Operational Technology and Cybersecurity Report.
Here’s the good news – there are ways to address these challenges, including encryption, network segmentation and cybersecurity governance, among others.
The threat landscape is evolving rapidly
The report referenced above finds that enterprises are still moving too slowly to ensure that their operational technology (OT) assets are fully protected. This comes at a time when industrial systems are becoming more essential to the well-being of many businesses, more OT systems are connecting to the internet, geopolitical events are increasing the likelihood of attacks and IP-based threats are getting more advanced and damaging. This confluence of variables is pushing OT security up the risk hierarchy in many enterprises.
While OT security has the attention of corporate leaders, it continues to be owned by relatively low-ranking workers, according to this year’s report. Though security is a factor in most survey respondents’ performance metrics, many are evaluated more on efficiency criteria, which may tempt leaders to cut corners on security.
Enterprises’ security outcomes haven’t changed much during the last year. Money or data loss, brand erosion, downtime, and even lower physical safety were all consequences. Most organizations, without a doubt, have more work to do. However, a small percentage of survey respondents reported experiencing no incursions last year, and the report outlines some best practices that are likely to be used by such organizations. These include implementing role-based network access control (NAC) and making security vulnerability response time one of their top success metrics.
How convergence has changed the game
OT networks used to be air-gapped, isolated environments. Availability and reliability have traditionally taken precedence over cybersecurity in critical infrastructure and production scenarios. However, the advent and proliferation of IT applications that monitor and manage real-time industrial environments has caused OT and IT networks to converge. Because of this convergence, OT is now vulnerable to the same cybersecurity dangers that IT has been dealing with for decades.
Machines and devices may connect and share data thanks to this convergence of IT and OT networks. However, the growing risks to critical infrastructure are significant. You can better protect your business from cyberattacks by understanding the ramifications of convergence.
Five fixes for convergence challenges
- First, focus on network segmentation of IT/OT: To effectively protect data, enterprises must understand how the data flows between IT and OT. To provide visibility into data flow, enterprises should create a data classification and data process framework. Data should be classified according to its level of sensitivity, and access should be controlled or restricted consistent with the data’s sensitivity. Data classification procedures should be documented and followed; doing so will create visibility into data flow and use.
Organizations can intelligently segment network and infrastructure assets using commercially available technology. For example, a next-generation firewall can provide internal, end-to-end segmentation to separate critical IT assets and to assure timely detection and prevention of threats through automated analytics and response measures.
- Encryption during transmission: Encryption is a critical security step, since data transfer can be intercepted by unauthorized third parties. Encryption ensures that sensitive data is not readable by anyone other than the intended receiver when it passes between IT and OT settings.
- Native security and risk assessment: Security should be designed in from the beginning, along with regular risk assessment. Organizations should seek to better understand the security vulnerabilities that may lie within web applications – such as runtime attack vectors in open-source software components – by incorporating native application security measures into their development processes.
- Security at the component level: For software supply chains, component-level security is a key concern. Vulnerabilities in software can arise at any point in the process, from the initial design to post-deployment patching.
- Managing cybersecurity: To secure important information assets against unauthorized access, use, disclosure, alteration or destruction, enterprises should have a well-defined cybersecurity governance framework. To assess an organization’s security posture, a variety of cybersecurity metrics can be used to establish a baseline and to measure change. These metrics can be used to track the performance of security controls and pinpoint problem areas.
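The first fix above (classify data by sensitivity, then segment IT from OT and only permit flows consistent with that classification) can be expressed as a default-deny zone policy. The following is an added example, not code from the article or from Fortinet; the zone subnets, sensitivity levels, allow-list and sample flows are all constructed assumptions.

```python
"""Added example: a small IT/OT segmentation policy checker.
Zones, sensitivity levels and the allow-list below are constructed
sample values, not any vendor's or organization's real configuration."""
from dataclasses import dataclass
import ipaddress

# Constructed zone map: which subnet belongs to which zone.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed data classification framework, ordered by sensitivity.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "safety_critical": 3}

# Allow-list: (src_zone, dst_zone) -> highest sensitivity permitted to cross.
# Anything not listed is denied, and no rule lets IT talk to OT directly:
# traffic must pass through the DMZ.
ALLOWED = {
    ("corporate_it", "dmz"): "internal",
    ("dmz", "ot_control"): "confidential",
    ("ot_control", "dmz"): "confidential",
}


@dataclass
class Flow:
    src: str         # source IP address
    dst: str         # destination IP address
    data_class: str  # classification label carried by the data


def zone_of(ip: str) -> str:
    """Map an address to its zone; unmapped addresses are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow under the policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return "allow", f"intra-zone traffic within {src_zone}"
    ceiling = ALLOWED.get((src_zone, dst_zone))
    if ceiling is None:
        return "deny", f"no rule for {src_zone} -> {dst_zone}"
    if SENSITIVITY[flow.data_class] > SENSITIVITY[ceiling]:
        return "deny", f"{flow.data_class} exceeds {ceiling} ceiling on {src_zone} -> {dst_zone}"
    return "allow", f"{src_zone} -> {dst_zone} permitted up to {ceiling}"


def audit(flows: list[Flow]) -> list[tuple[str, str, str, str]]:
    """Evaluate a batch of flows (for example, exported firewall logs)."""
    return [(f.src, f.dst, *evaluate(f)) for f in flows]
```

Running `audit` over exported flow records surfaces direct IT-to-OT connections and over-classified data crossing a zone boundary, which are exactly the gaps a segmentation review should find.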
Efficiency, productivity, and overall profitability have all improved due to the digitization of operational processes. Even though the convergence of IT and OT has had a significant influence on enterprises, new cyber risks have emerged because malicious actors now have access to newly connected systems. Organizations require security solutions that bridge their IT and OT networks and meet the operational needs of both sides. Segmentation, encryption and the other best practices noted above will help meet the requirements of today’s converged organizations.
About the author:
Jim Richberg is a Fortinet Field CISO focused on the Public Sector working to bring cybersecurity solutions to industry and the public sector following a 30+ year career driving innovation in cyber intelligence, policy and strategy for the United States Government and international partners. He served as National Intelligence Manager for Cyber and the senior Federal Executive focused on cyber intelligence within the $80+ billion U.S. Intelligence Community (IC) annual operating budget. He was the Senior Advisor to the Director of National Intelligence (DNI) on cyber issues and set collection and analytic priorities for the IC’s 17 departments and agencies on cyber threats.