A recent survey finds a troubling number of OT security breaches as manufacturers move toward IT-OT convergence.
By Rick Peters, CISO, Operational Technology, North America, Fortinet
The Industrial Internet of Things (IIoT) enables real-time decision making and significant cost savings, especially with respect to resource consumption and employee efficiency. Despite these benefits, however, organizations must also understand the potential security risks they are facing as IT and Operational Technology (OT) departments and their respective support systems converge. Absent an effective OT security plan, the enterprise infrastructure, including ICS/SCADA systems, is left vulnerable to cyberattacks that could result in financial loss, reputational damage, and diminished consumer confidence, and could threaten the safety of citizens – and in the case of critical infrastructure, even place national security at risk.
Exposure to New Threats
It’s difficult to overemphasize the need to protect the OT networks of enterprises and their integrated ICS/SCADA systems. In fact, the cyber physical plant in its entirety represents an enormous investment and clearly warrants proportional proactive security consideration. There’s an absolute dependence on safe and sustained operations that span everything from manufacturing to utilities to transportation infrastructure – many of these OT verticals comprise and deliver a range of services that citizens around the globe depend on daily. This risk raises a significant number of cybersecurity concerns as these historically air-gapped systems are now exposed to cyber risks and a considerably broader attack surface.
New research from Fortinet and Forrester surveyed industry leaders who manage and maintain OT infrastructure to gain better insight into security trends and practices affecting their operations.
Here are three of the most significant findings:
OT is Falling Victim to Security Breaches
The proliferation of OT security breaches is worrisome. While only 10% of the study’s respondents reported that they have never experienced this type of threat, more than half – 58% – said they’d had a breach in the past 12 months. This is attributable to OT systems becoming a high-value target of interest for cyberattacks. It is no surprise, then, that there has been a strong drive within organizations to commit greater resources to security – with 78% planning to increase their OT security budgets this year.
Intentional Move Toward IT-OT Convergence
In the past, OT systems preferred an “air gap” to achieve security since they functioned as wholly independent and isolated networks. This was in part due to the fact that they were built on legacy software, with hardware and life cycles measured in decades. Naturally, one significant takeaway from the shift to converge IT and OT networks is the increased risk that IT networks can pose to these previously isolated environments. Another is the risks introduced through the expansion of the potential attack surface. Indeed, the pursuit of operational efficiency through IT/OT convergence and broader connectivity promoted the exposure of OT networks to more traditional IT threats.
The recent survey also found that organizational leaders are concerned about the complex nature of converged IT/OT systems. Almost all respondents (96%) foresee challenges as they move toward convergence, resulting in deliberate, careful movements that center on concerns about security. Among respondents, more than one-third reported worrying about the following OT security challenges:
- Keeping up with the latest security tactics and protocols
- Third parties lacking the security expertise to help with converged technology and IoT
- The compromise of sensitive or confidential data
- Increased regulatory pressures for ICS/SCADA
- In-house security teams that lack the expertise to secure converged technology and IoT
- Breaches due to growth in connected smart devices
- The inability to achieve isolation or containment when a breach occurs
Increased regulatory pressures for ICS/SCADA have also become a growing concern for those managing OT systems. Seven in ten report mounting compliance pressures over the past year. The regulations with the most significant impact are the Federal Information Security Management Act (FISMA), the EU Data Protection Directive (GDPR), and International Society (ISA) Standards.
The Importance of Partners
Exposing proprietary OT infrastructure to business partners constitutes an additional source of risk and concern. Granting appropriate privileged access to appropriate personnel is critically important, especially when those outside the organization require access to internally controlled resources. Those organizations that were most successful with securing their environments were also 129% more likely to severely limit or even deny access to their business partners.
Along similar lines, OT organizations with the fewest breaches also closely governed access to IT providers, granting only moderate access. Finally, these top-tier organizations were 45% more likely to execute vital security functions in-house as opposed to outsourcing such responsibility. Conversely, they were more likely to have outsourced network analysis and visibility.
Indeed, partner relationships are in many instances important, and on occasion even essential. However, a careful approach to granting appropriate access, making the best outsourcing decisions, and identifying situationally ready partners are vital to securing OT systems amid digital transformation.
The Near Horizon
Those responsible for managing and maintaining critical infrastructure have a complex role to play due to IT/OT convergence. With diminished reliance on the air gap, and an expanding threat landscape, new challenges will necessarily lead to new security priorities. Organizations engaged in digital transformation will need to pay greater attention to the latest cybersecurity trends and make intelligent security investment decisions to ensure a secure migration to this new converged IT/OT business model.
About the author
Rick Peters is the CISO for Operational Technology, North America for Fortinet Inc., delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global OT marketspace. That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities.