According to a 2020 report by Deloitte, 90 percent of companies in the operational technology sector have reported at least one security compromise to their infrastructure in the previous two years resulting in the loss of confidential information or disruption to operations. Additionally, 97 percent of companies say that many of these security challenges were the direct result of their IT-OT convergence efforts.
“The blurring of the lines between IT and OT is not slowing down at all,” says Paul Brager, director of global OT security programs, Baker Hughes. “The connectedness of assets is going to continue to increase. The threats are going to continue to increase as well.”
Brager has 30 years of experience in OT cybersecurity. His expertise is born out of decades spent finding ways to secure OT assets in increasingly at-risk industrial environments. Now, he specializes in building and designing security systems and architectures to support IT-OT convergence efforts.
“I started working in environments where we were getting requests to connect these assets that were traditionally not designed to be connected to the internet,” Brager says. “We had to come up with creative ways to do that while protecting assets that were incapable of protecting themselves.”
According to Brager, OT assets present unique challenges that make them susceptible to attack. Many of these assets were designed and built to last for decades, which can make them vulnerable.
“All assets in OT aren’t created equal,” Brager says. “Many of them have proprietary operating systems. They have operating systems that are outdated, that there are no commercial patches for. Many of them have legacy hardware that there aren’t drivers for anymore. Many of them have components that were manufactured by entities that no longer exist.
“There’s absolutely significant risks around some of these assets, particularly when you start trying to connect them. If those assets have minimal security controls they can be damaged very easily and very quickly and subsequently impact whatever production they’re driving and ultimately impact the bottom line of the organization.”
Much has changed since Brager first started working with OT assets. While IT-OT convergence efforts have increased the connectedness of OT assets, he says these assets are increasingly being designed to be more inherently secure.
“There are a lot more capable assets that are able to provide a lot more information around how they’re operating and other data points that are useful for analytics and visualization,” Brager says. “The connectedness of these assets has increased pretty significantly. In some asset classes, you’re seeing a stronger security presence. They’re starting to shift toward having stronger security postures. From an industry perspective, we’re seeing movement toward attempting to secure some of these assets, but that wasn’t the case years ago when this phenomenon first hit the mainstream.”
Despite these improvements, Brager says digital transformation initiatives and the increasing incorporation of industrial Internet of Things devices in OT environments are putting OT organizations at increased risk.
“You now have this exploding attack surface that not only involves an IT-OT environment separated by a firewall, but sensors, gateways and other devices that are providing telemetry data out of industrial environments into public clouds and other parts of the internet,” Brager says. “The more that happens, the more expansive the attack surface becomes.”
Brager says secure remote access for vendors is one area industrial organizations should be investing in. He says the COVID-19 pandemic has further exacerbated issues with remote access because its use in industrial environments has increased.
“In many of these industrial environments, some of these machines are very large. They can be the size of half of a football field or larger. Oftentimes, there are third parties that are monitoring and managing those assets and they have to be able to do so remotely,” Brager says. “Those remote connections are vectors for the attack of those assets. The remote access components of IT-OT convergence certainly need a lot more attention.”
In order to protect industrial environments amidst IT-OT convergence efforts, Brager recommends organizations adhere to the ISA/IEC 62443 series of standards, developed by the ISA99 committee. These standards involve segmentation, network separation between traditional IT and OT, deploying controls to manage the attack surface, and increasing visibility.
“At the end of the day what you’re trying to do is reduce the attack surface and make compromising these different assets as difficult as humanly possible,” Brager says. “The strategies you use are closely linked to the type of environment it is, but there are some universal things you can do.”
Despite the challenges IT-OT convergence efforts present for industrial environments, Brager says organizations are seeing exponential benefits. Moving forward, he says organizations will need to make cybersecurity a priority in line with that transformation.
Luckily, many organizations seem to be doing just that. According to the Deloitte report, securing OT or ICS was ranked high in cyber leaders’ digital transformation initiatives for the next 12 months.
“On one hand it’s exciting to see technology being leveraged the way that it is. The access to information and data that we historically didn’t have, and that data being at your fingertips allows us to make real-time decisions around manufacturing processes,” Brager says. “But with all of that power and access comes a lot of responsibility. Security in any industry is typically lagging. Technology often outpaces security’s capacity to protect. So I would caution everyone as they’re going down their IT-OT convergence journey to make sure you understand clearly how your industrial environments can be interacted with and from where because that’s going to help you manage your attack surface overall.”