Digital Transformation and Industry 4.0 are driving the need for IT/OT collaboration in industrial companies, making an integrated SOC a strategic initiative for many.
“There is going to be a whole different set of challenges for Factory 4.0 and beyond that traditional OT SOCs aren’t going to be able to manage”
In 2019, the SANS Institute released the results of a survey looking at security operations centers. SOCs are the backbone of an organization’s cybersecurity efforts. They’re tasked with continuously monitoring and improving an organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
However, according to the SANS report, budget and staffing constraints often mean that SOCs focus solely on IT systems, leaving operational technology or other specialized systems behind. In fact, only 10 percent of survey respondents said they have all of their smart systems covered by the SOC.
Threats to industrial control systems and OT continue to rise. According to an IBM report, 2019 saw a 2,000 percent increase in incidents targeting OT. Yet SOCs at some organizations fail to protect industrial components.
In an effort to fill the gap, many organizations have turned to OT SOCs. These SOCs specialize in preventing, detecting and responding to cybersecurity threats and incidents in OT environments. Another SANS survey from 2019 found that 25 percent of organizations had a SOC for OT and control systems, while 31 percent said they wanted to add this technology in the next 18 months.
While OT SOCs fill a need, Nozomi Networks Product Evangelist Chris Grove says they’re not the future of cybersecurity for OT environments. In order to be effective, he says today’s organizations need an integrated SOC.
“If we start building today and we have greenfields to work with, we’re not going to build an IT SOC and an OT SOC,” Grove says. “We’re going to build one SOC and it’s going to handle the IT/OT convergence. The OT SOC was really important to fill a specific need that was not being addressed and since then things have changed. The world has matured.”
OT environments have come a long way in recent decades. For many years, industrial systems relied upon proprietary protocols and software with little to no connection to the outside world. There was minimal integration with IT systems and as such IT security personnel often had little knowledge of OT systems.
“Back in the day when OT SOCs were really a distinguished different entity, it was mostly because the IT SOC folks didn’t have the skillset or knowledge to handle the differences between the two,” Grove says. “It’s different. The risks are different. It’s human lives. You might have to evacuate a small city.”
During his nearly 30 years in cybersecurity, Grove has seen the differences between IT and OT environments first hand. From protecting online casinos and missile silos, to protecting healthcare data and election integrity, he’s worked in a wide range of sectors.
“It’s one thing if your Twitter app goes down, but it’s another thing if the power goes out. [In OT security,] you’re actually protecting the fabric of society,” Grove says. “[Industrial cybersecurity is] everything–from transportation systems, to water, the power, the goods we buy, the cars being manufactured.”
However, while there remain vast differences between IT and OT cybersecurity, today, most cyber attacks on OT environments actually originate on IT networks. That’s one of the reasons Grove says an integrated SOC is so important.
“I think what’s important to distinguish is there’s going to be different answers for different verticals,” Grove says. “But in general if today, you’re building from scratch, you would think about where you’re going to be in 10 years and in 10 years, you’re not going to want two different SOCs, you’re going to want one.
“There are distinguished use cases where an OT SOC is really required. For companies that are very disconnected between a headquarters OT team and distributed oil pipelines all across a continent, they might have a need today, but they would probably even take the route of going towards a more integrated SOC.”
In order to be effective, Grove says an integrated SOC starts with good leadership and an established set of businesses drivers. He says organizations must fully grasp the impact of OT to protect it.
“Everything on OT is proprietary in nature and there’s a physical impact to decisions being made and there’s also a lot of plant level, or facility, or process type knowledge required to understand whether or not something’s actually important,” Grove says. “It’s a different kind of thing so the terminology and mindset has to change from a pure IT mentality.”
Now many OT environments find themselves in the midst of digital transformation efforts that go way beyond an influx of IT and that transformation is poised to advance at a rapid pace in the next decade. In a 2018 Deloitte survey of 361 executives in manufacturing, power, oil and gas, and mining, nearly all indicated that digital transformation is a top strategic objective for their organization.
“There is going to be a whole different set of challenges for Factory 4.0 and beyond that traditional OT SOCs aren’t going to be able to manage,” Grove says. “It’s going to take a convergence of cloud mentality, data center mentality, OT mentality, and it’s going to require some theological changes. I think we have to give up the idea that we can wrap our arms around all of our assets and secure them like we used to.”
That’s why Grove says an integrated SOC is key. Not only is it more cost effective to have an integrated SOC, but Grove says an integrated SOC is necessary to deal with the challenges of technologies like the Internet of Things, industrial IoT and 5G.
“OT doesn’t necessarily address IoT and that’s becoming more prevalent in OT,” Grove says. “Also with the advent of 5G, that’s going to really change everything. All of this equipment is coming out with 5G stuff in it and that’s going to require a whole different mindset like cloud computing brought to cybersecurity.”
Grove says the shift toward an integrated SOC that encompasses various kinds of technology mirrors trends in the cybersecurity market as a whole.
“The tools and the space are migrating in that direction also,” Grove says. “You have big companies like Microsoft trying to move to OT. You have companies in OT trying to move to IoT, and you have IoT players trying to move around to OT and IT.”
Nozomi Networks’ industrial cybersecurity solution is designed to help organizations manage cyber risk and improve resilience. Their platform provides real-time ICS monitoring, hybrid threat detection, process anomaly detection, industrial network visualization, asset inventory, and vulnerability assessment.
“We help these facilities increase their cybersecurity posture as well as monitor the systems, looking for attacks and anomalies,” Grove says. “We go into these industrial facilities and provide a set of features that weren’t there before.”