Industrial Cyber Security: Why IT & OT collaboration is no longer an option but a necessity
Since the mid-1990s, many industrial companies have interconnected their industrial control systems (ICSs) to improve productivity, maintenance, and safety in the operational environment. Some of this interconnectivity was to the Internet. While, this connectivity helped to improved the efficiency, security was at best a minimal consideration. The lack of adequate security planning has resulted in the increased attack surface and resultant cyber attacks. In addition to the lack of security consideration, there was lack of collaboration between ICS Operational Technology (OT) – (the term “OT” didn’t exist at that time) and Information Technology (IT). The situation is very different today than it was in the 1990s or early 2000s:
- companies want to speed up and increase the connectivity between IT and OT to continue the business productivity improvement,
- hackers (individual or state sponsor) are now explicitly eyeing ICSs for damage and extortion, and
- the need to collaborate between IT and Operations (not just the term “OT”) is not just important, but necessary. This collaboration is important because IT security has the security knowledge, but OT has the domain expertise and understanding of how new security technologies may affect the operational systems (essentially hacking your own systems). It is also critical to include the C-Level who need to consider security in the overall business plan as well as to assure that IT and OT are working seamlessly together.
Currently, in the industrial environment, many people equate network anomaly detection (malware) to cyber security. Moreover, many people associate network anomalies to physical process anomalies. However because of the lack of authenticated, secured process sensing (e.g., pressure, level, flow, temperature, voltage, current, radiation. etc), it is not possible to correlate physical process anomalies (e.g., changes in boiler temperature, pipe pressure, tank level, voltage, etc.) to network anomaly detection (e.g., malware, network packet compromise, etc.). The lack of correlating network anomalies to process anomalies has led to self-inflicted denial-of-service disruptions. We believe that having an informed decision as to when to shut down a physical process occurs when you have a view of the actual process via the raw process sensing. This is because the raw process sensing will indicate a process change regardless if the change is from unintentional or malicious reasons. Moreover, viewing the raw process is independent of network cyber considerations. Given how sophisticated hackers are able to bypass cyber security protections such as CrashOverride, viewing the raw process becomes even more important. Consequently, there is a need to coordinate network anomaly detection (more of an IT function) with process anomaly detection (OT Operations function).
With IIOT we are in a very uneven battle. ICSs were not made to be cyber secure and often cannot be upgraded to provide what many in the cyber security community would consider to be a minimal level of protection. On the other hand, the hackers (individual and state sponsored) are dedicated to finding and exploiting vulnerabilities and have been given access to the latest zero-day exploits. As we believe it is a losing battle to secure ICSs, we need to be able to detect cyber attacks that affect operational system performance and we need to have a resilience/recovery plan. This has been demonstrated in the Ukraine with the ability to operate the systems in manual operation for an extended period of time. We also need to reconsider whether critical control and/or safety systems should be connected to the Internet. If control and/or safety systems are connected to the Internet, there’s a need to provide some base-line cyber security controls and security policy to minimize the potential impact from any cyber attack due to this connectivity.
Regardless if your company is an industrial, commercial, or healthcare company deploying IIOT devices, we highly recommend you consider cyber security strategy and planning as an overall organization responsibility, starting from the top, with coordination across the IT and OT environment.