Protecting Traditional Stand Alone OT Systems As They Are Introduced To The IIoT
Re-Emagineering the Cybersecurity-Driven Convergence of OT to IIoT
The exploitation and sabotage of resources has been a concern to mission-critical operations since the dawn of the industrial age. With the advancement of Information Technology (IT), opportunities to compromise, corrupt and disable networks and systems have grown exponentially, spurring the development of new malicious mechanisms.
Although the first Cybersecurity patent dates to the early 1980s, the enablement of business needs and the protection of mission-critical operations are increasing priorities for National Security, Intelligence Agencies and commercial businesses.
Where Cybersecurity within the IT sector has seen exponential growth over the last three decades, security of traditionally standalone, non-connected systems in the Operational Technology (OT) space, for example Industrial Control Systems (ICSs), Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCSs), Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), continues to lag due to the typically independent, stand-alone nature of their use and functionality. This is changing rapidly with the huge rise in acceptance of OT systems being connected to the Industrial Internet of Things (IIoT).
During the past decade, there has been a dramatic increase in the demand for connected OT utilization, with multiple deployments of advanced technologies requiring connectivity for operations and maintenance of equipment. This use of IT-enabled OT systems and components has led to increased vulnerabilities, where the security characteristics arising from the convergence of IT and OT have exposed new opportunities for cyber-attacks.
In fact, in July 2020, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) issued an alert to American corporations that they should take immediate actions to reduce vulnerabilities and exposure across all of their OT and ICSs. This advisory stated:
“Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against Critical Infrastructure (CI) by exploiting Internet-accessible Operational Technology (OT) assets. Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression.”
This critical warning establishes a call to action for United States (US)-based Utility companies that do not adhere to federally regulated security guidance, leaving much of their Critical Infrastructure (CI) potentially compromised. The implementation of Cybersecurity approaches and the prevention of vulnerability exploitation are among the largest concerns for most CI manufacturers, policy developers, and Federal leadership.
Connectivity and Critical Infrastructure
Now, imagine a CI manufacturer or a Utility supplier that does not clearly understand the security implications for critical services, such as energy, water, and/or food. Imagine unintentionally, or intentionally, propagating a virus on a large-scale complex system that supports our transportation, communications, and/or emergency services infrastructures, and not knowing or understanding the multiple vulnerabilities opportunistic hackers can exploit on our operational network through our Defense Industrial Base (DIB). This is why applying the maturity and automation of Cybersecurity to CI could provide comprehensive identification and assessments of vulnerabilities, while fostering a security and risk culture among Federal, State and Local decision-makers. This not only includes protection from inappropriate access to CI systems, but also the reduction of data disclosure, compromise, and/or loss through the optimization of these assessments via automation.
“Energy companies rely on operational technology to control the generation, transmission, and distribution of power. While there are a number of useful products available to monitor enterprise networks for possible security events, these products tend to be imperfect fits for the unusual requirements of ICS networks.”
To address Cybersecurity concerns in the OT/CI sector, the following questions should be addressed when considering any future deployment:
- What are the relevant components within the OT and CI?
- How are they connected?
- What data is stored and/or in transit between each component and any external entities?
- What are the risks, threats, and vulnerabilities within the system?
- Where do you find them?
- How are they uncovered?
In conclusion, Cybersecurity within the IIoT sector requires significant consideration and investment due to the real potential of releasing cyberattacks into the defense, energy and commercial sectors through the connection of traditionally stand-alone and isolated OT/CI systems.
About the Authors
Steven Seiden is the president of Acquired Data Solutions. The company has over 20 years’ experience providing technology solutions for the engineering life cycle to government agencies and the commercial sector. To learn more, visit www.acquiredata.com.
Leighton Johnson, CISSP, CISM, CMMC-AB Provisional Assessor L-3, is a senior cybersecurity engineer at Acquired Data Solutions and has over 40 years of experience in computer security, IT and cybersecurity.
Dr. Tony Barber, CSEP, RMP, is a system engineering executive at Acquired Data Solutions and has over 20 years of experience in system engineering, cybersecurity and IT.
Djenana Campara is president of KDM Analytics. She has more than 30 years of experience in software and security. To learn more, visit https://kdmanalytics.com.