OT Cybersecurity: Different Space, Different Solutions
Operational Technology (OT) is a category of computing and communication systems that manage and control industrial operations with a focus on the physical devices and processes they use. But with the evolution of manufacturing — including industrial transformation and Industry 4.0 — the need for OT cybersecurity has never been greater.
For decades, OT has relied on computers to monitor or change the physical state of a system. OT covers a wide range of computing systems that manage industrial operations, monitoring pipelines and utilities, manufacturing, and more. For example, OT includes the industrial control system (ICS) used to oversee and guide production in a steel plant. In manufacturing facilities they’re seen as essential to ensure the repeatability of assembly lines.
Traditionally, OT was air-gapped or siloed, meaning it operated without being connected to external networks or digital technology. For example, a simple Windows 95 box could be used to guide and direct a multi-million dollar press in a manufacturing environment. Massive equipment, maintained and monitored by OT, is built for duty cycles spanning decades — not years. You wouldn’t replace that Windows 95 computer running the press because that would mean replacing expensive equipment essential to the business.
However, the IT/OT convergence has merged the two traditionally separate realms. IT and OT networks are becoming interconnected, opening the doors for more solutions, convenience, and efficiency in managing OT components. That air-gapped OT machine running your press is now connected to the outside world — through your corporate network and/or the internet — and can be accessed remotely or provide real-time updates for monitoring performance.
But introducing OT components to your corporate IT network, the cloud, and the internet at large introduces a new landscape of cybersecurity threats that didn’t have to be considered before. This dramatically increases the risk for organizations reliant on OT.
And the threats have proliferated over the last decade. The Colonial Pipeline attack in 2021 was the most visible recent assault on OT, and indicates the potential for massive disruption from such vulnerabilities. The ransomware attack caused a five-day shutdown of pipeline operations that supplied gasoline and jet fuel to the U.S. Eastern Seaboard. Although Colonial paid the $4.4 million ransom almost immediately (this doesn’t include the company’s total cost in response or potential fines), the shutdown’s effects rippled much longer and led to massive shortages. It’s considered the largest cyberattack on an oil infrastructure target in U.S. history. The incident certainly raised the profile for the need for OT cybersecurity and has put it in focus for manufacturers, and their leadership, across the country.
OT Cybersecurity Involves Different Priorities
It’s important to remember that IT and OT, while similar, are not identical. They operate in different environments, serve different purposes, and have different goals.
- While IT is concerned with system uptime as well, it primarily deals with data and prioritizes keeping it secure. For OT, however, the priority is the safety and availability of equipment and processes.
- IT incidents tend to be more frequent, but OT incidents are more disruptive. While OT tends to have fewer gateways or access points, the loss of key production equipment, even for a few days, can be crippling for a manufacturer.
- IT security updates are common, and components have relatively short life spans. IT security patches can come on weekly, or monthly, cadences. Since patching OT components can require complete shutdowns that halt production — and some OT operates on a 24x7x365 schedule with no planned maintenance periods — businesses running OT networks rarely patch their components, if at all.
- OT systems are designed with duty cycles of decades, and often run outdated, delicate software that will crash if basic vulnerability scans and other typical network traffic reaches it.
IT and security personnel are in tune with the vulnerabilities in their environment and have developed proven processes and protocols for safeguarding IT systems. However, these solutions don’t translate seamlessly into OT cybersecurity.
For OT, it’s essential the machinery and equipment remain operational. They fuel the production that powers the business and company. Frequent patches aren’t possible, either due to the technology in question or the stoppages necessary to implement them. OT doesn’t have established regular maintenance cycles or built-in redundancies — unlike IT. Massive investments in equipment, and the tools used to control them, mean they are not easily swapped out for more secure options.
Solving OT cybersecurity issues and developing plans for such environments require a different toolkit and approach for the security experts operating in this space.
Tools for Improving OT Cybersecurity
Improving your security posture surrounding OT elements in your organization isn’t as simple as hiring a security expert or settling on a new product. The first step is to work with a partner on the OT side who understands that aligning expectations and building dialogue between OT and IT is paramount to success — and who will work to bring both sides together. IT personnel will know how to implement the needed security improvements. By bringing OT personnel to the table, you can identify key windows when new patches or solutions could be implemented without impacting the business. You can also highlight critical periods when testing should NOT be attempted.
Remember, OT cybersecurity requires different policies. IT solutions can be quickly adopted, but OT requires a slower, more careful approach to avoid disruption and costly offline time. You can’t rely on the same end-point security tools, or rapid-fire patching and updates. Even the implementation of pen tests in OT environments should be undertaken with extreme care. While these steps might be usual or expected for IT, they have the potential to disrupt or break essential processes in an OT environment. This leads to more internal pushback, a loss of credibility, and a likely worse security state than before.
By brokering discussion between all parties, the right security partner can then help craft a full game plan for tackling OT cybersecurity concerns.
Get an Awareness of What You Have
Feedback from OT personnel — the people who run and operate the plant equipment — is critical here. You can conduct network and physical audits or inventories to see what elements exist, how critical they are, and learn about potential opportunities to address the vulnerabilities present in the environment. Vulnerability scans, carefully conducted (remember existing IP stacks might be 20-30 years old), can provide visibility. Plan to use different policies for OT environments, scaling back more aggressive checks and limiting the number of concurrent connections made to systems to limit potential impacts.
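To make the two points above concrete — agree scan windows with OT, and scale back the scan profile and concurrency for fragile assets — here is a small scan gate written as an added example for this article. It is not Inversion6 code or a scanner of any kind: the asset list, the maintenance windows, the profile thresholds (a stack 20 or more years old gets passive discovery only) and the simulated probe are all constructed for illustration, and the concurrency cap is enforced with a thread pool so it can be checked directly.

```python
"""Added example (not from the original article): an OT-aware scan gate.

It models two precautions for scanning OT: choose the least intrusive
profile per asset (very old IP stacks get passive discovery only, critical
assets get a single connection at a time) and refuse active probing outside
the maintenance window OT agreed to. All assets, windows, thresholds and the
probe itself are constructed assumptions, not vendor guidance.
"""
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Asset:
    name: str
    ip: str
    criticality: str          # "high" = production-critical, "low" = tolerates probing
    stack_age_years: int      # age of the device's IP stack; old stacks crash on noisy scans
    windows: list = field(default_factory=list)   # (weekday, start_time, end_time) tuples


# Illustrative profile limits; an "active_probes" of False means listen only.
PROFILES = {
    "passive":      {"active_probes": False, "max_parallel": 0},
    "conservative": {"active_probes": True,  "max_parallel": 1},
    "standard":     {"active_probes": True,  "max_parallel": 4},
}


def choose_profile(asset):
    """Least intrusive profile that still gives visibility (thresholds assumed)."""
    if asset.stack_age_years >= 20:
        return "passive"              # 20-30 year old stacks: never probe actively
    if asset.criticality == "high":
        return "conservative"
    return "standard"


def in_window(asset, when):
    """True if `when` falls inside one of the asset's agreed maintenance windows."""
    return any(when.weekday() == wd and start <= when.time() <= end
               for wd, start, end in asset.windows)


def plan_scan(assets, when):
    """Map asset name -> profile, or 'skip' when active probing is not allowed now."""
    plan = {}
    for a in assets:
        profile = choose_profile(a)
        if PROFILES[profile]["active_probes"] and not in_window(a, when):
            plan[a.name] = "skip"     # active checks only inside the agreed window
        else:
            plan[a.name] = profile
    return plan


def run_probes(targets, max_parallel, probe):
    """Run probe(target) with at most max_parallel in flight.

    Returns (results, peak_in_flight) so the concurrency cap can be verified.
    """
    lock = threading.Lock()
    state = {"active": 0, "peak": 0}

    def guarded(t):
        with lock:
            state["active"] += 1
            state["peak"] = max(state["peak"], state["active"])
        try:
            return probe(t)
        finally:
            with lock:
                state["active"] -= 1

    with ThreadPoolExecutor(max_workers=max_parallel) as pool:
        results = list(pool.map(guarded, targets))
    return results, state["peak"]


def scan_asset(asset, plan, targets, probe):
    """Apply the plan: None when skipped or passive, else (results, peak) under the cap."""
    profile = plan[asset.name]
    if profile == "skip" or not PROFILES[profile]["active_probes"]:
        return None
    return run_probes(targets, PROFILES[profile]["max_parallel"], probe)


# Constructed inventory: Sunday 02:00-06:00 is the agreed window for the PLC,
# the historian may be probed any time on Sunday, the 28-year-old HMI never.
SUNDAY = 6
ASSETS = [
    Asset("press_hmi", "10.10.1.5", "high", 28),
    Asset("plc_line2", "10.10.1.20", "high", 8, [(SUNDAY, time(2, 0), time(6, 0))]),
    Asset("historian", "10.10.2.40", "low", 3, [(SUNDAY, time(0, 0), time(23, 59))]),
]


def fake_probe(port):
    """Simulated probe (no network): pretends 502 and 102 answer."""
    threading.Event().wait(0.01)
    return port, "open" if port in (502, 102) else "closed"


if __name__ == "__main__":
    when = datetime(2024, 6, 2, 3, 0)          # a Sunday, inside the PLC window
    plan = plan_scan(ASSETS, when)
    print(plan)
    for a in ASSETS:
        print(a.name, scan_asset(a, plan, [102, 502, 20000, 44818], fake_probe))
```

Running it on a Sunday at 03:00 plans `press_hmi` as passive, `plc_line2` as conservative (one connection at a time) and `historian` as standard; on a Tuesday the two active assets are skipped outright, which is the behaviour you want when a scheduled job drifts outside the window OT signed off on.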
Develop Strategies to Account for Vulnerabilities
After getting a thorough understanding of the environment, solutions can be created. Some equipment may be able to be patched. Other components may be near end-of-life and can be managed until they’re replaced. Problematic elements that must remain as-is for production can be segmented on the network. Remote access tools that are not needed can be turned off. How these methods are applied tends to be different in every environment. Develop your list of options and an approach that works best to balance security and availability in your own business.
A standard model for remote access can greatly improve OT cybersecurity. Eliminate remote access methods that IT doesn’t know about, such as vendor-managed access. Create one or two solutions for access and funnel all requests for access through them. Make an employee responsible for monitoring that access when it’s granted. It’s common for the vendor to be the subject matter expert (SME), and for employees to be used to taking direction from them. However, it needs to be clear that even though they aren’t the SME, the employee is responsible for the actions the vendor takes, and that access isn’t left open when it’s not being used.
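The remote access model just described — one funnel for requests, a named employee accountable for each session, and no session left open when idle — can be expressed as a small ledger. The following is an added example for this article, not Inversion6 code or any product’s API; the grant lengths, the idle limit, the vendor and asset names and the timestamps are all constructed assumptions, and it shows how an idle or expired vendor session gets closed automatically and recorded against its owner.

```python
"""Added example (not from the original article): a minimal remote-access
ledger for the "standard model" of vendor access. Every session is requested
through one broker, carries an accountable employee owner and an end time,
and is closed automatically when it expires or sits idle. Limits, names and
timestamps are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    grant_id: str
    vendor: str
    asset: str
    owner: str                       # employee accountable for what the vendor does
    starts: datetime
    expires: datetime
    last_activity: Optional[datetime] = None
    closed: bool = False


class AccessBroker:
    """The single channel all vendor access goes through (assumed limits)."""
    MAX_DURATION = timedelta(hours=8)      # no open-ended grants
    IDLE_LIMIT = timedelta(minutes=30)     # close sessions nobody is using

    def __init__(self):
        self.grants = {}
        self.audit = []                    # (when, grant_id, event, owner)

    def request(self, grant_id, vendor, asset, owner, starts, hours):
        """Issue a time-boxed grant; refuse one with no accountable employee."""
        if not owner:
            raise ValueError("every grant needs an accountable employee")
        if timedelta(hours=hours) > self.MAX_DURATION:
            raise ValueError("grant exceeds the maximum session length")
        g = Grant(grant_id, vendor, asset, owner, starts, starts + timedelta(hours=hours))
        self.grants[grant_id] = g
        self.audit.append((starts, grant_id, "granted", owner))
        return g

    def activity(self, grant_id, when):
        """Record vendor activity; False (and an audit line) if the grant is closed or expired."""
        g = self.grants[grant_id]
        if g.closed or when > g.expires:
            self.audit.append((when, grant_id, "denied", g.owner))
            return False
        g.last_activity = when
        return True

    def sweep(self, now):
        """Close expired and idle grants; return the ids closed so the owner can be notified."""
        closed = []
        for g in self.grants.values():
            if g.closed:
                continue
            last = g.last_activity or g.starts
            if now >= g.expires or now - last >= self.IDLE_LIMIT:
                g.closed = True
                reason = "expired" if now >= g.expires else "idle"
                self.audit.append((now, g.grant_id, reason, g.owner))
                closed.append(g.grant_id)
        return closed

    def open_sessions(self):
        return [g.grant_id for g in self.grants.values() if not g.closed]


if __name__ == "__main__":
    # Constructed scenario: a vendor works for ten minutes, then walks away.
    broker = AccessBroker()
    t0 = datetime(2024, 6, 3, 9, 0)
    broker.request("G1", "press-vendor", "press_line1", "j.doe", t0, 4)
    broker.activity("G1", t0 + timedelta(minutes=10))
    print(broker.sweep(t0 + timedelta(minutes=20)))   # [] - still within idle limit
    print(broker.sweep(t0 + timedelta(minutes=45)))   # ['G1'] - idle 35 minutes, closed
    for line in broker.audit:
        print(line)
```

The audit list is what the responsible employee reviews: every grant, denial and automatic closure is tagged with the owner’s name, so “the vendor left it open” is no longer an anonymous finding.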
Experience is the Inversion6 Difference for OT Cybersecurity
Inversion6 is uniquely positioned to address OT cybersecurity issues for manufacturers and production environments in Northeast Ohio, and beyond. Inversion6 has decades of experience and industry experts who provide the insight needed to find the solutions to improve your security profile — without negatively impacting your production. Every CISO at Inversion6 has been a security and IT executive in a manufacturing company with an OT component.
At Inversion6 we understand that your MSSP needs to be a facilitator and not dictate IT solutions in an OT environment. We’re comfortable with, not intimidated by, the challenges of OT cybersecurity. We know how to navigate those challenges, what questions to ask, and where to push — and not to — when it comes to raising the bar for security. Combined, our team has the practical experience to cover virtually every industry. We know what’s worked, what’s critical to consider, and how to expand your internal communications to help build consensus.
Inversion6 is the proven risk management provider that brings a full suite of information security services to help you define your strategy, deploy the right technology and protect you from malicious attacks. From fractional CISOs to full-service MSSP, we partner with you to protect your business at every level.