As organizations make their operations more agile in response to a quickly evolving marketplace, many operational technology (OT) systems are being connected to the outside world for the first time. This trend promises great benefits for organizations, but also directly exposes OT systems to cyber threats they were never prepared to address.
Historically, OT has generally operated autonomously and fully isolated both from the internet and the IT network. This isolation has been known as the “Air Gap” that traditionally – and perhaps, questionably – protected OT systems from reconnaissance, hacking attempts, and other malicious activities. In most organizations today, however, this Air Gap is now considered history. And where it is still operational here and there, it is certainly prone to security holes as a result of the increased number of connectivity vectors in place today. Consequently, adversaries are increasingly targeting OT systems.
As OT systems become more connected, this trend of increased attacks seems likely to continue. New levels of exposure for critical systems require organizations to adhere to more rigorous security operations and life-cycle management best practices, enabling them to protect their organizations from major threats to the core of their business. As a result, OT and IT teams need to come together to respond comprehensively and cohesively to this increasing threat.
While convergence provides clear benefits, the decline in the use of the Air Gap, and the tendency for OT to adopt IT solutions and protocols, exposes critical systems to cyber threats across a far broader spectrum than ever before. Using common and consistent security measures as part of any convergence strategy is a good business approach. Indeed, taking such an approach to convergence efforts provides effective monitoring, faster incident response, and thorough process control, to name just a few advantages, as well as significant cost savings through a unified converged infrastructure.
However, one of the industry’s main challenges is that the operational life span of provisioned OT systems is far greater than in any IT environment. As a result, you’ll find unpatched and unsupported technologies sometimes years or decades old, which are now being exposed to the outside world for the first time.
A brief glimpse into the scale of this issue is worth considering. According to a recent Fortinet commissioned survey conducted by Forrester Consulting:
Recently, FortiGuard Labs conducted a thorough analysis of malicious ransomware built for and targeting critical infrastructures. At the time, LockerGoga was a new ransomware family that had been detected successfully attacking industrial companies, sometimes severely compromising their operations. Interestingly, there was little about LockerGoga that set it apart from other ransomware in terms of sophistication, other than its focus on OT systems. But while most ransomware tools rely on some level of obfuscation to avoid detection, when FortiGuard Labs analyzed LockerGoga patient zero, they discovered that it used little if any obfuscation. The developers knew that the environments they were targeting generally had no ability to detect malware. This should be taken as a clear statement on the state of – and general lack of – appropriate cyber security measures in place within the OT sector.
Cybersecurity factors are controllable in an OT network; however, organizations need to build an integrated team, using a member from both IT and OT, with the authority to decide upon risks and the measures required to control them. This is borne out by the same Forrester study cited previously: 58% of respondents believe that clear and regular communication from a central management team is essential for ensuring a successful IT/OT convergence. Of course, some aspects of unified teamwork might be slightly more difficult due to clearly different – and sometimes oppositional – objectives between teams. (For example, while confidentiality is the top concern for IT systems in order to protect data, and occasional systems downtime is expected, this is the reverse for OT networks, where uninterrupted availability is mission-critical.) At such times it is important for teams to not only communicate effectively, but also listen carefully, remembering that the only constant in life is change.
IT/OT convergence is key for organizations to meet evolving business demands, establish enterprise agility and maintain a strong cybersecurity profile. And that convergence cannot be successful without full cooperation, and compromise, between the IT and OT teams. The goal of converging IT and OT is to strengthen the entire organization. Achieving this requires finding ways to address the differences between IT and OT environments while enabling modern technology capabilities to support digital innovation, with both agility and security as common objectives.
Rapidly embracing today’s cyber security technologies should be a top priority for decision makers. However, before the demands of competing in a digital marketplace began driving the need for agility and performance, security was often only applied as an afterthought.
Organizations that take that approach today expose themselves to serious risk. Therefore, thinking, planning, and implementing a convergence strategy, with a common and unified cybersecurity framework at its core, will enable systems owners to confidently move forward towards a converged infrastructure while sustaining safe and continuous operations.
Note: Commissioned study conducted by Forrester Consulting on behalf of Fortinet, October 2019. The survey included 459 IT and OT decision makers responsible for ICS at industrial enterprises with 1,000 employees or more (automotive, transportation, manufacturing, maritime, and aviation engineering) in Europe and India.