The IoT genie is out of the bottle. With 5G access on the horizon for Australians, its last remaining hurdle to becoming a ubiquitous technology for businesses is being overcome.
Integrating Operational Technology (OT) with IT will provide far greater insight and control over operations for business decision makers. It will bring a wave of efficiency that will be very tempting to almost every business with physical assets (e.g. utilities and manufacturing). The writing is on the wall, so we should prepare ourselves as a profession for what this integration will entail and identify where new thinking is needed to make it work.
Hundreds of devices that have been considered standalone and therefore out of scope (and out of mind) will suddenly join the network, opening up a new frontier that traditional approaches to security will struggle to overcome.
There are a number of reasons why this challenge will be like no other faced by the profession. The obvious first point is that OT devices are physical and sit outside the traditional IT network. These realities mean an attacker is more likely to gain access to poorly secured or unsecured OT assets, creating pathways into more critical IT systems via the IP connections these OT devices rely on.
Non-standard operating systems used by connected machinery compound the problem - there will likely be a lack of regular security patching, combined with standard IT tools being incompatible. Preventing malicious actors from making the ‘jump’ from OT to IT (where the real sensitive data resides) will be key to securing organisations living in the connected IT/OT paradigm. The people currently responsible for this equipment (both maintenance and operations) typically operate under a completely different set of policies and motivations to cybersecurity professionals.
In short: The OT team may not consider a ‘minor system’, e.g. one that logs employee time at the plant, worthy of much attention. Increasingly, attackers are realising they will succeed by moving laterally through a network. This change in tactics to target ‘east-west’ network traffic has meant we have to expand what we view as the traditional ‘perimeter’.
This raises the priority of minor threats significantly. They can and will be used to get at the main prize. Modern attackers are patient too - often spending months (146 days on average) moving laterally inside data centres and cloud environments, undetected, until reaching their goal.
Worse, there will be a lot of new OT devices. Not just the large visible machinery - individual valves, pumps, switches etc. will be added to the network. That’s a lot of new opportunities attackers could use to gain access to other more valuable areas of the network.
If you were to attempt to tackle this kind of challenge using only traditional security approaches, you would struggle to succeed.
Now that we understand the scope and nature of the problem, the first step is to address the human side of the challenge by creating policies that clearly delineate responsibility between the OT staff and the IT teams.
Once policy is defined, it’s showtime. Given the size of the ‘new perimeter’ and the difficulties in securing OT running on obscure and outdated operating systems, tight control of boundaries within the network should be the first step. Work to map out your network in as much detail as possible - you cannot protect what you cannot see.
The second step is to accept that breaches are virtually inevitable.
This is not to be defeatist. The mix between human and technological challenges that IT/OT integration brings is as close to a perfect storm for attackers as it gets. So, we should plan for this eventuality.
Security-segmentation technology was developed as the only logical response to this kind of threat. Think of it like a submarine: when a submarine’s hull is damaged, watertight doors on either side of the section are sealed, and so the flow of water is limited. This lets the submarine continue, instead of sinking.
Security-segmentation provides the same effect, but for a network. It compartmentalises the high-value areas of your network away from the low-value areas (where your would-be intruders will start from).
This way, when a small pump in a forgotten area of the plant is breached, an attacker’s ability to laterally move within your network is dramatically curtailed. Through security-segmentation, they may get access to mostly useless data in a low-value network, but won’t be able to use this position to infiltrate to where they really want to be.
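As an added illustration (not code from the original article), the compartmentalisation described above can be modelled as a default-deny allowlist between network zones, with a path search that shows how far an attacker who has compromised that forgotten pump could pivot. The zone names, devices, ports and both policies are constructed for the example.

```python
# Added example, not from the original article: security segmentation as a
# default-deny allowlist between zones, plus an audit of lateral-movement paths.
from collections import deque

# Constructed inventory: device -> zone.
DEVICES = {
    "pump-17": "ot-field",      # a small pump in a forgotten area of the plant
    "plc-3": "ot-control",
    "historian": "ot-dmz",
    "erp-db": "it-core",        # the high-value target
}

# Constructed allowlists of (source zone, destination zone, port); anything
# not listed is denied. In the loose policy the historian pushes data into
# the IT core, so every permitted hop chains from the field to the core.
LOOSE_POLICY = {
    ("ot-field", "ot-control", 502),   # field devices to PLCs (Modbus/TCP)
    ("ot-control", "ot-dmz", 443),     # PLC data into the historian
    ("ot-dmz", "it-core", 443),        # historian pushes into ERP
}
# Tightened policy: the IT core pulls from the DMZ instead, so no allowed
# flow originates on the OT side and terminates in the IT core.
TIGHT_POLICY = {
    ("ot-field", "ot-control", 502),
    ("ot-control", "ot-dmz", 443),
    ("it-core", "ot-dmz", 443),
}

def is_allowed(policy, src, dst, port):
    """Default-deny check of a single flow between two named devices."""
    return (DEVICES[src], DEVICES[dst], port) in policy

def lateral_path(policy, compromised, target):
    """Shortest chain of zones an attacker pivoting from `compromised` would
    have to cross to reach `target`, following only allowed flows.
    Returns None when the segmentation leaves no such path."""
    start, goal = DEVICES[compromised], DEVICES[target]
    parents, queue = {start: None}, deque([start])
    while queue:
        zone = queue.popleft()
        if zone == goal:                      # rebuild the path back to start
            path = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for src, dst, _ in policy:            # BFS over permitted zone hops
            if src == zone and dst not in parents:
                parents[dst] = zone
                queue.append(dst)
    return None
```

Running `lateral_path(LOOSE_POLICY, "pump-17", "erp-db")` exposes the chain of sanctioned hops a patient attacker could ride from the pump to the ERP database, while the tightened policy returns no path at all.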
IT/OT integration is a modern twist on the King Canute fable. Rather than attempting to build a castle of ever-increasing size to keep out the tide, cybersecurity professionals need to change their mindset to succeed.