What is Operational Technology (OT) Security?
Before defining OT security, it is important to understand the scope of OT. Recent focus on OT, the internet of things (IoT), and industrial IoT has led to some confusion among cybersecurity professionals. These areas are related in that they all represent machines, as opposed to users on a laptop or mobile device. OT systems include all the industrial systems in a manufacturing or production environment, meaning they are critical to a company's ability to produce what is likely its main source of revenue. Unlike IT systems, which change constantly, OT systems tend to be long-lived, ranging from a few years to decades old. Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems are subsets of OT, and those terms are also used to refer to OT systems in certain vertical markets.
OT systems use purpose-built software to achieve industrial process automation, and OT security refers to the controls used to safeguard these systems from cybersecurity threats. OT security has become a new requirement as a result of the convergence of IT and OT, which is driving greater automation and efficiency in industrial plants.
OT security breaches can be even more dire than IT system breaches. The monetary loss from the shutdown or slowdown of manufacturing or production can easily run into the millions of dollars. Ransomware attacks on Norwegian aluminum producer Norsk Hydro, British consumer goods company Reckitt Benckiser, UK-based advertising group WPP, Danish shipping company AP Moller-Maersk, and U.S. delivery service FedEx have resulted in damages exceeding a billion dollars. A single incident at global drugmaker Merck cost over 1.3 billion dollars.
Among other things, NotPetya so crippled Merck’s production facilities that it couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses—the entire U.S. emergency supply—from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million. (Bloomberg, December 3, 2019)
How do IT and OT systems differ?
Unlike IT systems, which are designed for a variety of uses by people, devices, and workloads, OT systems are purpose-built to automate specific industrial applications. The technology lifecycle of OT systems is vastly different: it can span decades, whereas IT systems such as laptops and servers are typically replaced every four to six years. OT systems may also be highly regulated. For example, FDA regulations require diagnostic machines to be supported by the manufacturer for 20 years from the date of deployment. OT systems are also managed by the business units; CIOs and CISOs are not typically responsible for the procurement, management, or security of these systems. However, IT and OT systems do have something important in common: both are increasingly dependent on connectivity to the internet or public networks.
What are the challenges for OT security?
The challenges below are the ones we hear most frequently from plant operations leaders, CIOs, and CISOs. The list is not exhaustive, but it covers some of the major challenges in OT security.
- Lack of security awareness among OT staff
- Lack of visibility into all of the OT systems on the manufacturing floor
- Shared network infrastructure within the manufacturing floor between systems
- Inability to address security issues by patching the OT systems
- Increased attack surface with the increase in OT/IT convergence
- Remote maintenance of OT systems occurs over the internet
- Providing access to third parties for remote monitoring and maintenance
- Different plants within the same company have completely different OT environments
While no single vendor can address all of these challenges, it is important to understand the risks and create a strategy to mitigate them.
Zero trust network access (ZTNA)...grants access based on the identity of the humans and their devices, plus other attributes and context (such as time/date, geolocation and device posture), and adaptively offers the appropriate trust required at the time. ZTNA will appeal to organizations looking for more-flexible and responsive ways to connect and collaborate with their digital business ecosystems, remote workers and partners. (Gartner, Market Guide for Zero Trust Network Access, June 2020)
Zero trust for OT security
The principles of zero trust in a cloud-first world for IT security are completely relevant to OT security:
- Application access should be adaptive, contextual, and independent of network access. Such zero trust access lets third parties and contractors reach only the applications and systems they need, without requiring complex firewalls or VPNs.
- Microsegmentation should occur at the application level without network segmentation. Network segmentation is the old approach that has failed to provide protection against threats and vulnerabilities. Application-level microsegmentation prevents users from discovering applications that they are not authorized to access, reducing the attack surface for malicious insiders as well.
- Applications and networks must be invisible to the open internet. This is the most important principle for OT systems. As more OT systems are integrated with IT systems to drive automation, efficiency, and lower costs, making these systems discoverable and reachable on the internet only by authorized users eliminates the biggest attack surface.
- The internet becomes the new corporate network via encrypted microtunnels. When the internet becomes your secure network, you achieve IT/OT convergence without compromising security or convenience.
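As an added illustration (not code from the original page or from any product it describes), the following Python sketch shows how the first three principles combine in a policy decision for remote OT maintenance: a user can discover only the applications their identity entitles them to, and each request is re-evaluated against device posture, the maintenance time window and geolocation. The application names, roles and posture attributes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy (hypothetical application names and attributes): each OT
# application lists entitled roles, required device posture, a UTC maintenance window
# and the countries from which access may originate.
POLICY = {
    "plc-hmi-line3": {"roles": {"ot-engineer", "vendor-maintenance"},
                      "posture": {"disk_encrypted", "edr_running"},
                      "window_utc": (6, 18), "countries": {"US", "NO"}},
    "historian-plant-a": {"roles": {"ot-engineer"},
                          "posture": {"disk_encrypted", "edr_running", "os_patched"},
                          "window_utc": (0, 24), "countries": {"US"}},
}

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    device_posture: frozenset
    country: str
    now: datetime  # timezone-aware

def make_request(user, roles, posture, country, when_iso):
    """Build a request; when_iso is an ISO-8601 timestamp with a UTC offset."""
    return Request(user, frozenset(roles), frozenset(posture), country,
                   datetime.fromisoformat(when_iso))

def visible_apps(req):
    """Application-level microsegmentation: the user discovers only entitled apps."""
    return {app for app, p in POLICY.items() if req.roles & p["roles"]}

def decide(req, app):
    """Adaptive per-request decision: posture, time and location are re-evaluated on
    every request, so a change in context revokes access without touching firewalls."""
    if app not in visible_apps(req):
        return False, "not entitled"  # same answer as for an unknown app
    p = POLICY[app]
    missing = p["posture"] - req.device_posture
    if missing:
        return False, "device posture: missing " + ", ".join(sorted(missing))
    start, end = p["window_utc"]
    if not start <= req.now.astimezone(timezone.utc).hour < end:
        return False, "outside maintenance window"
    if req.country not in p["countries"]:
        return False, "geolocation not permitted"
    return True, "allow"
```

A real ZTNA broker would source the roles, posture and geolocation from an identity provider and an endpoint agent rather than from the request itself; the decision logic is the part this sketch illustrates.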