Attacks on critical infrastructure and other OT systems are on the rise as digital transformation and OT/IT convergence continue to accelerate. Water treatment facilities, energy providers, factories, and chemical plants — the infrastructure that undergirds our daily lives could all be at risk. Disrupting or manipulating OT systems stands to pose real physical harm to citizens, environments, and economies.
Yet the landscape of OT security tools is far less developed than its information technology (IT) counterpart. According to a recent report from Takepoint Research and Cyolo, there is a notable lack of confidence in the tools commonly used to secure remote access to industrial environments.
|Figure 1: New research reveals a large gap across industries between the level of concern about security risks and the level of confidence in existing solutions for industrial secure remote access (I-SRA).
The traditional security strategy of industrial environments was isolation – isolation not just from the internet but also from other internal systems. But now, with OT systems opening to the world and cyberthreats surging, the lack of OT-specific security tools has emerged as an urgent problem. In this void, IT solutions are often cobbled together in an attempt to meet OT needs but, as you might expect, the results are usually lackluster.
Security solutions designed for IT environments simply can't satisfy the demands of OT and industrial realities, for several key reasons.
Reason 1: OT prioritizes availability over confidentiality
While IT and OT both seek to ensure confidentiality (the protection of sensitive data and assets), integrity (the fidelity of data over its lifecycle), and availability (the accessibility and responsiveness of resources and infrastructure), they prioritize different pieces of this CIA triad.
- IT's highest priority is confidentiality. IT deals in data, and the stakeholders of IT concern themselves with protecting that data — from trade secrets to the personal information of users and customers.
- OT's highest priority is availability. OT processes operate heavy-duty equipment in the physical realm, and for them, availability means safety. Downtime is simply untenable when shutting off a blast furnace or industrial boiler tank.
For the sake of availability and responsiveness, most OT components weren't built to accommodate security implementations at all.
This marks a fundamental difference in the very DNA of IT and OT environments, which immediately renders IT security tools challenging to implement.
Reason 2: OT systems run on always-up legacy systems
For someone living in the IT world, it may be difficult to imagine an environment that still runs on Windows XP or an eighties-era mainframe, but that's the plain reality of the OT world. Whether for profit or safety, OT systems are always up and running at full capacity. This is why OT components are designed for much longer life cycles.
Almost all IT-based tools require downtime for installation, updates, and patching. These activities are generally a non-starter for industrial environments, no matter how significant a vulnerability may be. Again, downtime for OT systems means putting safety at risk.
In addition, the legacy systems that power the OT world generally cannot communicate with modern security or authentication tools, limiting the effectiveness of these platforms from the very start. Without a security solution like Cyolo, which retrofits legacy applications to support modern security protocols, IT tools will be severely limited in their ability to secure OT systems.
Reason 3: IT tools almost always require a connection
IT security solutions usually require external connection because servers and applications must exchange data with each other (and with users) to perform their essential functionality. OT systems, by contrast, often have specific requirements for how and when they can be connected to the internet (yes, even in our age of digital transformation). IT tools can't always be configured to meet these requirements.
The nuance is that IT and OT systems can interface with each other without forming a permanent connection. This way, OT environments can be positioned to achieve the benefits of automation, production data, and other digital transformation efforts without creating unnecessary access points for malicious actors.
Reason 4: OT systems are highly variable
The IT world has largely standardized around the TCP/IP protocol, but the OT world lacks such consensus. OT systems use a wide variety of communication protocols, which are often determined by the original equipment manufacturer.
For example, if an OT operator purchases programmable logic controllers (PLC) from several different providers, each provider has likely taken a different approach to meeting IEC-61131 standards. Therefore, OT engineers have to learn and maintain as many types of software and protocols as they have vendors.
Even within OT, protocols are frequently incompatible with each other, and they are definitely incompatible with common protocols used in IT-based security tools. It is doubtful that any IT tool will cover the entire spectrum of OT use cases for a given environment.
Reason 5: OT systems are delicate
As a function of their variability and always-on nature, OT systems are easily disrupted by the most basic IT processes and security best practices.
- Even passive scanning can knock fragile OT systems offline, and by the time scanning is scaled down and restricted to offline systems, security coverage shrinks below an acceptable level.
- Logon banners that typically run on endpoints will break the auto-login process for critical OT systems.
Because visibility is harder to achieve in OT environments, it can be difficult to predict the consequences of deploying a new tool. For this reason, OT systems generally require more extensive testing and validation before a new tool is implemented.
OT environments deserve OT solutions
It's often said that strategy precedes tooling — and this is true. IT and security teams working in OT spaces must take the time to understand and embrace OT philosophies and needs, and collaborate with OT stakeholders to define best practices.
That said, the right tools still matter in a big way. The cybersecurity market can be noisy and misleading. Together, IT and OT stakeholders must ask the right questions before committing to a specific tool or vendor.
The OT world deserves the benefits of modern security controls without risking the safety of workers, operations, or bystanders. Not only will the right solutions harden security postures against tomorrow's attacks, they will position security to contribute to innovation rather than stand in its way.
To learn more about the top challenges currently facing OT security professionals, read the complete report from Takepoint Research and Cyolo.