Beware of accidental convergence

Information technology (IT) and operational technology (OT) teams must find common ground to eliminate the substantial risk factors of both planned and accidental IT/OT convergence.

By Michael Rothschild December 17, 2021
Courtesy: Tenable

Modern industrial and critical infrastructure organizations rely on the operational technology (OT) environment to produce their goods and services. Beyond traditional information technology (IT) operations that use servers, routers, PCs and switches, these organizations also rely on OT, such as programmable logic controllers (PLCs), distributed control systems (DCSs) and human-machine interfaces (HMIs) to run physical plants and factories. While OT devices have been in commercial use for more than 50 years, a complete transformation has occurred, changing the way people operate, interact with and secure the OT environment.


Many organizations have opted to converge their IT and OT environments, which can yield many benefits, but these decisions are not without risk. Convergence can produce new attack vectors and attack surfaces, resulting in breaches that start on one side of the converged infrastructure and laterally creep from IT to OT and vice versa.

Threats impacting OT operations are not the same as those that impact IT environments, thus the required security tools and operating policies are different. Deploying the right ones can harness all the benefits of a converged operation without increasing the security exposure profile of the organization. It is important for organizations to establish a carefully planned strategy prior to a convergence initiative, rather than bolting on security as an afterthought.

The air gap argument

What happens when a business makes the strategic decision to not converge their IT and OT operations? Many organizations follow this path for a variety of reasons including strategic, technical and business factors. By keeping IT and OT systems separate, these organizations are implementing an “air gap” security strategy.

Traditionally, air gapping OT operations has been viewed as the gold standard when it comes to industrial and critical infrastructure environments. Operating as a “closed loop” without any interfaces to the outside world, the OT infrastructure is physically sequestered from the external environment. With no data traveling outside the environment, and nothing from outside coming in, this buffer is viewed as the ultimate methodology in securing an organization from security threats.

While the notion of air gapping seems simple enough, it is difficult to maintain. Cutting connections is only part of maintaining a sterile environment. There are many other paths into what is supposedly an isolated infrastructure (see Figure 1). For example, true isolation requires eliminating electromagnetic radiation from the devices in an OT infrastructure. This requires the implementation of a massive faraday cage to eliminate potential leakage vectors.

Over the years, additional attack vectors have been discovered, including FM frequency signals from a computer to a mobile phone, thermal communication channels between air gapped computers, the exploitation of cellular frequencies and near-field communication (NFC) channels. Even LED light pulses among OT equipment have exposed critical systems to malicious activity.

There are many examples of highly-enforced air-gapped facilities that have suffered a breach due to something as simple and innocuous as an external laptop being used as an HMI or a USB thumb drive used for OT purposes. In an average OT environment, upwards of 50% of the infrastructure comprises IT equipment. Organizations with no specific initiatives for IT and OT convergence are among the most at risk because no additional security is implemented beyond air gapping. Securing operations requires more than building a digital moat around the OT infrastructure. Even under the most favorable of circumstances, this isolation is almost impossible to maintain. The introduction of one seemingly harmless variable into a sterile environment can permanently destroy the most stringently enforced air gap. This is known as “accidental convergence.”

While air gapping OT from the “rest of the world” is considered the gold standard in terms of securing OT environments, it is not foolproof. Many organizations are lulled into a false sense of security even though their isolated OT infrastructure is anything but isolated. As a result, it is anything but secure.

Over the last 10 years, increased incidents of attacks have targeted manufacturing and critical infrastructure. Among them are examples of sophisticated attacks that took advantage of “accidental convergence” to infiltrate and gain a foothold within organizations. The accidental convergence of IT and OT environments can occur at any time. Even more concerning is it happens in many organizations without their knowledge and without consequence because of the erroneous belief the air gap is doing the job. After gaining a foothold, these attacks can continue for weeks and even months until a catastrophic failure occurs. The security thought to be in place was an illusion far from the actual reality.

Vigilant planning for cybersecurity ahead

For most industrial organizations, the need for vigilant security is nothing new. Threat vectors and the security forecast is constantly evolving given emerging threats. The convergence of IT and OT operations, whether planned or unplanned, is in almost all cases a reality. Setting the appropriate safeguards will help ensure secured operations for the organization. What should be considered?

Visibility that extends beyond traditional borders

Up until this point, IT security and OT infrastructures inhabited different worlds and the ability to see into either environment was bifurcated along these lines. Modern-day attacks are amorphous and travel across the traditional IT and OT security borders without regard. The ability to track these types of propagation routes requires the de-siloing of traditional visibility parameters. Being able to gain a single view of IT and OT gear, along with the conversations happening between the two worlds, is essential. This “single pane of glass” view can help illuminate potential attack vectors and asset blind spots that may have eluded traditional security strategies.

Deep situational analysis

Whether or not a planned convergence initiative is in the works, it is important to recognize the significant difference in IT and OT lifecycles. While IT infrastructures update regularly, OT infrastructures often persist for years, even decades.

It is not uncommon for an OT infrastructure to be as old as the plant itself. The result is a full inventory of assets, along with maintenance and change management records, may not be current. Therefore, crucial data may be missing, including important details such as model number, location, firmware version, patch level, backplane detail and more. Since it is impossible to secure assets users may not even know exist, having a detailed inventory of OT infrastructure that can be automatically updated as conditions change is essential to protecting industrial operations.

Figure 1: Cutting connections is only part of maintaining a sterile environment. There are many other paths into what is supposedly an isolated infrastructure. Courtesy: Tenable

Figure 1: Cutting connections is only part of maintaining a sterile environment. There are many other paths into what is supposedly an isolated infrastructure. Courtesy: Tenable

Reduction of cyber risk

When it comes to modern OT environments, cyberthreats can originate from anywhere and travel everywhere. It is important to use as many capabilities and methodologies as possible to find and mitigate exposure risk including:

  • Network-based detection that leverages policies for “allow/disallow” capabilities.
  • Anomaly-based detection that can find zero-day and targeted attacks and is predicated on baseline behaviors unique to an organization.
  • Open-source attack databases that centralize threat intelligence from the greater security community. The notion is more eyes on a potential threat yields a significantly better security response.

Since most attacks target devices rather than networks, it is essential to use a solution that queries and provides security at the device level. Because OT device protocols can vary, security and health checks must be unique to the make and model of the device, including the device language. These deep checks should not scan, but rather be precise in query nature and frequency.

In 2020, more than 18,500 new vulnerabilities were disclosed, affecting OT devices as well as traditional IT assets. However, less than half of these vulnerabilities had an available exploit. Gaining a full awareness of the vulnerabilities relevant to the environment, along with a triaged list of exploitable vulnerabilities and critical assets, will enable users to prioritize the threats with the highest risk score, reducing the overall cyber exposure profile.

Security that contributes to the ecosystem of trust

While it is important to identify and leverage the best IT and OT security products for the environment, it is even more important the products work together. The age-old notion of a layered and cooperative security approach, where point products can work together, creates an impermeable layer — the totality of the solution becomes greater than the sum of its parts.

One such example is an OT security solution that feeds valuable details to a security information and event management (SIEM) system or next-generation firewall (NGFW), providing a new and important view of industrial operations to the security ecosystem. This not only enhances security monitoring and response, but it also unlocks greater value and practical utility from existing security investments.

Cybersecurity solutions that scale

The lineage and approach of the legacy IT and OT teams could not be greater opposites. This polarity goes far beyond product lifecycle timelines.

IT teams are often driven by key performance indicators (KPIs) involving availability, integrity and confidentiality, which result in an “always secured” mentality. OT teams monitor metrics revolving around environment, safety and regulation, resulting in an “always on — set it and forget it” approach.

Today’s need to address security across the entire organization — not just IT or OT — requires these different “upbringings” to come together and find common ground to work together. Failure to do so leaves the organization with a gaping cyber exposure hole that could result in severe consequences if left unaddressed.

Accidental convergence, intentional security

IT and OT teams must find common ground to eliminate the substantial risk factors of both planned and accidental IT/OT convergence. But the mission does not end there. OT security solutions that work in conjunction with IT security solutions can be the catalyst that provides the visibility, security and control needed to thwart new cyberthreats. It also brings these once separate teams together to provide security that every manufacturing, critical infrastructure and industrial organization needs to securely fulfill its core mission.

Michael Rothschild
Author Bio: Michael Rothschild is senior director of OT solutions who comes to Tenable by way of the Indegy acquisition. He focuses on Tenable's OT product line, is an advisory board member at Rutgers University and is a past professor of marketing. He also has a number of published works in marketing and healthcare. In his spare time Rothschild is a first aid instructor and volunteers as an EMT.