Handling IT, OT convergence is crucial for cybersecurity

Information technology (IT) and operational technology (OT) have always been on opposite sides, but they need to come together to combat a cybersecurity threat that is becoming easier for anyone to exploit and use.

By Gregory Hale, ISSSource July 19, 2016

With an industry just now becoming aware of the security issues it already has, the added boost of the Industrial Internet of Things (IIoT) means security professionals need help—and quick.

That is where IT-OT convergence comes into play. While the two sides do not get along traditionally, that concept has to go out the window. One side has to cull information gleaned from years of experience working to secure the enterprise, while the other needs to understand you just can’t shut down a control system and reboot.

"Operational technology (OT) will need to work with information technology (IT) to make this happen," said Walt Sikora, cofounder of Industrial Defender, during a webcast with Industrial Safety and Security Source (ISSSource.com). "IT is a very dynamic environment; it is always changing. There are a lot of challenges if you are an IT security person. The security posture is very mature. If we contrast that with OT, that network is relatively small. There is very little change. The systems are not very dynamic. They expect a system to last a long time."

The security posture in the manufacturing environment has improved over the years, but there is still a long way to go, and IT-OT working together will help manufacturers move forward.

"How do I engage with either other from an IT and OT perspective? Each of these teams has a level of expertise. If we can leverage the expertise of both sides, there will be some great advantages," Sikora said. "Once you can understand the perspective of the counterpart within your organization, it is easier to work together."

"You have to think about safety and resilience because we are dealing with the physical cyber space when you deal with things like machinery, valves, actuators and robots. You have to think about the safe reliable use of the equipment you are connecting to the Internet. In the industrial environment there are a lot of safeguards built in to put them in a safe state if something goes wrong," Sikora said. "That thing that is being controlled need to be placed in a state that will not cause harm or damage. That is important when we start thinking about placing these devices on the Internet."

In addition, with various devices on the Internet, and with the sophistication of exploits and attackers increasing, security professionals need all the help they can get.

"Adversaries have moved from the kid in the basement that would look to plug in and do something malicious," Sikora said. "Back in those days, you had to be really computer savvy to figure things out. Plus, one vendor’s operating systems was very closed. There was not much chance where one exploit would work on anything more than one system."

Today’s attacks are at the point where kids could be sitting in the basement searching Google or using Metasploit where some hacker placed a toolkit that has all the attack devices he would need to go after a victim. The attacker doesn’t need to have any advanced computer or system knowledge.

"One example was a Polish tram system where a teenager took a TV remote control and controlled the switching of the tracks," Sikora said. "The bad news is the adversaries have increased their capability and the more bad news is that capability is readily available and there is whole market for these exploits to be traded, bought, used and targeted against industrial control systems (ICSs)."

Cyber kill chain

While that may sound all gloom and doom, that is not the case at all. In fact, there are approaches where defenders can look and find would be attackers encroaching upon their system, and that is the cyber kill chain.

The emphasis behind the cyber kill chain is intelligence-driven defense, Sikora said. That is the only way organizations will be able to get ahead of this daunting task.

The ideas behind intelligence-driven defense are:

  • Getting awareness
  • Understanding the capability of the technology
  • Accountability
  • Empowerment
  • Intelligence.

"It is not about one thing, there is no silver bullet, it is about defense-in-depth," he said.

The cyber kill chain breaks down the various phases of an attack: Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on intent.

"If we can have a process in place that looks at our defenses and measures our defensive posture, then the adversary cannot find out various phases of advanced attack. It presents multiple opportunities to help detect and prevent an attack through effective countermeasures through the intelligence driven defense lifecycle," Sikora said.

The idea is the earlier you break the chain, the easier it is, and it will become more likely the adversary will not accomplish their mission. However, If the adversary gets down to the command and control, they have compromised the network, and it is much more difficult because they have already established a stronghold.

"If I can measure and collect data and derive information from it, I can see what happened in the past and find an indicator of compromise," Sikora said. "That is when I can start to think forward to see what I can do to stop things from happening in the future."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineeringcvavra@cfemedia.com.

ONLINE extra

ISSSource has additional stories about OT security and control system vulnerabilities. See a related story that looks at the problem from an insurer’s perspective.

See additional stories from ISSSource about safety below.

Original content can be found at www.isssource.com.