The IT/OT convergence conundrum
Although a lot is being said about the pros and cons of information technology/operational technology (IT/OT) convergence, there is often little appreciation of what companies at different stages in their evolution may need to do.
What does information technology/operational technology (IT/OT) convergence mean? In the OT/IT cyber workspace, there are two types of companies – those seeking to converge and those that have never diverged. Both must change and both face similar risks. However, their circumstances and means of addressing the risks may be vastly different, as the following examples illustrate.
What sort of companies are they?
Company A, which is seeking to converge, is a large company operating multiple sites and with multiple complex manufacturing processes. The network is currently segmented to provide complete segregation between OT and IT – theoretically “air gapped,” or at least with one or more firewalls between OT and IT. Perhaps 20 years ago the company reviewed OT/IT security and decided this was the safest approach. However, that is no longer the case today. For this business model it makes sense to have a complete overview of the chain of manufacturing from order placement for goods-in to order fulfillment.
Company B has never diverged OT and IT. Being medium-sized, it has embraced technical innovation through greater use of IT, which spills over into use of smarter machines and sensors in the manufacturing environment. For this company it makes sense to connect machines to the IT network to extend control and monitoring to a remote location or to make use of maintenance tools. The company has a flat and undivided network because it grew that way. It has a firewall where its Internet Service Provider (ISP) provides service, so all is good (or so it seems). But it isn’t.
The threat landscape for the companies
The threat landscape has changed so much in recent years that attacks are essentially random and highly probable. That means it is necessary to create as many barriers to attack as possible.
Company B needs to be aware that the firewall at the ISP access point has very limited capabilities and is only fit to protect the IT environment – it has no knowledge of the protocols used by OT equipment. As if that were not bad enough, the defenders need to be aware that if their perimeter defenses are penetrated – due to a phishing e-mail – any malware installed would be free to attack the OT equipment, which is generally not robust to attack. Divergence is needed, at least to the extent of getting an extra firewall to separate IT and OT. It would be wise to start monitoring network traffic, too.
Company A has a “convergence” project to migrate much of the IT and OT infrastructure to the cloud, which is fine if done with appropriate safeguards. Those safeguards, for both supplier and user physical assets and management processes, include providing adequate diversity and redundancy, avoiding single points of failure, minimizing pinch points, and wargaming some realistic scenarios. These things should be done before placing contracts. If the service provider – a high-value ransomware target – is attacked and cannot provide service at any level, then what is the fallback position?
Although the solutions are different, there are some points of common difficulty. What have they got that they actually want to change? It is easy to overlook that a complete, thorough, as-built inventory is needed, including all connections (physical and logical) and data flows with the reasons for them. Many organizations struggle with this – it is not a small task. Some of it can be automated. How they do this is a little harder, and the “why” is harder still. There is no shortage of guidance about what a target secured network design should look like for various cases, but it doesn’t tell you how to get there from where you are now. The problem is that no one but those intimately involved can define that journey.
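One part of that inventory that can be automated, shown as an added example that is not from the original article: reconciling observed network flows against the documented IT/OT data flows and their reasons. The subnets, hosts, ports, flow records and reasons below are constructed for illustration.

```python
import ipaddress

# Constructed zone plan (assumed addressing): which subnets are IT and which are OT.
ZONES = {"IT": ipaddress.ip_network("10.10.0.0/16"),
         "OT": ipaddress.ip_network("10.20.0.0/16")}

# Constructed as-built inventory: approved cross-zone flows, each with its reason.
DOCUMENTED = {
    ("10.10.5.20", "10.20.1.10", 44818): "MES reads production counters from PLC (EtherNet/IP)",
    ("10.20.1.50", "10.10.5.30", 1433): "Historian writes batch records to ERP database",
}

# Constructed flow records (src, dst, dst_port), as a flow collector might export them.
OBSERVED = [
    ("10.10.5.20", "10.20.1.10", 44818),   # documented IT -> OT flow
    ("10.10.7.99", "10.20.1.10", 502),     # office workstation -> PLC over Modbus/TCP
    ("10.10.7.99", "10.20.1.10", 502),     # repeat of the same flow
    ("10.10.5.20", "10.10.5.30", 1433),    # stays inside IT, not a boundary crossing
    ("10.20.1.10", "203.0.113.8", 443),    # OT device talking to an address in no known zone
]

def zone_of(ip):
    """Return the zone name for an address, or UNKNOWN if it is in no listed subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def reconcile(observed, documented):
    """Return (undocumented cross-zone flows, documented flows never observed)."""
    seen, undocumented = set(), []
    for src, dst, port in observed:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue                       # intra-zone traffic is out of scope here
        key = (src, dst, port)
        if key in documented:
            seen.add(key)
        elif (src_zone, dst_zone, key) not in undocumented:
            undocumented.append((src_zone, dst_zone, key))
    stale = sorted(set(documented) - seen)  # inventory entries with no matching traffic
    return undocumented, stale

if __name__ == "__main__":
    unknown, stale = reconcile(OBSERVED, DOCUMENTED)
    for src_zone, dst_zone, flow in unknown:
        print(f"UNDOCUMENTED {src_zone}->{dst_zone}: {flow}")
    for flow in stale:
        print(f"NOT OBSERVED: {flow} ({DOCUMENTED[flow]})")
```

Undocumented flows are candidates for either a recorded reason or a firewall rule that blocks them; documented flows that never appear may point to an out-of-date inventory or too short a capture window.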