For many years the traditional information technology (IT) and operations technology (OT) systems remained distinct domains managed by different corporate resources, but this paradigm is undergoing a radical change as OT systems now are connected to the same networks as IT resources with Internet Protocol (IP) addresses and exposed control or management interfaces.
In a previous time, OT systems ran on dedicated networks or were serially connected on their own bus, using exotic and poorly understood protocols such as DNP and Modbus. Traditional network security devices were unable to “see” or manage these devices. Now these devices are being connected to the traditional network, or even in some cases the Internet, in order to enable anytime, anywhere access on demand. This convenience, however, is not without substantial risk to both the IT and OT systems.
As we witnessed with Stuxnet, Flame and other related malware, the jump from IT to OT is happening in front of our eyes, sometimes with catastrophic outcomes. Much of the OT world has been neither trained nor prepared to manage this new set of operational cyber risks, and as such it is often an easy target for skilled hackers.
Perhaps more alarming, many of these OT systems reside on hospital floors, control rooms, transportation systems and control the electrical grids of many countries. So when attacks occur or the SCADA/Industrial Control Systems are compromised, the hackers may inflict physical damage on a small to mass scale.
While one may argue that remote access and monitoring of these critical systems is important for remote management and data analytics, the risks are real. What makes OT systems harder to secure is how they differ from classical IT resources: in IT, “private information” is usually the focus of protection at every layer, from people to firewalls. With OT systems, what is at risk is the integrity of the command sets and logic, and access to make changes to the programmable logic.
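To make that integrity point concrete, the following is an added Python example (not code from the original post) of the kind of protocol-aware check a traditional firewall never performed: it parses Modbus/TCP frames (the 7-byte MBAP header plus function code, as defined by the public Modbus specification) and raises an alert whenever a state-changing write function code arrives from a host that is not on an allow-list of engineering workstations. The allow-list address, the sample frames and the source IPs are all constructed for illustration.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Standard Modbus function codes that change device state.
# Read codes (0x01-0x04) are deliberately absent: reads do not alter logic or outputs.
WRITE_FUNCTION_CODES: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Constructed allow-list: the only host permitted to issue writes to the PLCs.
ALLOWED_WRITERS = {"10.0.5.10"}


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP frame: MBAP header (tid, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([fc]) + data
    # The MBAP length field counts the unit id byte plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_mbap(frame: bytes) -> dict:
    """Parse and sanity-check a Modbus/TCP frame; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit, "function": frame[7], "data": frame[8:]}


def inspect(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert string if a write command comes from an unauthorised host, else None."""
    pdu = parse_mbap(frame)
    fc = pdu["function"]
    if fc in WRITE_FUNCTION_CODES and src_ip not in ALLOWED_WRITERS:
        return (f"ALERT: {WRITE_FUNCTION_CODES[fc]} (fc=0x{fc:02x}) to unit "
                f"{pdu['unit_id']} from unauthorised host {src_ip}")
    return None


# Constructed traffic sample: (source IP, raw frame) as a passive tap would see it.
EVENTS: List[Tuple[str, bytes]] = [
    ("10.0.5.10", build_frame(1, 1, 0x03, b"\x00\x00\x00\x0a")),  # read 10 registers: benign
    ("10.0.5.10", build_frame(2, 1, 0x06, b"\x00\x10\x00\xff")),  # write from allowed host
    ("10.0.9.77", build_frame(3, 1, 0x06, b"\x00\x10\x00\xff")),  # write from unknown host
    ("10.0.9.77", build_frame(4, 1, 0x10, b"\x00\x00\x00\x02\x04\x00\x01\x00\x02")),  # multi-write
    ("10.0.9.77", b"\x00\x05\x00\x00\x00\x02\x01"),  # truncated frame: header only, no function code
]


def run(events: List[Tuple[str, bytes]] = EVENTS) -> List[str]:
    """Inspect every captured frame; malformed frames are reported rather than silently dropped."""
    findings: List[str] = []
    for src, frame in events:
        try:
            alert = inspect(src, frame)
        except ValueError as exc:
            findings.append(f"MALFORMED from {src}: {exc}")
            continue
        if alert:
            findings.append(alert)
    return findings


if __name__ == "__main__":
    for line in run():
        print(line)
```

The design choice worth noting is that the check keys on the function code, not on the IP pair alone: a read from an unknown host is logged by normal firewall rules, but a write is what threatens the integrity of the programmable logic, so it is the write that gets the alert. Malformed frames are surfaced too, because a device that cannot parse a frame cannot vouch for what it carries.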
Still more concerning is the fact that most companies are still playing catch-up on the traditional IT areas such as ISO 27002, PCI-DSS, HIPAA and related security best practices. Preparedness for an OT attack is very limited, if it exists at all. Much of the OT infrastructure sits outside the datacenter and may not fall under the umbrella of the CIO or chief information security officer (CISO). It therefore may represent a “shadow” infrastructure, one with limited visibility and the potential for significant risk and damage.
With the emergence of the “Internet of Things” (IoT), traditional security vendors are starting to secure this shadow operational infrastructure. New firewall technology, intrusion detection and other measures are being developed to address the next generation of the Internet, where these devices are part of the fabric.
In a series of follow-on blog posts, we will explore the methods, tools and services being deployed to protect the next generation of the Internet, where websites co-exist with systems that control critical infrastructure.
In the meantime, feel free to browse our solutions that can help you protect your equipment and systems.