Galina Antova, co-founder and chief business development officer at Claroty, discusses why CISOs and security teams can no longer turn their backs on operational technology (OT) or continue to treat it as a separate entity in their security strategy.
1. What challenges does the current global situation pose to OT security?
The pandemic has forced organisations of all sizes, and across all industries, to take a hard look at how their business can effectively operate when their employees, customers and partners have become dispersed and confined to their homes. Unlike some sectors, which have been backed into a corner and have had to pause their operations, the world is still dependent on the seamless and fully operational nature of not only critical infrastructure and utilities such as water, gas and electricity coming into their homes, but also global supply chains and transportation to get key equipment and services to the right place, at the right time. We have all become dependent on secure remote access solutions and seek greater visibility into operations. But how can this be done securely, without compromising on service levels?
Historically, the information technology (IT) and operational technology (OT) teams have operated in silos, each unaware of what the other was doing and just focussing on the piece of the puzzle for which they were responsible. In our current climate, now more than ever, everyone and everything must work together, especially if the business is going to understand the true risks that are facing them and, more importantly, how they can be mitigated.
Because the majority of OT runs on legacy networks that were, in the past, unconnected and standalone entities, there is a major 25+ year gap between the state of IT and OT security. Pair that with our “new normal”, in which the majority of workforces are remote, and organisations have a real challenge on their hands when it comes to cyber-risk.
2. Why is protecting OT networks so important? In other words, why should CISOs care?
OT is vital for the running of many key sectors around the world, including critical national infrastructure, manufacturing, transportation, and energy. A cyberattack against sectors such as these can have serious consequences not only for the victim organisation, but also for the wider population and economy.
The ongoing attacks on Ukraine over the last five years demonstrate the severe impact these types of attacks can have on OT networks, and how a country’s infrastructure can be disrupted. Take NotPetya, for example. While OT networks were not the primary target of this attack, the spillover from IT to OT networks caused the operations of numerous organisations to come to a standstill.
In our new digital age, enterprises are being transformed through digitisation initiatives, causing once-isolated OT networks to become interconnected with the rest of the enterprise. Because of this, organisations can no longer afford to solely focus on threats targeting IT infrastructure – protecting OT networks should be just as much of a priority.
3. Why is there such a gap between IT security and OT security?
Up until about 20 years ago, it was standard for OT networks to be unconnected systems that were separated from traditional networks, meaning that most systems were intrinsically well-secured against cyber-threats as they were naturally protected by air-gapping. The only way to compromise such a system would be to access it physically.
However, in recent years, digitalisation has meant that organisations have begun integrating their OT infrastructure into their wider network to enable them to deliver better efficiency through automation. Unfortunately, this has also led to frequent problems where security teams have attempted to simply transfer IT security controls directly over to OT. But that does not work because the priorities of OT networks are very different, with a greater focus on system uptime rather than protecting data. The system downtime that is standard in IT for activity such as patching, updating and maintaining software is very difficult to achieve for OT.
4. And how do we close that gap?
CISOs, who have traditionally worked on securing their IT infrastructure, want the same outcomes for their OT security, such as risk reduction, asset and vulnerability identifications, and being able to monitor and detect threats – and rightly so! However, the way they do this needs to be very different due to the different constraints and characteristics of OT compared to IT infrastructure.
Like all cybersecurity initiatives, effective OT security fundamentally comes down to implementing controls that reduce risk. Having real-time, granular visibility into OT assets, networks, and processes is critical to identifying and protecting against cyber-threats to an organisation’s industrial environments and reducing that risk.
Nevertheless, while this seems straightforward, one of the basic challenges CISOs face in defending their industrial environments against cyber-threats is that gaining visibility into OT networks is uniquely difficult. As such, we need to take a unique approach.
Basically, before we can reduce the risk to an industrial environment, we must assess it. This assessment process requires a security team to have full visibility into the particular environment’s OT network, which has historically been difficult to achieve due to the prevalence of unfamiliar OT assets, architectures, and protocols. In a perfect world, a CISO and his/her team would leverage unmatched protocol coverage, scanning, segmentation, and secure remote access capabilities to grant complete visibility across all three OT dimensions critical to risk. These dimensions are those I mentioned above – assets, network sessions, and processes.
5. With industry currently having to manage both remote and reduced workforces, how can organisations ensure they are getting the job done without compromising on security?
A largely remote workforce has unique implications when it comes to securing OT networks. However, this is also a broad issue given that every large organisation, no matter its industry or business model, has OT assets.
One implication is that many organisations are making a lot of changes when it comes to monitoring and controlling access to their systems, in a way that is secure but also doesn’t interfere with employees doing their jobs. At a time when the word remote is being used more than ever before, the importance of remote access management is really coming to the fore, and network administrators of OT networks are finding themselves on the front lines of enablement. Workers who usually access control systems physically in order to carry out their job are now looking for their employers to provide them with online connectivity. However, allowing for various types of users, systems, access levels, and functions is complex.
In times like these, the need for secure remote access has dramatically increased. CISOs and their security teams need to refresh their thinking on best practices for protecting remote access connections, especially when it comes to industrial networks – some of which support the critical national infrastructure that has become all the more critical in the past months. In order to ensure security is up to scratch, any CISO in charge of securing OT networks must focus on three key points: monitoring connections; ensuring granular privileged access control; and authentication, which ensures workflows and processes are secure.
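One way to make the three points above concrete, as an added example that is not Claroty's code or the interviewee's: a small policy check run over remote access session records into an OT network. Every session is counted (monitoring), each user may only reach the asset/protocol pairs explicitly granted to them and only inside a change window (granular privileged access), and any session without MFA is rejected (authentication). The log format, the field names, the grant table and the sample log lines are all assumptions constructed for this example.

```python
"""Policy check for remote access sessions into an OT network.

Added example, not Claroty's or the author's code. Enforces three controls:
  1. monitoring: every session is logged and summarised;
  2. granular privileged access: a user may only reach the (asset, protocol)
     pairs granted to them, and only within their change window;
  3. authentication: sessions without MFA are flagged.
The log format, grant table and sample lines are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical per-user grants: allowed (asset, protocol) pairs and a time window.
GRANTS = {
    "alice": {"assets": {("plc-01", "modbus"), ("hmi-02", "rdp")},
              "window": (time(8, 0), time(18, 0))},
    "bob": {"assets": {("hist-01", "ssh")},
            "window": (time(0, 0), time(23, 59, 59))},
}


@dataclass
class Session:
    ts: datetime
    user: str
    asset: str
    protocol: str
    mfa: bool


def parse_line(line: str) -> Session:
    """Parse one constructed log line of the form
    '2024-03-01T09:15:00 user=alice asset=plc-01 proto=modbus mfa=yes'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Session(datetime.fromisoformat(ts_str), kv["user"], kv["asset"],
                   kv["proto"], kv["mfa"] == "yes")


def evaluate(s: Session) -> list[str]:
    """Return the policy violations for one session (empty list = allowed)."""
    violations = []
    if not s.mfa:                      # authentication: MFA is mandatory
        violations.append("no-mfa")
    grant = GRANTS.get(s.user)
    if grant is None:                  # no grant at all: deny and stop
        violations.append("unknown-user")
        return violations
    if (s.asset, s.protocol) not in grant["assets"]:   # least privilege
        violations.append("asset-not-granted")
    start, end = grant["window"]
    if not (start <= s.ts.time() <= end):              # change window
        violations.append("outside-window")
    return violations


def audit(lines) -> dict:
    """Monitoring summary: count every session, record violations per session."""
    report = {"total": 0, "allowed": 0, "flagged": {}}
    for line in lines:
        s = parse_line(line)
        report["total"] += 1
        v = evaluate(s)
        if v:
            report["flagged"][f"{s.user}@{s.asset}/{s.protocol}"] = v
        else:
            report["allowed"] += 1
    return report


SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2024-03-01T09:15:00 user=alice asset=plc-01 proto=modbus mfa=yes",
    "2024-03-01T22:40:00 user=alice asset=plc-01 proto=modbus mfa=yes",   # outside window
    "2024-03-01T10:00:00 user=alice asset=hist-01 proto=ssh mfa=yes",     # asset not granted
    "2024-03-01T03:30:00 user=bob asset=hist-01 proto=ssh mfa=no",        # no MFA
    "2024-03-01T11:00:00 user=mallory asset=plc-01 proto=modbus mfa=no",  # unknown user, no MFA
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

The grant table deliberately keys on the pair (asset, protocol) rather than on the asset alone: an engineer cleared to read a PLC over Modbus should not thereby gain RDP to the HMI in front of it, which is the kind of over-broad permission that flat IT-style access lists tend to grant. In a real deployment the grants and the log lines would come from the remote access gateway rather than from constants in the script.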
Galina Antova, Co-founder and Chief Business Development Officer, Claroty