Industrial control systems (ICS) security was much simpler before the web. Firewalls and demilitarized zones (DMZs) separating the corporate and plant networks either didn’t exist or weren’t necessary. Organizations were primarily concerned with physically protecting their systems behind gates, fences and other barriers.
For that reason, vendors designed control systems with automation and reliability in mind; all communications technologies were proprietary and lacked compatibility with Ethernet and TCP/IP. But then the Internet came, and with it, the threat of connectivity-enabled attacks that don’t require physical access to plants or their systems.
Industrial Cybersecurity Is Ever-Evolving
Organizations are now dedicating resources to protecting their ICS assets, which include supervisory control and data acquisition (SCADA) programs, against intentional or accidental security threats. Defending these systems is like other industrial safety programs. People and technology must work together to develop policies and processes that they can implement, build upon, enforce, modify and improve.
Even so, ICS security has plenty of challenges. Several of them owe their existence to the ongoing convergence of information technology (IT) and operational technology (OT).
As noted in another State of Security post, IT and OT at one point in time generally did different things. There was some limited collaboration if either IT or OT need to use the other’s technology to complete their jobs. But that was the extent of their cooperation.
Today, a convergence of a logical and physical resources now means a closer relationship between IT and OT. This union makes it difficult to determine who is responsible for protecting ICS systems owned and operated by the organization. Is it IT, which has experience and budget for digital security but lacks direct oversight over the industrial control systems? Or is it OT, which supervises industrial control systems but isn’t chiefly responsible for defending the organization against digital threats? The absence of a clear answer creates confusion, especially given the attackers’ increasing use of generic IT malware like WannaCry, NotPetya and BadRabbit to disrupt industrial environments.
The Complexity of the Industrial Internet of Things (IIoT)
The IT-OT convergence isn’t the only ICS security challenge facing organizations. There’s also the Industrial Internet of Things (IIoT).
“Smart factory” devices do help streamline the operation of industrial control systems. Unfortunately, manufacturers don’t always take the necessary precautions to secure those products. This oversight can make IIoT devices vulnerable to remote exploitation over the web. Attackers could then leverage compromised IIoT products to disrupt the normal operation of industrial equipment. Depending on the functionality of those systems, such disruption could potentially endanger public safety.
Better ICS Cybersecurity with United IT and OT
These questions beg the question: how can organizations best strengthen their ICS security? Acknowledging that question, Tripwire and its parent company Belden published Industrial Cyber Security for Dummies. The resource takes a deeper dive into why many organizations’ ICS products and software aren’t receptive to IT security strategies. It also explores the blurring line separating IT from OT as a convergence of different priorities and strategies.
To demonstrate, IT adheres to the CIA Triad in valuing confidentiality first, then integrity, and lastly availability. As such, IT personnel can easily disable a system to implement a patch or remove malware if it’s in the interest of preserving the confidentiality or integrity of a system. An asset’s unavailability might be inconvenient, but convenience is no reason to threaten the confidentiality and integrity of an IT asset.
That’s not the case with OT. Paramount to OT professionals is availability (and safety), for disabling certain systems could cause others to malfunction in a way that endangers the lives of ordinary people. In OT environments, uptime and the lack thereof have real-world consequences. As a result, OT takes an interest in integrity and confidentiality only after availability is ensured.
Organizations need to understand those differences if they are to unite their IT and OT teams around strengthening the security of their industrial control systems. For more information on how companies can use the IT-OT convergence to their advantage with respect to ICS security, please download Tripwire’s quick and helpful guide: “Defend Industrial Control Systems with Tripwire’s ICS Security Suite.”