Seven in ten global industry leaders have identified Industry 4.0 to be the top priority in McKinsey’s 2018 survey. With the potential to rake in USD 1-3.7 trillion in value by 2025, there’s a lot riding on a key requisite for Industry 4.0 – secure IT/OT convergence.
Secure integration of information technology and operational technology can unlock the true potential of using data generated by IoT devices in addition to the ability to access real-time data.
Operational Technology (OT) comprises hardware and software that control and monitor physical devices. Therefore an attack on an OT system can very well lead to a complete shutdown of critical infrastructure.
Attacks on OT systems caught the world’s attention when Maersk, the world's largest shipping company, suffered a crippling NotPetya attack and lost USD 350 million in its aftermath.
[Note to the reader: A CSO Online feature on how Maersk went back to the drawing board to rebuild after NotPetya walks you through what exactly transpired and how Maersk moved forward]
While the enterprise has secured a fairly good grip on IT security, OT security is turning out to be the weakest link in the chain. A Fortinet report reveals 77 percent of OT leaders acknowledged at least one malware intrusion over the past year.
OT System Architecture diagram supplied by Satish K Sharma of Reliance Power
A typical OT System Architecture
Furthermore, 85 percent of unique threats were targeted at widely used OT systems -- be it OPC Classic, the open platform machine-to-machine communication protocol; BACnet, a common building automation protocol; or Moxa, an industrial networking and computing system.
What makes OT systems highly vulnerable
The obvious reason is increased connectivity – Gomeet Pant, cybersecurity leader at Vedanta, describes this as: “What used to be an island previously is now getting more and more connected to IT systems.”
With a rapidly-increasing surface area, gaining visibility into devices and networks becomes a challenge. A Forrester Consulting report reveals that 82 percent of the respondents acknowledged that they were unable to identify all of the connected devices on their IT and OT networks.
Satish K Sharma at IDG India's CSO100 2019
"CISOs do not fully understand the scope of industrial constraints. They, therefore, run into significant complications when it’s time to launch an ICS cybersecurity project." - Satish K Sharma, HoT IT & CISO, Reliance Power
CIOs and CISOs are just beginning to understand the mechanics of IT/OT convergence, so the concept, at this stage, is still an unknown beast.
Satish K Sharma, HoT IT & CISO at Reliance Power reveals that CISOs find the lack of visibility a major challenge and because of their unfamiliarity with the OT environment, they do not fully understand the scope of industrial constraints. They, therefore, run into significant complications when it’s time to launch an ICS cybersecurity project.
The common practice of physically isolating a computer from unsecured networks, or “air-gapping”, as the industry calls it, is non-existent now owing to IT/OT convergence. Now, this eliminates the option of isolating infected systems from the network.
The low penetration of OT in India is also a reason for high vulnerability, points out Parna Ghosh, VP & Group CIO at UNO Minda Group. He shares that machine-to-machine communication protocols are at a very nascent stage and that most machines we use in India are only Industry 2.0 or Industry 3.0 compliant.
And there's a reason behind this – Ghosh explains that without proper machine-to-machine communication, IoT projects cannot be deployed. Moreover, he shares that IoT projects, at this point in time, are not delivering high productivity or cost-efficiency.
Key CISO takeaways summarized from inputs of the 3 sources
5 Key Takeaways for CISOs to Protect OT Systems
The root cause for OT attacks – dated, vulnerable IT architecture
The quintessential architecture in most organizations is well-equipped to deal with the current threat landscape and IT security, but it’s not ready for IT/OT convergence just yet.
The modus operandi of hackers is to use conventional IT hacking tools and techniques to first achieve sufficient proximity to the ICS component, Sharma reveals. Having achieved this, the hacker then attempts to subvert OT or device control.
Parna Ghosh at IDG India's CIO100 2019 event
"We need mechatronics engineers who understand the language of new-age machines. However, the existing skills gap is a major problem area." -- Parna Ghosh, VP & Group CIO, UNO Minda Group
Highlighting a fundamental flaw in the architecture, Pant explains that most of these setups are well guarded from a physical and network-perimeter security point of view, but they have, more or less, a flat architecture. So if a threat manages to reach within the OT network, it makes the systems highly vulnerable to threats.
Explaining how Industrial Control Systems have not been designed with the perils of cybersecurity, Sharma highlights four key challenges in the present-day IT architecture:
1. ICS components contain many vulnerable areas which makes it very difficult to correct and improve OT equipment without reworking the entire system.
2. Most ICS' rely on devices that implement unsecured proprietary protocols and PLC that have not been equipped with cryptographic systems.
3. ICS' are way too often at risk of DoS (Denial of Service) attacks. The programs do not adequately control incoming data and the slightest irregularity in the network can collapse the whole service
4. Security approaches inherent to the OT world have masked the need to incorporate a cybersecurity approach.
ICS' are thus ill-prepared to face malware intrusions. In addition, the lack of requisite skill set also contributes to the vulnerability of OT systems. "We need mechatronics engineers who understand the language of new-age machines. However, the existing skills gap is a major problem area," says Ghosh.
Gomeet Pant at IDG India's CSO100 2019 event
“Speaking IT language in OT has never worked. CISOs should be able to speak business and OT language to get the message through.” -- Gomeet Pant, Sr. Manager – IT Security & Compliance, Vedanta
How CISOs can combat OT attacks
Pant opines that gaining better visibility into OT systems and setting common security goals with the OT team is a great starting point. “Speaking IT language in OT has never worked. CISOs should be able to speak business and OT language to get the message through,” he says.
He adds that rather than focusing on cybersecurity, the idea of cyber safety should be the centre point of security dialogues as most OT system compromises can lead to critical fatalities.
Basic controls like AV, patching, configuration management, application whitelisting and UAM should be verified. “In due course, visibility technologies like SIEM & NBAD should be deployed on platforms that understand OT protocols,” adds Pant.
Once the basics are in place, OT setup can also be targeted for alignment with NIST 800:82 or ANSI/ISA 62443 standards. Following this, Pant advises that organizations can maintain and gradually augment security management teams with certified resources who understand OT risks.
Sharma adds a word of caution though: He shares that new standards like ISA 99/IEC 62443, NERC CIP, or the NIST cybersecurity framework are often hard to apply to the world of OT, with risk evaluation becoming thorny and documentation often outdated.