Security leaders: Prepare now for the convergence of IT, OT and IoT

Is the way we practice security is dependent on context?

We have physical security teams. We information security and cybersecurity teams. Sometimes we blend the teams together.

As the Internet of Things (IoT) gains steam, we publicly question and even lament the security included there, if at all.

For some, security is a silo. For others, security is blended.

Adi Dar, CEO of Cyberbit, points out that attackers don’t care. Dar led Cyberbit since it was spun off from Elbit Systems, Israel’s largest defense contractor and the #26^th largest in the world (NASDAQ: ESLT). Prior to that, Dar served as CEO of Elop — one of the world’s leading defense electrooptic technology providers and part of the Elbit Group.

Dar noted that attackers adept at finding and slipping through the cracks gain an advantage. Understanding this drives a need for us to develop a more complete and timely picture. It’s a pathway to prepare ourselves and our organizations.

That was the thrust of our conversation, detailed below.  

What should security leaders expect from a blended future of IT, OT, and IoT systems and controls?

Information technology (IT), operational/industrial technology (OT), and the Internet of Things (IoT) are converging.

This is no longer the future; it’s the reality. IT security leaders traditionally saw OT as other people’s problem — the industrial control network managers — but today, banks and other large enterprises all have IoT or OT systems in place. Surveillance systems, thermostats, HVAC or door controls all are connected and vulnerable to cyberattacks. One of the projects Cyberbit is now working on is protecting an intelligent building — a government facility that is entirely connected, their need is to protect everything — from laptops to electric controllers to physical gates. There is no longer a separation.

And on the other side of the network — industrial control network managers realize that IT security is now part of THEIR problem. Take the Stuxnet attack that took down 20 percent of Iran’s unclear centrifuges. This massive OT attack started with a simple windows exploit — can you imagine that?

What do we need to realize about how attackers view this blended situation?

We’ve traditionally been looking at the OT security problem from the vendor’s and customer’s point of view, each side sees part of the problem, which they are familiar with: IT, OT or IoT security. So, security systems are focused on fixing just part of the problem.

But attackers are looking at it in a different way. They don’t care if this is IT, OT or IoT — they are probing for the easiest way in, and then — where can they inflict as much damage as possible. So, vendors and security leaders must start looking at the entire security stack — from IT to IoT to OT — and protect it broadly.

For attackers, there are so many new opportunities: First, the attack surface has grown, so organization have much more that they need to defend. However, defense capabilities have not improved. Second, the ways to do damage have grown tremendously. A few years ago, attackers would aim to bring down a corporate website. Today, their goal would be to shut down the entire 100-story corporate building by simply attacking its elevator. Some of our customers are national power grid companies that are incorporating cybersecurity into the grid to avoid what happened in the Ukraine last year, when cyber attackers took down the grid and left 230,000 people in the dark.

Or take the recent attack on the BART, the San Francisco Metro system, or take the Stuxnet attack — both attacks have paved the way for the new IT/OT attacks. And this will only grow. As we’ve seen in the 2016 Dyn attack, attackers can even turn a network of web-connected cameras into a botnet to launch a DDoS attack. The new cyber attack is multi-vectored or, as we like to call it, full stack: IT is often the best way in, and OT/IoT is where attackers can do damage. In Stuxnet, a USB stick was used to eventually take centrifuges out of service.

What questions do we need to ask to get our heads wrapped around this challenge?

In this new reality, there are several questions to ask:

What do I have? Organizations have to map their entire collection of digital assets and move away from the traditional IT-only approach and look at every connected device, beyond ports and endpoints. Today, this is not part of the traditional IT security review — this has to change. Our customers, especially in the industrial sector, often don’t even know what they have. When we map a SCADA network and show our customers the results, we often hear: “Hey, I did not even know that I have this this critical controller device in my network, and worse — it’s online and connected to the internet so anyone can access it!”

Where are the critical areas in my network? Often these would be the touchpoints where IT — which is typically well protected — touches OT – which is typically not protected well. These are the weakest links attackers are looking for. IT networks are web-connected, and OT managers assume their industrial network is “air gapped” from the IT network, but in fact, you will find touchpoints where IT and OT do connect.

Do I have full-stack visibility? Am I confident in my response process? We are describing a situation where you may be defending different types of networks, numerous types of devices using multiple protocols, and your team is using dozens of security tools — each one to tackle a specific problem. Responding to an attack is tough, and companies are short of cybersecurity talent. Companies need to start thinking — “How do I obtain visibility into IT, OT and IoT from a single pane of glass, and how do I manage the incident response process across all these systems?”

Why is it important to get a “single pane of glass” read on the situation?

We are in a situation where security teams have to defend different types of networks, with numerous types of IT, OT and IoT devices — each one using different protocols. But as I mentioned, security vendors focus on niche problems, so teams are forced to use dozens of security tools — each one to tackle this specific problem. This makes sense because a cybersecurity startup cannot master more than one domain, and integrations are hard.

However, with the growing shortage in cybersecurity talent, there is no way an incident responder can master over 20 tools to manage a multi-vector attack. And they don’t have any visibility and situational awareness — the security operations center (SOC) analyst often needs to watch over 10 screens, each one monitoring a different system or network, or providing some type of data feed or intelligence. It’s impossible to have situational awareness this way.

Companies need to completely change the way of thinking and manage security from a single pane of glass — starting with dashboards that mash up all your IT, OT and IoT data into a single screen and give you visibility and situational awareness and managing incidents from a single location. This is something we at Cyberbit think about every day, for example, in our smart building project where all data feeds into the central SOC.   

How can security leaders influence integration by design?

SCADA and IoT are very similar because they use non-standard protocols and devices, so security vendors and leaders should start looking at them as the same problem. We need to shift our focus to multi-vector attacks and start sharing information to solve these problems together. There are now several information sharing and analysis centers (ISACs) that focus on sharing information between peers to solve complex security problems.

We also have to realize that whatever you do — it does not matter where you were attacked from — you will be attacked, and some of the attacks will make their way into your network. So, organizations should think about obtaining very good detection capabilities that will help them know about the attack as fast as possible — before this becomes a problem.

The time to act is now, so you should start asking these questions and urge for change in the approach and the design of the solutions. Moving in the direction now sets the stage for future success and true full-stack security to address the multi-vector threat landscape.