Adding the operation focus to OT security

May 25, 2023 | 5 min read

[Image: iStock 1430330223. Credit: RicardoImagen]

Much is happening in the OT/ICS world. Industry 4.0 is in full swing, with IT and OT systems becoming more connected, cloud and edge services being explored, and AI making moves to optimize maintenance and productivity. These and many other developments leave most organizations in one of two camps: either a sense of excitement about enhancing and maximizing their operations, or an increasing fear that, without action, a cyber event is just around the corner.

This is an exciting time full of opportunities, but the risks also expand, outpacing the current security options and jeopardizing potential gains. A growing number of examples in the last few years have shown that cyber-criminals are increasingly motivated to target OT/ICS operators’ IT and OT systems. In 2021, DarkSide’s attack on Colonial Pipeline showed how IT-based attacks could indirectly impact the availability of the OT operation. Then, in 2022, Sandworm showed a renewed Industroyer2 attack targeted directly at a Ukrainian energy provider’s OT/ICS systems. With such varied motivations behind attacks, staying ahead is no simple task.

Organizations often add to the challenge through internal friction between business and security. Business leaders are pushing the accelerator to the floor, and the security team is hitting the brakes to catch up. The OT evolution, however, introduces a third group: OT operations. Stuck in the middle of the struggle, operations teams are attempting to balance the opposing demands of speed and security against their own objective of stable and safe operations.

Cyber attacks are not the only threat to operational availability

OT/ICS environments, and the devices and Cyber-Physical Systems within them, are not just IT systems in disguise. There are similarities in some parts, but as you go down the Purdue Model levels, the differences become more and more pronounced. The OT operations teams are vital to the conversation as new security plans are developed to protect the expanding OT attack surface.

From the devices and systems perspective, different vendors produce devices for specific process tasks: think autonomous assembly robots, remote-controlled valves, and programmable logic controllers (PLCs). With these devices comes a raft of new applications, protocols, and behaviors not seen in IT environments and not understood by most IT security tools.

Just as importantly, OT/ICS environments introduce a new threat category: operational threats. This category covers threats to the stability and ongoing availability of the operation itself, and it includes the physical-world aspects that define an OT environment. IT teams often don’t see or consider these threats, and even if they do, the threats can be challenging to act on because the remedies go against the IT security best practices those teams follow.

An example that ties these points together is the Triton/Trisis malware attack that targeted a Saudi Arabian petrochemical plant in 2017. This attack marked the first time an ICS operation’s safety systems were explicitly targeted, something not seen in IT, deliberately putting human life at risk. Just as attacks targeting IT systems continue to evolve, so will the sophistication of OT-targeted attacks, as seen in more recent discoveries such as Pipedream and Stormous. Coupled with the operations team’s priorities of maintaining OT availability and safety, a new approach is needed to set organizations up for success.

Support security and operation without sacrifice

Compromise can be a dirty word, especially in the context of security. However, business realities make it necessary to find an acceptable balance when implementing security plans. If the plan is too heavy-handed, the business may slow down and lose its edge. Conversely, if it is not comprehensive enough, a cyber attack may lead to the same outcome. The challenge for security teams and the CISO becomes that much more difficult with the introduction of OT and the addition of the operation’s goals and priorities.

Approaching this challenge with the wrong plan and tools spells disaster. Instead, security and operations teams should look toward new security capability models that support their combined needs without forcing either team to sacrifice capability or compromise efficiency. For OT/ICS operators, this is Cyber-Physical System Detection and Response (CPSDR).

Developed around both security and operations, CPSDR keeps the objectives of detecting and responding to cyber threats and adds the new aim of preventing any unexpected change in the operation’s devices, moving beyond IT EDR’s single focus to a dual focus. This leads to a new unified priority: any unexpected change, whether it stems from a cyber threat or an operational one, poses a risk to stability and must be prevented. Availability is defended by detecting and preventing unexpected changes, and response actions become safe because the pressure to restore the operation quickly no longer drives mistakes.
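The “detect and prevent unexpected change” idea above can be illustrated with a small baseline-deviation check. The following is an added example written for this page; it is not TXOne’s CPSDR code, and the device fields (`firmware_version`, `logic_hash`, `safety_system_mode`, `cycle_time_ms`, `peers`), the severity table and the sample snapshot are all constructed here. It compares a device’s observed state against an approved baseline, treats fields covered by an approved change ticket as expected, and flags everything else, whether the cause is an attacker or an unplanned maintenance action.

```python
"""Baseline-deviation check for OT device snapshots.

Added example, not a vendor implementation. Assumes each device can be
polled into a flat dict of field -> value plus a list of network peers
(field names are constructed for illustration).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DeviceBaseline:
    device_id: str
    expected: Dict[str, object]          # fields whose values must stay fixed
    allowed_peers: Set[str]              # hosts permitted to talk to the device
    approved_changes: Set[str] = field(default_factory=set)  # fields an open change ticket covers


@dataclass
class Finding:
    device_id: str
    field_name: str
    baseline_value: object
    observed_value: object
    severity: str


# Constructed severity table: a safety-system mode change is the worst case,
# a changed control-logic hash or firmware is next, timing drift is lower.
SEVERITY = {
    "safety_system_mode": "critical",
    "logic_hash": "high",
    "firmware_version": "high",
    "cycle_time_ms": "medium",
}


def check_snapshot(baseline: DeviceBaseline, snapshot: Dict[str, object]) -> List[Finding]:
    """Return one Finding per unexpected deviation from the baseline."""
    findings: List[Finding] = []
    for name, expected_value in baseline.expected.items():
        observed = snapshot.get(name)
        if observed == expected_value:
            continue
        if name in baseline.approved_changes:
            continue  # planned change: operations opened a ticket for it
        findings.append(Finding(baseline.device_id, name, expected_value, observed,
                                SEVERITY.get(name, "low")))
    # Any peer outside the allowlist is unexpected regardless of other fields.
    unexpected_peers = set(snapshot.get("peers", [])) - baseline.allowed_peers
    for peer in sorted(unexpected_peers):
        findings.append(Finding(baseline.device_id, "peers", "allowlist", peer, "high"))
    return findings


def response_action(finding: Finding) -> str:
    """Pick a response that does not itself destabilise the process."""
    if finding.field_name == "peers":
        return "block_peer"            # isolating one host is safe for the process
    if finding.severity == "critical":
        return "hold_and_page_operator"  # never auto-revert a safety system silently
    return "alert"


def run_demo() -> List[Finding]:
    """Constructed sample: PLC-01 with an approved firmware update, an
    unapproved logic change and one unknown network peer."""
    baseline = DeviceBaseline(
        device_id="PLC-01",
        expected={"firmware_version": "2.14", "logic_hash": "abc123",
                  "safety_system_mode": "run", "cycle_time_ms": 10},
        allowed_peers={"10.0.5.10", "10.0.5.11"},
        approved_changes={"firmware_version"},
    )
    snapshot = {"firmware_version": "2.15", "logic_hash": "def456",
                "safety_system_mode": "run", "cycle_time_ms": 10,
                "peers": ["10.0.5.10", "10.0.5.99"]}
    return check_snapshot(baseline, snapshot)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.device_id} {f.field_name}: {f.baseline_value} -> {f.observed_value} "
              f"[{f.severity}] => {response_action(f)}")
```

The firmware change produces no finding because a change ticket covers it, while the altered logic hash and the unknown peer do; the response chosen for each is deliberately the least disruptive one for the running process, which is the point the paragraph makes about keeping response actions safe.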

With this dual focus on security and operations, the shackles of compromise are broken, and the internal three-way struggle is no longer an anchor holding back forward velocity. Move on from the “this is how we’ve always done it” limitations of IT security thinking and take back control of your operation’s evolution.

Contact TXOne Networks to learn more about CPSDR and how an OT security specialist can support your operation.