Is OT Cybersecurity Better Bolted-On or Designed-In?
Power grid outages driven by malware, dam control system attacks, vehicle onboard system hijacking: recent incidents like these show how critical cybersecurity has become in connected operational technology. But if you think OT is “just IT in an industrial environment,” then think again. The worlds of operational technology and information technology are fundamentally different.
A cybersecurity solution in business IT, often requiring the use of active components and intrusive techniques, may be highly unsuitable for industrial systems and networks. Not only will it fail to recognize specific industrial protocols and interactions, but it can also upset delicate timing mechanisms that are essential for safe industrial operations.
Yet in OT, as in IT, cyberattack prevention is better than cure. Designing cybersecurity in beforehand, instead of trying to bolt it on as an afterthought, is not only more effective, but also less expensive. Accordingly, cyber protection is making its way into OT project lifecycles earlier. New projects offer the chance to specify cybersecurity from the start, even before any software or hardware development occurs.
At the same time, the challenge remains for bringing existing OT devices and installations under the cyber protection umbrella. The term “legacy equipment” in industrial systems and networks extends to setups that sometimes look prehistoric compared to the standard three-year renewal cycle that many business IT departments use.
Two Different Worlds of OT and IT
The OT/IT difference goes way back. Operational technology teams battled with demanding industrial environments and complex combinations of sensors, controllers, and actuators. Business IT engineers grappled with finance, pay, HR, marketing, and sales. While IT evolved with database management and procedural programming languages, OT developed industrial control systems (ICSs) like SCADA (Supervisory Control and Data Acquisition) to operate field devices, production machines, and turbines, among others. Historically, SCADA was used for systems covering long distances, such as power, water, and gas distribution – infrastructure that is designed to last for decades.
Consequently, the installed base of industrial equipment is very large and in some cases very old. OT cybersecurity must play catchup, but without interfering with operations. Visibility is a key issue. Devices can only be protected from attacks if they can be seen by the cybersecurity management system. If standard business IT security procedures were then followed, actions and interactions would be captured from the devices for analysis and identification of suspicious transmissions. Software, firmware, and hardware would be systematically updated to the latest versions. Vendor patches would be applied directly they were available. But OT, as we have already remarked, is not IT.
Why Standard IT Security Does Not Work for OT
There are two fundamental differences between OT and IT that mean that conventional IT security approaches are often unsuitable or unavailable for the OT environment. First, OT and its industrial protocols come from a world in which network connections with the outside have been the exception. Physical “air gap” isolation was often held to be enough for protection. Until recently, speed and reliability have been the priorities rather than security. OT installations may lack the security tools and even the monitoring interfaces that business IT takes for granted.
Second, OT also has a longstanding culture of “If it ain’t broke, don’t fix it.” Installation complexity, timing constraints, and fragile compatibility between components have taught OT teams that they meddle at their peril. This includes putting extra loads on devices to get them to log and report events, or attempting to patch OT software and systems that may have been deployed 10 or 15 years ago without any updates applied since then.
The Drive to Now Connect Industrial Equipment
The industrial world measures its performance with metrics like productivity, time to value, and availability. In other words, machines and devices must maximize their useful output (productivity). The output must balance out initial investments and expenses as quickly as possible (time to value). Finally, downtime whether scheduled or unscheduled must be minimal, preferably zero (availability). When you consider the huge financial outlays required to build or acquire wind turbines or locomotives, it rapidly becomes clear why these metrics are so important.
With the rise of the Internet and digital connectivity, the OT world has seen the potential for enhancing performance across all the metrics above. Improvement comes from collecting and analyzing more data from industrial machines and infrastructure, adjusting operations in real time, and even predicting maintenance requirements before breakdown happens. Also, by enhancing the agility of their systems, OT teams can better respond to the business objectives of their organization. Examples of such objectives might be customized manufacturing to meet individual customer demands, or street light networks that save money by only switching on when passers-by or vehicles are detected.
The Internet of Things (IoT) and more specifically the “Industrial Internet of Things” (IIoT) are two recent developments to help industrial operators connect their equipment to faster, more flexible, more responsive control systems. Industrial data analytics and microservice platforms then expand the possibilities for immediately reacting to external changes and reconfiguring installations. However, as remote field devices and industrial control systems are now increasingly connected to IT infrastructures, the soft security underbelly of legacy OT is being exposed too.
Cybersecurity Bolt-On and Design-In Issues and Challenges
Whether OT cybersecurity is designed into systems before they are built or added afterwards, OT teams will have to face challenges.
The disadvantages of bolt-on solutions include the expense of retrofitting industrial installations with additional hardware or software. In addition, there is the risk of upsetting systems that so far may have worked without problems. Bolt-on solutions may also be applied unevenly, if only because of the total time required to upgrade entire fleets of trucks or thousands of distribution valves in pipeline networks. If any of those installations is done incorrectly or if post-installation testing of OT security is not thorough enough, attackers may be able to exploit vulnerabilities that remain.
The challenges of designing cybersecurity into OT systems include getting the design teams to put security on the agenda from the start. They must also test cybersecurity at the different stages of development, just as they test functionality and interoperability. Remember that cybersecurity is a relatively recent idea in the OT world, compared to business IT that has been battling with hackers and attackers for donkey’s years.
Cybersecurity via Software Defined Networking
If cybersecurity cannot be designed into existing industrial devices and equipment (or even if new projects fail to build in cybersecurity properly), it can still be built into the networks that connect them. The network technology can be chosen to facilitate security, with the flexibility to adapt to new requirements and devices. Software defined networking (SDN) offers these advantages by providing centralized software control above the hardware level of industrial Ethernet switches and other network components. The entire network infrastructure can then be managed, segmented, and secured from one location, according to the devices attached to it and the protection required.
Visibility and Security via the Network, without a Forklift
Even with the praiseworthy goal of improved cybersecurity, forklift upgrades (also known as “rip and replace” upgrades) are often best avoided. As long as SDN-compatible network devices are used, Veracity’s Industrial SDN™ allows existing network topologies and cabling to be leveraged, while providing:
- Visibility of industrial devices by automatically discovering and tracking them, their role, their device type, and their industrial networking protocols over the network.
- Ability to segment the network at will to ensure different industrial devices get the performance and protection they need.
- Reduction of the attack surface for greater resiliency in a “secure by default” network.
- Detection and alerting of cyber events, with a centralized platform to plan and execute responses to attacks, including forensic investigation and recovery.
Embedding OT Cybersecurity at All Levels for the Future
OT connectivity will continue to grow in volume and importance, especially now that leading industrial equipment vendors have shown the way. The floodgates to business advantage through connected industrial installations have been opened permanently. OT teams will therefore need to factor OT cybersecurity into their daily and strategic activities. In parallel, their IT colleagues may have a learning curve to better understand why OT and IT are still such different environments.
Cybersecurity governance, awareness campaigns and data protection policies can set the example top-down, and ensure that cyber protection is always on the agenda for new OT projects. Meanwhile, spanning both new and legacy installations, software defined networking can provide everyday cybersecurity in production through SDN-compatible switches, monitors, and analyzers. Without having to add new software or hardware to legacy systems, an SDN solution can even protect systems that are no longer supported by their original vendors, helping to keep OT secure at all levels.
This article was written by Paul Myer, the Chief Executive Officer at Veracity Industrial Networks, Inc. Mr. Myer is a technology industry veteran who has held management positions with leading technology companies, including NEC Technologies and Compaq Computer Corporation.