Where hardware meets software, attackers can sneak in. Threat actors are increasingly targeting Industrial Control Systems (ICS) and Operational Technology (OT). IBM X-Force found that the number of attacks against those types of assets increased by over 2,000% between 2018 and 2019, with the volume of ICS and OT attacks in 2019 eclipsing the total for the preceding three years combined. Many of those IT-OT attacks involved password spraying. Others exploited known vulnerabilities in Supervisory Control and Data Acquisition (SCADA) and other ICS/OT assets.

How the IT-OT Convergence Contributes

This is partly a result of the ongoing convergence between OT and information technology (IT).

For years, most organizations kept these two teams separate. IT and OT teams worked in their own respective silos. IT workers came to understand the need for access controls, encryption and other security basics in order to defend the enterprise against an emerging array of web-based threats. Meanwhile, OT workers sought to keep their SCADA systems, ICS and other industrial assets running in the name of public safety and national security. Those OT systems were never meant to be reachable from the internet, and the OT team's job was simply to make sure the devices continued to function properly.

Side Effects of Digital Growth

Things changed for many organizations when they launched their respective digital transformations. Along the way, they realized that they could improve their industrial processes by bringing their IT and OT devices together. By introducing web-connected sensors, monitors and other Industrial Internet of Things (IIoT) devices into their OT landscapes, for instance, they reasoned that they could gain real-time insight into their industrial assets. They could then use that insight to perform preventive maintenance and minimize downtime, thus improving the uptime of their OT assets.

The issue is that most OT systems were never built to withstand modern digital threats. Many are decades-old systems that cannot receive updates remotely, often because they do not support the protocols needed to connect over the web in the first place. Some support an on-site update process; even then, you still need to schedule a team to arrive on site, take the asset offline for a short time, apply the fix and bring it back up, a process that costs time and money. Others are so-called 'legacy' systems that, due to their age, no longer have any viable means of receiving updates at all.

And the IT-OT convergence risks exposing those at-risk OT systems to the internet. Such connections give malicious actors all they need to attempt brute-force or password-spraying logins against them, or to exploit a known vulnerability in their software. In some cases, threat actors could disrupt a victim's industrial processes. That in turn could threaten public safety and/or national security if the organization operates in a Critical National Infrastructure (CNI) sector such as oil and gas, electricity, transportation or healthcare.
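The two login attacks named above leave different fingerprints in a gateway's authentication log: a password spray touches many accounts with one or two guesses each, while a classic brute force hammers one account. The following Python is an added example, not code from the article or from IBM; the log format, the field names and the addresses are constructed for the example, and the thresholds are assumptions you would tune for your own remote-access gateway.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical remote-access gateway in front of
# an OT network. These lines are made up for the example, not taken from any
# real system or from the article.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z src=203.0.113.5 user=operator result=FAIL
2020-06-01T10:00:03Z src=203.0.113.5 user=engineer result=FAIL
2020-06-01T10:00:05Z src=203.0.113.5 user=admin result=FAIL
2020-06-01T10:00:07Z src=203.0.113.5 user=scada result=FAIL
2020-06-01T10:00:09Z src=203.0.113.5 user=maint result=FAIL
2020-06-01T10:00:11Z src=203.0.113.5 user=hmi result=SUCCESS
2020-06-01T10:05:00Z src=198.51.100.7 user=operator result=FAIL
2020-06-01T10:05:01Z src=198.51.100.7 user=operator result=FAIL
2020-06-01T10:05:02Z src=198.51.100.7 user=operator result=FAIL
2020-06-01T10:05:03Z src=198.51.100.7 user=operator result=FAIL
2020-06-01T10:05:04Z src=198.51.100.7 user=operator result=FAIL
2020-06-01T10:05:05Z src=198.51.100.7 user=operator result=FAIL
2020-06-01T11:00:00Z src=192.0.2.10 user=operator result=FAIL
2020-06-01T11:00:30Z src=192.0.2.10 user=operator result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse(log_text):
    """Return (timestamp, src_ip, user, result) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def _failures_by_source(events):
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    return fails


def _windows(fails, window):
    """Yield, for each failure, the failures within `window` of it (sliding window)."""
    for i, (start, _) in enumerate(fails):
        yield [(ts, u) for ts, u in fails[i:] if ts - start <= window]


def find_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Password spraying: one source, many accounts, few attempts per account.

    Also records which accounts the same source later logged into successfully;
    a spray followed by a success is the compromise, not just the attempt.
    """
    findings = []
    for src, fails in _failures_by_source(events).items():
        for chunk in _windows(fails, window):
            per_user = defaultdict(int)
            for _, user in chunk:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                first = chunk[0][0]
                success_after = sorted({u for ts, s, u, r in events
                                        if s == src and r == "SUCCESS" and ts >= first})
                findings.append({"src": src, "kind": "spray",
                                 "users": sorted(per_user), "success_after": success_after})
                break  # one finding per source is enough
    return findings


def find_bruteforce(events, window=timedelta(minutes=10), min_fails=5):
    """Classic brute force: one source repeatedly failing against a single account."""
    findings = []
    for src, fails in _failures_by_source(events).items():
        for chunk in _windows(fails, window):
            per_user = defaultdict(int)
            for _, user in chunk:
                per_user[user] += 1
            user, n = max(per_user.items(), key=lambda kv: kv[1])
            if n >= min_fails:
                findings.append({"src": src, "kind": "bruteforce", "user": user, "fails": n})
                break
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for finding in find_spray(evs) + find_bruteforce(evs):
        print(finding)
```

The per-account lockout that stops the brute force from 198.51.100.7 does nothing against the spray from 203.0.113.5, which never trips a lockout threshold on any single account; that is why the spray detector keys on the number of distinct accounts per source, and why it reports the later successful login from the same source as the thing to act on first.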

A Critical Security Juncture

Organizations that have embraced the IT-OT convergence find themselves at a critical juncture. They know that digital attackers have them in their sights. Over half (51%) of U.S. industrial enterprises surveyed by Claroty, for example, said they were more of a target in 2020 than in previous years, and two-thirds of respondents said they had seen digital criminals use new techniques against them.

But they can only do so much while a cultural divide separates their IT and OT teams. Professionals on both sides are used to working in their own silo, so they may have no frame of reference for where the other side is coming from: what its security priorities are, or what it needs in order to secure its assets. Without that understanding, an organization cannot use the IT-OT convergence to align its defenses across all of its systems.

Teamwork as a People Problem

To foster teamwork between IT and OT, first focus on the people aspect of your security program: help the two teams understand one another. A useful model is another team-building exercise from the tech world, that of bringing developers and operations personnel together into DevOps (and, later, bringing security teams into the fold as DevSecOps).

Following that example, the first step is to create transparency between IT and OT so that each team learns the other's priorities and concerns. A good way to start is to hold a meeting, or a series of meetings, with members of both teams. During those meetings, encourage members to share their roles, priorities and day-to-day work with one another. Facilitators can also frame the discussion around the security goal both teams share, avoiding a security incident, to emphasize the duties IT and OT have in common.

You can then use further meetings as a foundation on which to build ongoing IT-OT teamwork. This is a process, so heed the advice of DEVOPSdigest and start small. For instance, begin with a pilot program involving a few people in a limited setting; a single sensor deployment for one industrial process can be enough to get things started. Meet with those members to find out what is working and what is not, then enshrine what they have learned in formal policies and processes. With time, those can extend to all of your security staff and environments.

A Collaborative Approach to IT-OT Security

Once your teams are working together, you can focus on using that connection to advance the organization's overall security posture. That could mean implementing network segmentation that reflects the organization's actual data transaction flows, which limits the potential for OT security risks without breaking the processes that legitimately cross the IT-OT boundary. Or it could mean using IT's tooling and expertise to harden OT assets more broadly against digital threats. Whatever the use case, it all starts from the same place: a shared conviction among IT and OT that securing their assets is the core of their work.
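Segmentation "that reflects the data transaction flows" means the allow-list is written down as the conduits both teams have agreed the process actually needs, and everything else is denied. The following Python is an added example, not code from the article or from IBM: the zone addressing, the conduit list and the observed flows are all constructed, loosely following a Purdue-style enterprise/DMZ/control split, and the script audits a set of observed flows against that policy.

```python
import ipaddress

# Assumed addressing for a small site (constructed for this example, not from
# the article): IT zone, a DMZ for historian and jump host, and the control zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),   # offices, directory, mail
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),   # historian, jump host, log collector
    "control":    ipaddress.ip_network("10.3.0.0/24"),   # HMIs and PLCs
}

# Conduits the IT and OT teams have signed off on, derived from the real
# transaction flows: (src_zone, dst_zone, dst_port, proto). Anything else is
# denied, including the enterprise zone talking to controllers directly.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz", 443, "tcp"),   # engineers use the historian web UI
    ("enterprise", "dmz", 22, "tcp"),    # SSH to the jump host only
    ("dmz", "control", 502, "tcp"),      # historian polls PLCs over Modbus/TCP
    ("control", "control", 502, "tcp"),  # HMI <-> PLC inside the cell
    ("control", "dmz", 514, "udp"),      # PLC/HMI syslog to the DMZ collector
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def classify(flow):
    """Return (verdict, reason) for one observed flow dict."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    key = (src_zone, dst_zone, flow["dport"], flow["proto"])
    if "external" in (src_zone, dst_zone):
        return "deny", f"{src_zone}->{dst_zone}: unmapped or external address in an OT-facing flow"
    if key in ALLOWED_CONDUITS:
        return "allow", f"matches conduit {key}"
    if src_zone == "control" and dst_zone == "enterprise":
        # The control zone never initiates toward IT in a well-segmented site;
        # this direction is a compromise indicator, not a missing rule.
        return "deny", "OT initiating to IT is never expected; treat as compromise indicator"
    return "deny", f"no conduit for {key}"


def audit(flows):
    """Return the flows that violate the segmentation policy, with a reason attached."""
    violations = []
    for flow in flows:
        verdict, reason = classify(flow)
        if verdict == "deny":
            violations.append(dict(flow, reason=reason))
    return violations


# Constructed sample of observed flows, as you might export from a firewall log.
SAMPLE_FLOWS = [
    {"src": "10.1.5.20",   "dst": "10.2.0.10", "dport": 443, "proto": "tcp"},
    {"src": "10.2.0.10",   "dst": "10.3.0.50", "dport": 502, "proto": "tcp"},
    {"src": "10.3.0.40",   "dst": "10.3.0.50", "dport": 502, "proto": "tcp"},
    {"src": "10.1.5.20",   "dst": "10.3.0.50", "dport": 502, "proto": "tcp"},  # IT straight to a PLC
    {"src": "203.0.113.5", "dst": "10.2.0.10", "dport": 22,  "proto": "tcp"},  # internet to jump host
    {"src": "10.3.0.50",   "dst": "10.1.5.20", "dport": 445, "proto": "tcp"},  # PLC zone reaching IT
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f'{v["src"]} -> {v["dst"]}:{v["dport"]}/{v["proto"]}  {v["reason"]}')
```

Run against real flow exports, the "no conduit" verdicts are where the two teams earn their keep: each one is either a legitimate process flow that belongs in the agreed conduit list, or something to block, and deciding which requires both the OT view of the process and the IT view of the risk.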
