Where hardware meets software, attackers can sneak in. Threat actors are increasingly targeting Industrial Control Systems (ICS) and Operational Technology (OT). IBM X-Force found that the number of attacks against these kinds of assets increased by over 2,000% between 2018 and 2019, and that the number of ICS and OT attacks in 2019 alone eclipsed the total volume of attacks for the preceding three years combined. Many of those IT-OT attacks involved password spraying. Others involved the exploitation of known vulnerabilities affecting Supervisory Control and Data Acquisition (SCADA) and ICS OT assets.

How the IT-OT Convergence Contributes

This rise is partly due to the ongoing convergence between OT and information technology (IT).

For years, most entities kept these two teams separate. IT and OT teams worked in their own respective silos. IT workers came to understand the need for access controls, encryption and other security basics in order to defend the enterprise against an emerging array of web-based threats. Meanwhile, OT workers sought to keep their SCADA systems, ICS and other industrial assets running in the name of public safety and national security. There was no need to expose those OT systems to the web. They just needed to make sure those devices continued to function properly.

Side Effects of Digital Growth

Things changed for many entities when they launched into their respective digital transformations. Along the way, they realized that they could improve their industrial processes by bringing their IT and OT devices together. By introducing web-connected sensors, monitors and other Industrial Internet of Things (IIoT) devices into their OT landscapes, for instance, they reasoned that they could gain real-time insight into their industrial assets. They could then use that insight to perform preventative maintenance and minimize downtime, thus improving the uptime of their OT assets.

The issue is that OT systems today lack the features needed to withstand modern digital threats. Many of these assets are decades-old systems that can’t receive updates remotely. (That’s because they might not support the protocols needed to connect over the web in the first place.) Some might support an on-site update process; in that scenario, you still need to schedule a time for a team to arrive on-site, take the asset offline for a short time, implement the fix and bring it back up — a process that costs time and money. Others are so-called ‘legacy’ systems that, due to their advanced age, no longer have any viable means of receiving updates.

The IT-OT convergence also risks exposing these vulnerable OT systems to the web. Such connections give malicious actors all they need to attempt a brute-force login or exploit a flaw in the software. In some cases, those threat actors could undermine a victim’s industrial processes. In turn, that could threaten public safety and/or national security if the organization works in a Critical National Infrastructure (CNI) sector such as oil and gas, electric, transportation or medical.
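The two attack patterns the article names, password spraying (one source trying a few passwords against many accounts) and classic brute force (one source hammering a single account), leave distinct traces in authentication logs. The following detection logic is an added example and is not code from the original article or from IBM; the log format of the hypothetical "hmi-gw01" gateway, the sample lines, the IP addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical gateway format (not any real product's).
# 203.0.113.7 fails once against six different accounts: the password-spray pattern.
# 198.51.100.9 fails eight times against one account: the brute-force pattern.
# 192.0.2.5 is a benign operator who mistypes twice and then logs in.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z hmi-gw01 auth: FAILED login user=operator1 src=203.0.113.7
2024-03-01T08:00:03Z hmi-gw01 auth: FAILED login user=operator2 src=203.0.113.7
2024-03-01T08:00:05Z hmi-gw01 auth: FAILED login user=engineer src=203.0.113.7
2024-03-01T08:00:07Z hmi-gw01 auth: FAILED login user=maint src=203.0.113.7
2024-03-01T08:00:09Z hmi-gw01 auth: FAILED login user=admin src=203.0.113.7
2024-03-01T08:00:11Z hmi-gw01 auth: FAILED login user=vendor src=203.0.113.7
2024-03-01T08:01:00Z hmi-gw01 heartbeat: plc-line3 ok
2024-03-01T08:02:10Z hmi-gw01 auth: FAILED login user=operator1 src=192.0.2.5
2024-03-01T08:02:20Z hmi-gw01 auth: OK login user=operator1 src=192.0.2.5
2024-03-01T08:05:00Z hmi-gw01 auth: FAILED login user=engineer src=198.51.100.9
2024-03-01T08:05:01Z hmi-gw01 auth: FAILED login user=engineer src=198.51.100.9
2024-03-01T08:05:02Z hmi-gw01 auth: FAILED login user=engineer src=198.51.100.9
2024-03-01T08:05:03Z hmi-gw01 auth: FAILED login user=engineer src=198.51.100.9
2024-03-01T08:05:04Z hmi-gw01 auth: FAILED login user=engineer src=198.51.100.9
2024-03-01T08:05:05Z hmi-gw01 auth: FAILED login user=engineer src=198.51.100.9
2024-03-01T08:05:06Z hmi-gw01 auth: FAILED login user=engineer src=198.51.100.9
2024-03-01T08:05:07Z hmi-gw01 auth: FAILED login user=engineer src=198.51.100.9
"""

# Only authentication lines are of interest; everything else (heartbeats etc.) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for an auth line, or None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def parse_log(text):
    """Parse all lines, drop non-auth lines, and sort by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def _failures_by(events, key):
    groups = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            groups[key(e)].append(e)
    return groups


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Sources whose failed logins hit >= min_users distinct accounts inside a sliding window."""
    alerts = {}
    for src, fails in _failures_by(events, lambda e: e["src"]).items():
        q = deque()
        for e in fails:
            q.append(e)
            while e["ts"] - q[0]["ts"] > window:  # slide the window forward
                q.popleft()
            users = {x["user"] for x in q}
            if len(users) >= min_users and len(users) > alerts.get(src, {}).get("distinct_users", 0):
                alerts[src] = {"distinct_users": len(users), "failures": len(q),
                               "first": q[0]["ts"], "last": e["ts"]}
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=8):
    """(src, user) pairs with >= min_failures failed logins inside a sliding window."""
    alerts = {}
    for pair, fails in _failures_by(events, lambda e: (e["src"], e["user"])).items():
        q = deque()
        for e in fails:
            q.append(e)
            while e["ts"] - q[0]["ts"] > window:
                q.popleft()
            if len(q) >= min_failures:
                alerts[pair] = max(len(q), alerts.get(pair, 0))
    return alerts


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for src, a in detect_password_spray(EVENTS).items():
        print(f"spray from {src}: {a['distinct_users']} accounts, {a['failures']} failures")
    for (src, user), n in detect_brute_force(EVENTS).items():
        print(f"brute force from {src} against {user}: {n} failures")
```

Note the two detectors disagree on purpose: the spraying source never trips the brute-force rule (one failure per account), and the brute-force source never trips the spray rule (one account). A real deployment would tune the window and thresholds to the site's login volume and lengthen the window for "low and slow" sprays that spread attempts over hours, which is exactly the case where a per-account lockout policy alone gives no signal.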

A Critical Security Juncture

Entities that have embraced the IT-OT convergence find themselves at a critical juncture. They realize that digital attackers have them within their sights. For example, over half (51%) of U.S. industrial enterprises told Claroty that they were more of a target in 2020 than in previous years. Two-thirds of survey respondents said they had witnessed digital criminals using new techniques to target them.

But they can only do so much while a cultural divide separates their IT and OT teams. Professionals on both sides are used to working in their own silos, so they may have no frame of reference for where the other side is coming from. They may not know what the other team’s security priorities are or what it needs to secure its assets. Without that understanding, an organization can’t use the IT-OT convergence to align its defenses across all of its systems.

Teamwork as a People Problem

To foster teamwork between IT and OT, organizations should first focus on the people aspect of their security programs. They need to help their two teams understand one another, and they can look to another example of team-building in the tech space: that of bringing developers and operations personnel together into DevOps (or of bringing DevOps together with defense teams into DevSecOps).

Following those examples, the first step is to create transparency between IT and OT so that each side learns about the other’s priorities and concerns. A good way to start is to hold a meeting, or a series of meetings, with members of both teams. During those meetings, encourage members to share their roles, priorities and work with one another. Facilitators can also lead talks that use the common security goal — avoiding a security incident — to emphasize the duties shared by IT and OT.

You can then use further meetings as a foundation on which to build ongoing IT-OT teamwork. This is a process, so heed the advice of DEVOPSdigest and start small. For instance, begin with a pilot program involving a few people in a limited setting; a single sensor deployment for one industrial process could serve as the starting point. Then meet with those members to find out what’s working and what’s not. From there, enshrine what has been learned in formal policies and processes, which can in time apply to all of the organization’s security employees and environments.

A Collaborative Approach to IT-OT Security

Once your teams are working together, you can focus on how to use that connection to advance your security posture overall. This could mean implementing network segmentation that reflects the organization’s data transaction flows while reducing the potential for OT security risks. Or it could mean using the resources of IT to harden OT assets more broadly against digital threats. Whatever the use case, it all starts from the same place: a shared mindset by IT and OT that securing their assets is the core of their work.
