Operational technology (OT) encompasses many aspects of our world, including industrial control systems (ICS) that are used to control core operational processes. ICS technologies often control essential services such as water and power supply and are also used to monitor these services to prevent hazardous conditions. Manipulation of these systems and processes could have extreme impacts on the end users of these services as well as workers within operational environments. Therefore, the security of OT environments and ICS technologies should be a top priority for organizations.
However, securing OT environments, assessing them to determine remediation plans and strategies, and gaining visibility into them is challenging and requires different approaches than traditional IT environments. OT cybersecurity incidents have also increased dramatically in recent years: According to the 2020 IBM X-Force Threat Intelligence Index, there was a 2,000 percent increase year-over-year. This, coupled with a lack of combined IT/OT visibility into OT environments, means security issues can happen without anyone knowing, resulting in catastrophic damage to the business in some cases.
Thus, the question that security leaders are increasingly asking is “Why do my security team and security operations center (SOC) only have visibility into our IT environment and not our OT environment?” Let’s discuss how visibility into the OT environment can be accomplished through the synergies of a combined OT/IT security operations center.
Defining Operational Technology and Industrial Process Automation
Let’s start from the beginning and define operational technology and industrial process automation. There are many confusing definitions for OT, but the key to providing a full understanding is to first define an industrial process.
A process in this context refers to a specific automated industrial process, which may encompass many other sub-processes. For example, our drinking water is made safe by a process known as chlorination, which involves adding chlorine or chlorine compounds such as sodium hypochlorite to water. This process is automated by various ICS that control the specific amounts of chlorine that are added to water and the validation process to ensure that the water is safe for consumption.
Using this example, OT refers to the entire environment that is used to run the industrial environment, automation and control systems for the production of safe drinking water. The OT environment includes the ICS and IT systems, such as routers, switches, network cabling/wireless and computers. Very simply, it is the complete environment.
The Convergence of OT and IT Security
The integration of OT and IT security processes has created new synergies not previously realized. The connectivity of OT devices allows better visibility into critical processes but also creates a complex security landscape where there is no longer a single perimeter. OT-specific intrusion detection systems (IDS) can extend visibility beyond the already defined “signals list” via deep packet inspection, signatures, protocol analysis, anomaly detection and machine learning. Now, programmable logic controllers (PLCs) and sensor manipulation are new attack vectors for malicious intent.
Cybersecurity Challenges in OT Environments Are Similar to Those in IT
Surprisingly, security challenges in OT environments are very similar to those in IT environments but with added industrial impacts. Just like IT, OT environment challenges include unauthorized access, passwords, remote access, malware and patching.
For example, malware engineered to change water chlorination levels within an OT environment is not that different from a distributed denial-of-service (DDoS) attack on a bank. Both have serious consequences, but the attack in the OT environment also has human life and safety impacts.
Building a Combined OT/IT SOC
Most companies do not need a dedicated OT SOC or a separate security team for their OT environments. This is usually the domain of the critical infrastructure sector, such as large electricity or water utilities, nuclear, transportation and other companies that have a specific need for separate visibility into their OT environments.
Thus, the majority of corporations will find synergy and efficiency in combining their OT SOC into their IT SOC. Equally important is gaining visibility into IT security incidents that occur in OT environments.
Attaining visibility into an operational technology environment can be accomplished by the following:
- Direct messages from the process automation technology provider, for example an industrial automation company sending OT security events directly to your security information and event management (SIEM) solution.
- Forwarding logs from IT equipment in OT environments, for example logs from firewalls, routers, switches, servers, domain controllers, Active Directory and so on. This is possible today; however, it requires an elaborate design to safely forward logs to a SIEM.
- An industrial IDS placed within or outside the OT environment and fed by a non-intrusive switched port analyzer (SPAN) port. Inline deployment is also possible, where, like an intrusion prevention system (IPS), the device can block communication. However, given the criticality of OT environments, the non-intrusive approach is generally preferred.
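As an added example (not from the original post or from IBM's services), here is the kind of correlation a combined OT/IT SOC can run once the sources above land in the same SIEM: an OT IDS record of a write to the chlorine dosing set-point is checked against an assumed site policy and enriched with VPN and domain-controller logons for the same host. Every log line, host, tag name and threshold is constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original page or any real system).
# The OT IDS records Modbus writes to the chlorine dosing set-point on a PLC;
# the IT logs come from the VPN gateway and domain controller in the OT network.
OT_EVENTS = [
    "2024-05-01T02:14:07Z ot-ids src=10.20.5.41 dst=10.20.1.10 proto=modbus "
    "func=write_register tag=cl2_dose_setpoint old=1.2 new=4.8",
    "2024-05-01T09:30:12Z ot-ids src=10.20.5.20 dst=10.20.1.10 proto=modbus "
    "func=write_register tag=cl2_dose_setpoint old=1.2 new=1.3",
]
IT_EVENTS = [
    "2024-05-01T02:11:55Z vpn-gw event=login user=contractor7 assigned_ip=10.20.5.41",
    "2024-05-01T09:29:40Z dc01 event=logon_success user=ops_eng1 workstation=10.20.5.20",
]
# Assumed site policy: approved engineering workstations and the safe operating
# range (mg/L) for the dosing set-point. Values are constructed placeholders.
APPROVED_WRITERS = {"10.20.5.20"}
SAFE_RANGE = {"cl2_dose_setpoint": (0.5, 4.0)}
REMOTE_WINDOW = timedelta(hours=1)   # how recent an IT logon must be to enrich an OT event

def parse(line):
    """Split '<ts> <host> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = host
    return fields

def correlate(ot_lines, it_lines):
    """Return alerts for set-point writes that violate policy, enriched with
    the user identity the IT logs associate with the writing host."""
    it = [parse(l) for l in it_lines]
    alerts = []
    for ev in (parse(l) for l in ot_lines):
        if ev.get("func") != "write_register":
            continue
        tag, new = ev["tag"], float(ev["new"])
        reasons = []
        lo, hi = SAFE_RANGE.get(tag, (float("-inf"), float("inf")))
        if not lo <= new <= hi:
            reasons.append("value_outside_safe_range")
        if ev["src"] not in APPROVED_WRITERS:
            reasons.append("unapproved_source_host")
        user = None
        for e in it:  # identity context: recent logon mapped to the source IP
            ip = e.get("assigned_ip") or e.get("workstation")
            if ip == ev["src"] and timedelta(0) <= ev["ts"] - e["ts"] <= REMOTE_WINDOW:
                user = e["user"]
                if e["event"] == "login":  # VPN session, i.e. remote access
                    reasons.append("recent_remote_access_session")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "tag": tag, "new": new,
                           "src": ev["src"], "user": user, "reasons": reasons})
    return alerts
```

The routine write from the approved workstation produces no alert, while the out-of-range write from a host holding a fresh VPN session is flagged with the contractor account attached, which is the IT context an OT-only view would lack.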
Organizations that do not need a fully dedicated OT SOC should integrate OT security operations with IT operations. To manage the threat life cycle within these environments, security teams should adopt a comprehensive threat management program that can provide proactive, managed and response services for threats specific to OT environments.
IBM offers X-Force Threat Management for OT services to help organizations discover, manage and respond to threats from managed and unmanaged devices across their environments. To learn more, register for the May 18 webinar.
CTO & Partner of MEA Security Practice, IBM