Operational technology (OT) encompasses many aspects of our world, including industrial control systems (ICS) that are used to control core operational processes. ICS technologies often control essential services such as water and power supply and are also used to monitor these services to prevent hazardous conditions. Manipulation of these systems and processes could have extreme impacts on the end users of these services as well as workers within operational environments. Therefore, the security of OT environments and ICS technologies should be a top priority for organizations.

However, securing OT environments, assessing them to determine remediation plans and strategies, and gaining visibility into them is challenging and requires different approaches than traditional IT environments. OT cybersecurity incidents have also increased dramatically in recent years: According to the 2020 IBM X-Force Threat Intelligence Index, there was a 2,000 percent increase year-over-year. This, coupled with a lack of combined IT/OT visibility into OT environments, means security issues can happen without anyone knowing, resulting in catastrophic damage to the business in some cases.

Thus, the question that security leaders are increasingly asking is “Why do my security team and security operations center (SOC) only have visibility into our IT environment and not our OT environment?” Let’s discuss how visibility into the OT environment can be accomplished through the synergies of a combined OT/IT security operations center.

Defining Operational Technology and Industrial Process Automation

Let’s start from the beginning and define operational technology and industrial process automation. There are many confusing definitions for OT, but the key to providing a full understanding is to first define an industrial process.

A process in this context refers to a specific automated industrial process, which may encompass many other sub-processes. For example, our drinking water is made safe by a process known as chlorination, which involves adding chlorine or chlorine compounds such as sodium hypochlorite to water. This process is automated by various ICS that control the specific amounts of chlorine that are added to water and the validation process to ensure that the water is safe for consumption.

Using this example, OT refers to the entire environment that is used to run the industrial environment, automation and control systems for the production of safe drinking water. The OT environment includes the ICS and IT systems, such as routers, switches, network cabling/wireless and computers. Very simply, it is the complete environment.

The Convergence of OT and IT Security

The integration of OT and IT security processes has created new synergies not previously realized. The connectivity of OT devices allows better visibility into critical processes but also creates a complex security landscape where there is no longer a single perimeter. OT-specific intrusion detection systems (IDS) can extend visibility beyond the already defined “signals list” via deep packet inspection, signatures, protocol analysis, anomaly detection and machine learning. Now, programmable logic controllers (PLCs) and sensor manipulation are new attack vectors for malicious intent.

Cybersecurity Challenges in OT Environments Are Similar to Those in IT

Surprisingly, security challenges in OT environments are very similar to those in IT environments but with added industrial impacts. Just like IT, OT environment challenges include unauthorized access, passwords, remote access, malware and patching.

For example, malware engineered to change water chlorination levels within an OT environment is not that different from a distributed denial-of-service (DDoS) attack on a bank. Both have serious consequences, but the attack in the OT environment also has human life and safety impacts.

Building a Combined OT/IT SOC

Most companies do not have the need for a dedicated OT SOC or a separate security team for their OT environments. This is usually the domain of the critical infrastructure sector, such as large electricity or water utilities, nuclear, transportation and other companies that have a specific need for separate visibility into these OT environments.

Thus, the majority of corporations will find synergy and efficiency in combining their OT SOC into their IT SOC. Equally important is gaining visibility into IT security incidents that occur in OT environments.

Attaining visibility into an operational technology environment can be accomplished by the following:

  1. Direct messages from the process automation technology provider. For example, an industrial automation company sending OT security events directly to your specific security information and event management (SIEM) solution.
  2. Forwarding logs from IT equipment in OT environments to gain visibility. For example, logs from firewalls, routers, switches, servers, domain controllers, Active Directory and so on. This is possible today; however, it requires an elaborate design to safely forward logs to a SIEM.
  3. An industrial IDS placed within or outside the OT environment by means of a non-intrusive switch port analyzer (SPAN). Inline approaches are possible where, similar to an intrusion prevention system (IPS), it can stop communication. However, in general, given the criticality of OT environments, the non-intrusive approach is preferred.
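The following is an added illustration, not code from the original article or from any IBM product, of how a combined OT/IT SOC can join the second and third sources above: syslog forwarded from an IT firewall in the OT zone and alerts from a passive, SPAN-fed industrial IDS. The log lines, host names, the PLC asset name, the engineering-workstation allowlist and the safe chlorine dosing band are all constructed assumptions for the example.

```python
import re

# Constructed sample events (not real logs). First list: syslog forwarded from an IT
# firewall in the OT zone. Second list: alerts from a passive, SPAN-fed industrial IDS.
FIREWALL_LOGS = [
    "2024-05-01T10:00:01 fw-otdmz action=ALLOW src=10.10.5.20 dst=10.20.1.7 dport=502",
    "2024-05-01T10:00:05 fw-otdmz action=ALLOW src=10.10.9.99 dst=10.20.1.7 dport=502",
    "2024-05-01T10:00:09 fw-otdmz action=DENY src=10.10.9.99 dst=10.20.1.8 dport=22",
]
IDS_ALERTS = [
    "2024-05-01T10:00:02 ids-ot src=10.10.5.20 dst=10.20.1.7 asset=PLC-CHLOR-01 event=write_setpoint tag=chlorine_dose old=1.1 new=1.2",
    "2024-05-01T10:00:06 ids-ot src=10.10.9.99 dst=10.20.1.7 asset=PLC-CHLOR-01 event=write_setpoint tag=chlorine_dose old=1.2 new=4.8",
]
# Assumed context the SOC maintains: hosts permitted to write to PLCs and the safe band per tag.
ENGINEERING_WORKSTATIONS = {"10.10.5.20"}
SAFE_BANDS = {"chlorine_dose": (0.5, 2.0)}

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'timestamp host k=v k=v ...' into a flat dict usable as a SIEM event."""
    ts, host, rest = line.split(" ", 2)
    event = {"ts": ts, "host": host}
    event.update(dict(KV.findall(rest)))
    return event

def correlate(firewall_logs, ids_alerts, allowlist, bands):
    """Join IDS PLC-write alerts with firewall flows and return findings for the analyst."""
    flows = [parse(l) for l in firewall_logs]
    findings = []
    for alert in map(parse, ids_alerts):
        if alert.get("event") != "write_setpoint":
            continue
        reasons = []
        if alert["src"] not in allowlist:
            reasons.append("write from host outside engineering allowlist")
        lo, hi = bands.get(alert["tag"], (float("-inf"), float("inf")))
        if not lo <= float(alert["new"]) <= hi:
            reasons.append(f"new setpoint {alert['new']} outside safe band {lo}-{hi}")
        if not reasons:
            continue
        # Corroborate with the IT-side firewall record of the same src->dst flow.
        path = [f for f in flows if f["src"] == alert["src"] and f["dst"] == alert["dst"]]
        findings.append({"asset": alert["asset"], "src": alert["src"], "reasons": reasons,
                         "firewall_corroboration": [f["ts"] + " " + f["action"] for f in path]})
    return findings

if __name__ == "__main__":
    for finding in correlate(FIREWALL_LOGS, IDS_ALERTS, ENGINEERING_WORKSTATIONS, SAFE_BANDS):
        print(finding)
```

The routine-looking write from the engineering workstation produces no finding, while the out-of-band dose change from an unlisted host is reported together with the firewall flow that let it through, which is the kind of combined IT/OT view the article argues for.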

Organizations that do not need a fully dedicated OT SOC should integrate OT security operations with IT operations. To manage the threat life cycle within these environments, security teams should adopt a comprehensive threat management program that can provide proactive, managed and response services for threats specific to OT environments.

IBM offers X-Force Threat Management for OT services to help organizations discover, manage and respond to threats from managed and unmanaged devices across their environments. To learn more, register for the May 18 webinar.
