Operational technology (OT) encompasses many aspects of our world, including industrial control systems (ICS) that are used to control core operational processes. ICS technologies often control essential services such as water and power supply and are also used to monitor these services to prevent hazardous conditions. Manipulation of these systems and processes could have extreme impacts on the end users of these services as well as workers within operational environments. Therefore, the security of OT environments and ICS technologies should be a top priority for organizations.

However, securing OT environments, assessing them to determine remediation plans and strategies, and gaining visibility into them is challenging and requires different approaches than traditional IT environments. OT cybersecurity incidents have also increased dramatically in recent years: according to the 2020 IBM X-Force Threat Intelligence Index, incidents targeting OT rose 2,000 percent year over year. Coupled with the lack of combined IT/OT visibility into OT environments, this means security issues can occur without anyone knowing, in some cases resulting in catastrophic damage to the business.

Thus, the question that security leaders are increasingly asking is "Why do my security team and security operations center (SOC) only have visibility into our IT environment and not our OT environment?" Let's discuss how visibility into the OT environment can be achieved through the synergies of a combined OT/IT security operations center.

Defining Operational Technology and Industrial Process Automation

Let’s start from the beginning and define operational technology and industrial process automation. There are many confusing definitions for OT, but the key to providing a full understanding is to first define an industrial process.

A process in this context refers to a specific automated industrial process, which may encompass many other sub-processes. For example, our drinking water is made safe by a process known as chlorination, which involves adding chlorine or chlorine compounds such as sodium hypochlorite to water. This process is automated by various ICS that control the specific amounts of chlorine that are added to water and the validation process to ensure that the water is safe for consumption.

Using this example, OT refers to the entire environment that is used to run the industrial environment, automation and control systems for the production of safe drinking water. The OT environment includes the ICS and IT systems, such as routers, switches, network cabling/wireless and computers. Very simply, it is the complete environment.

The Convergence of OT and IT Security

The integration of OT and IT security processes has created synergies not previously realized. Connecting OT devices allows better visibility into critical processes but also creates a complex security landscape in which there is no longer a single perimeter. OT-specific intrusion detection systems (IDS) can extend visibility beyond the predefined list of signals the process historian and SIEM already collect, using deep packet inspection, signatures, industrial-protocol analysis, anomaly detection and machine learning. At the same time, programmable logic controllers (PLCs) and the sensors they read are now attack targets in their own right: manipulating a PLC's logic or a sensor value changes the physical process, not just the data about it.

Cybersecurity Challenges in OT Environments Are Similar to Those in IT

Surprisingly, the security challenges in OT environments are very similar to those in IT environments, but with added industrial impacts. Just as in IT, OT challenges include unauthorized access, weak passwords, remote access, malware and patching.

For example, malware engineered to change water chlorination levels within an OT environment is not that different, as an intrusion, from a distributed denial-of-service (DDoS) attack on a bank. Both have serious consequences, but the attack in the OT environment also puts human life and safety at risk.

Building a Combined OT/IT SOC

Most companies do not need a dedicated OT SOC or a separate security team for their OT environments. That is usually the domain of the critical infrastructure sector: large electricity or water utilities, nuclear operators, transportation companies and other organizations with a specific need for separate visibility into their OT environments.

Thus, the majority of corporations will find synergy and efficiency in folding OT security monitoring into their IT SOC. Equally important is gaining visibility into IT security incidents that occur within OT environments, since the IT equipment there is exposed to the same threats as everywhere else.

Attaining visibility into an operational technology environment can be accomplished by the following:

  1. Direct messages from the process automation technology provider. For example, an industrial automation vendor sending OT security events directly to your security information and event management (SIEM) solution.
  2. Forwarding logs from the IT equipment inside OT environments. For example, logs from firewalls, routers, switches, servers, domain controllers, Active Directory and so on. This is possible today; however, it requires a careful design so that logs can leave the OT network without creating a path back into it (typically an outbound-only path through an industrial DMZ, a unidirectional gateway or a data diode).
  3. An industrial IDS placed within or outside the OT environment, fed by a non-intrusive SPAN (Switched Port Analyzer) mirror port or a network tap. Inline approaches are possible where, similar to an intrusion prevention system (IPS), the device can block communication. However, given the criticality of OT environments, the non-intrusive approach is generally preferred, because a false positive that blocks control traffic can itself cause a process upset.
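The protocol analysis and SPAN-fed monitoring described above, as an added example that is not part of the original article and is not IBM's or any vendor's product code: a passive Modbus/TCP inspector in Python of the kind a mirror-port sensor would run, emitting SIEM-ready events. It parses the MBAP header and PDU, treats Modbus write function codes as state changes, and flags writes from hosts outside a learned allowlist or writes that push a critical setpoint out of its safe range. The host addresses, the engineering-workstation allowlist, the register map (holding register 100 as a chlorine dose setpoint in tenths of a ppm) and the captured frames are all constructed for the example.

```python
"""Passive Modbus/TCP inspection for a SPAN-fed OT sensor (added example)."""
import json
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change PLC state (writes) versus those that only read.
WRITE_FUNCTIONS = {5: "WRITE_SINGLE_COIL", 6: "WRITE_SINGLE_REGISTER",
                   15: "WRITE_MULTIPLE_COILS", 16: "WRITE_MULTIPLE_REGISTERS"}
READ_FUNCTIONS = {1: "READ_COILS", 2: "READ_DISCRETE_INPUTS",
                  3: "READ_HOLDING_REGISTERS", 4: "READ_INPUT_REGISTERS"}

# Assumed site policy (constructed): which hosts may write, and which registers are critical.
POLICY = {
    "allowed_writers": {"10.20.1.10"},  # engineering workstation (assumed address)
    # register address -> (name, safe minimum, safe maximum); value is ppm x10 (assumed encoding)
    "critical_registers": {100: ("chlorine_dose_setpoint_x10_ppm", 5, 40)},
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    start_addr: Optional[int] = None
    value: Optional[int] = None


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP request (7-byte MBAP header + PDU). Returns None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol ID is always 0 for Modbus; MBAP length counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    req = ModbusRequest(src, dst, tid, unit, func)
    if func in (1, 2, 3, 4, 5, 6, 15, 16) and len(payload) >= 12:
        req.start_addr, second = struct.unpack(">HH", payload[8:12])
        if func in (5, 6):              # single write: second word is the value
            req.value = second
        elif func == 16 and len(payload) >= 15:
            # start(2) quantity(2) byte-count(1) then register values; take the first
            req.value = struct.unpack(">H", payload[13:15])[0]
    return req


def inspect(frames, policy=POLICY):
    """Run detection rules over (src, dst, payload) tuples; return SIEM event dicts."""
    events = []
    for src, dst, payload in frames:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            events.append({"severity": "medium", "rule": "malformed_modbus",
                           "src": src, "dst": dst})
            continue
        base = {"src": src, "dst": dst, "unit": req.unit_id, "function": req.function,
                "function_name": WRITE_FUNCTIONS.get(req.function)
                or READ_FUNCTIONS.get(req.function, "OTHER"),
                "register": req.start_addr, "value": req.value}
        findings = []
        if req.function in WRITE_FUNCTIONS:
            if src not in policy["allowed_writers"]:
                findings.append(("high", "write_from_unauthorized_host"))
            crit = policy["critical_registers"].get(req.start_addr)
            if crit and req.value is not None:
                name, lo, hi = crit
                base["register_name"] = name
                if not lo <= req.value <= hi:
                    findings.append(("high", "setpoint_out_of_range"))
            if not findings:
                findings.append(("info", "authorized_write"))
        else:
            findings.append(("info", "read"))
        for severity, rule in findings:
            events.append({"severity": severity, "rule": rule, **base})
    return events


def to_siem_ndjson(events) -> str:
    """Newline-delimited JSON, the form most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


# Constructed frames as a SPAN port would deliver them (TCP payload only).
PLC = "10.20.3.5"
SAMPLE_FRAMES = [
    ("10.20.1.10", PLC, bytes.fromhex("000100000006010300640002")),   # read 2 regs @100
    ("10.20.1.10", PLC, bytes.fromhex("000200000006010600640014")),   # write reg 100 = 20
    ("10.20.5.77", PLC, bytes.fromhex("0003000000060106006400FA")),   # unknown host, 250
    ("10.20.5.77", PLC, bytes.fromhex("000400010006010600640014")),   # bad protocol id
    ("10.20.1.10", PLC, bytes.fromhex("00050000000901100064000102001E")),  # FC16, 30
]

if __name__ == "__main__":
    print(to_siem_ndjson(inspect(SAMPLE_FRAMES)))
```

The allowlist is the part a real deployment has to learn rather than type in: a few weeks of passive capture from the SPAN port yields the set of (source host, unit id, function code) tuples the process actually uses, and anything outside it is worth a ticket. The setpoint range check is the OT-specific addition; an IT IDS would never know that 250 in that register means ten times the normal chlorine dose.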

Organizations that do not need a fully dedicated OT SOC should integrate OT security operations with IT operations. To manage the threat life cycle within these environments, security teams should adopt a comprehensive threat management program that can provide proactive, managed and response services for threats specific to OT environments.

IBM offers X-Force Threat Management for OT services to help organizations discover, manage and respond to threats from managed and unmanaged devices across their environments. To learn more, register for the May 18 webinar.
