Over the past several years, companies that operate industrial environments have taken advantage of digital transformation to help them become more competitive in their respective sectors. From the internet of things (IoT) to the industrial internet of things (IIoT) to Industry 4.0, the next industrial revolution is upon us as companies leverage the ability to connect devices that were previously not connected to the internet.
IT components like servers, databases and even cloud services are being brought into operational technology (OT) environments and can introduce various benefits to industrial processes, such as helping organizations improve uptimes, performance, quality and productivity, maintain safety, and help reduce maintenance costs and risk. All these can result in increased profits for organizations that adopt these solutions.
However, as with any digital transformation, there are some challenges that can arise. As OT environments, especially with legacy systems in place, become increasingly connected, they may inherit risks that were previously the domain of the IT environment. As a result, they can become vulnerable to cybersecurity threats and threat actors that may not have affected them in the past.
Some Definitions First — What Is OT Security?
Operational technology is the use of computerized systems to manage, monitor, and control the physical state of other systems. Gartner defines OT security as the practices and technologies used to protect people, assets and information involved in the monitoring and/or control of physical devices, processes and events.
OT security is fundamentally different from IT security in the sense that IT systems are typically designed around confidentiality, integrity and availability (CIA). But since OT environments are more mission-critical, the objectives in that environment typically follow the priority of availability and integrity, followed by confidentiality, according to the NIST 800-82.
When it comes to OT security, we often refer to securing networks that run industrial environments to help maintain safety and reliability of operations.
The ongoing convergence between the rugged and noisy plant world and the carpeted corporate IT world is forcing both parts of the organization to learn to speak each other’s language, so to speak, and work together to help secure the evolving organization.
However, what can be confusing sometimes, holding teams back, is terminology being used wrongly or interchangeably in that space.
For example, operational technology, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) are often used interchangeably by many in the industry. So, before digging deeper, let us understand what each of these terms means.
Operational Technology (OT)
Operational technology refers to technologies that are used within industrial operations. Equipment like motors and actuators and machines responsible for making things move or producing something are considered operational technology.
Industrial Control Systems (ICS)
ICS is another type of OT that comprises systems that are used to monitor and control industrial processes. For example, checking that a motor is running at the expected speed, ensuring that the pressure within a pipe is indeed correct, checking that the right temperature is maintained, etc. There could be thousands of ICS devices monitoring industrial processes within a given plant or industrial facility.
SCADA and DCS
Industrial control systems are often consolidated into distributed control systems (DCS) and SCADA systems that provide an easier way for engineers to manage various industrial processes.
SCADA systems are often located in the control room where engineers can use them to observe the status of a system or make system adjustments to manage the process under control. For example, in the case where an OT device is malfunctioning and people in the plant could be injured, the sooner operators known about it, the better. That is where SCADA systems can help by alerting plant and system operators about issues to allow timely remediation.
Let’s take, for example, an HVAC system that maintains plant temperature. This system is an example of OT. The individual thermostats used to monitor/control the temperature would be ICS, and the user interface that can help monitor the temperature and perform additional activities in a click would be an example of a SCADA system.
By extension, OT security, ICS security and SCADA security are all too often used interchangeably by organizations even though they are inherently different and subject to distinct vulnerabilities and attack scenarios. That being said, based on IBM X-Force discussions with industry analysts and experts, we believe it is safe to say that OT security is the broader, more recognized umbrella term for securing all these components.
Malware in the Factory
In recent times, attacks on the industrial sector have been increasing, with malware like Triton, Shamoon and various ransomware attacks aiming to disrupt operations for industrial companies across the globe. Some of the affected industries included oil and gas, energy and utilities, healthcare and life sciences, consumer products, and various verticals in the industrial sector, proving that the industrial sector is no longer exempt from threats that can reach its networks and severely impact operations.
X-Force Red is an autonomous team of veteran hackers within IBM Security hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain. According to X-Force Red data collected from our vulnerability database the number of vulnerabilities exposing industrial control systems has increased 83 percent over the past eight years (since 2011).
It therefore stands to reason that organizations transforming their OT environments also need to evolve their security posture to enable innovation and continue to see the benefits of a connected plant, grid or oil rig, to name a few.
Wish to learn more? Join us for a webinar in which industry specialists discuss the challenges and best practices for securing the OT environment.