In June, Honda reported a malware attack that brought customer and financial services operations to a standstill. One of the more dangerous characteristics of the Snake ransomware used in the attack, according to researchers, is that it can easily spread from IT to OT networks in companies with converged networks.
Operational technology (OT) – or the IoT on an industrial scale – is critical infrastructure for organizations and society, and a critical target for criminals. With convergence of IT and OT systems increasing, what can organizations do to make the converged landscape look as safe and secure as possible?
"There's been a lot more attacks in the last couple of years, mostly ransomware-based, which have impacted production facilities and environments," says Andrew Tsonchev, director of technology at Darktrace.
In 2019 alone, research indicates attacks on OT targets had skyrocketed by 300%. However, Tsonchev points out that most of the attacks are not coming from the sort of nation-state actors that so many companies fear. Rather, they're coming from garden-variety criminals who now have the tools to take effective aim at OT systems.
And those tools come from the same trend that makes OT so important to modern manufacturing companies: IT-OT convergence.
"There's increased convergence and connectivity between previously isolated [OT] environments and the IT business systems inside organizations," Tsonchev says.
The evolution of IT and OT within organizations has been slow, to a point where they're largely standardized, he adds, but the change in the threat landscape is due to the fact that there's less separation and isolation between the two than there once was.
Tsonchev says a hunger for data, from data-driven manufacturing to the data analysis required for just-in-time manufacturing, is one of the driving forces behind this convergence. But data hunger isn't the sole driver.
The larger motive, he says, is that businesses are using more centralized and cloud-based data analytics to power their manufacturing.
"And to play in that ecosystem, you can't really have a 1990s-style isolated local network," Tsonchev explains.
While organizations are eager to embrace the possibilities unlocked by bringing IT and OT networks together, many don't go far enough to do so safely, he says.
"If you're going to have convergence between different parts of your networked environment, you need to start treating them as one security domain," Tsonchev says, "and you need to be thinking about threat modeling and risks and attack types seamlessly across the two environments."
Of course, syncing two environments into one security domain requires building bridges – bridges across technologies, across system architectures, and across cultures.
The easier obstacles to overcome are the technological ones, says Tsonchev. As he explains, although IT and OT have largely converged, the security ecosystem has not: The tools typically used to defend OT and IT environments are distinct and different. Tsonchev believes that if attackers aren't going to see these systems as separate entities, then security tools shouldn't either.
The bigger challenge, he says, is not in the silicon of servers and networking appliances but in the brains of security professionals.
"The harder problem, I think, is the skills problem, which is that we have very different expertise existing within companies and in the wider security community, between people who are IT security experts and people who are OT security experts," Tsonchev says. "And it's very rare to find one individual where those skills converge."
It's critical for companies looking to solve the converged security problem, whether in technology or technologists, to figure out what the technology and skills need to look like in order to support their business goals. And they need to recognize that the skills to protect both sides of the organization may not reside in a single person, Tsonchev says.
"There's obviously a very deep cultural difference that comes from the nature of the environments characterized by the standard truism that confidentiality is the priority in IT and availability is the priority in OT," he explains.
And that difference in mindset is natural – and to some extent essential – based on the requirements of the job. Where the two can begin to come together, Tsonchev says, is in the evolution away from a protection-based mindset to a way of looking at security based on risk and risk tolerance.
That evolution can come as part of the critical flow of protecting OT and IT together.
"The first and most simple step would be to make sure that everyone who's a stakeholder in security is agreeing on the same picture of reality, that everyone's looking at the same data, everyone's seeing the same tools responding to the same events," Tsonchev says.
The last thing a company needs, he says, is for data and the resulting decisions to have to flow back and forth across organizational boundaries in order to respond to events.
"You absolutely want to make sure that, however you are approaching this, you're not coming at it from a point of view where those boundary areas are your blind spots, because then the way you're trying to prioritize what you're trying to detect is radically out of whack with risk to the business," Tsonchev explains.
And once everyone is looking at the same set of data and agreeing on the same set of priorities, many organizations can focus on the basic similarities between many of the threats and attacks, Tsonchev says. Doing that means they can strip away excess information and get back to the basics where action can be taken to minimize the risk to the company.
"If you always bring it back to what we know is the simple and consistent way in which attackers penetrate these environments, then I think the challenge becomes a lot clearer and a lot more manageable," he says.