Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
10/28/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Things the Hoodie & the Hard Hat Need to Know About Each Other

Traditionally, the worlds of IT (the hoodie) and OT (the hard hat) have been separate. That must change.

For nearly 30 years, operational technology (OT) in industrial facilities was considered relatively safe from outside hacking risk. The so-called air gap between IT and OT, paired with the heavy use of proprietary industrial control systems, created a mindset of "security via obscurity."

In recent years, there have been multiple, well-publicized cyberattacks on industrial facilities, which are now occurring with greater frequency and sophistication. As a result, industrial operations leaders, IT executives, and the CEOs they report to are taking significant interest in improving OT cybersecurity. One challenge to that effort is the different worlds IT (the hoodie) and OT (the hard hat) practitioners come from. Historically, these two groups have stayed out of each other's areas because of the deep and different complexity of the two domains and the rightful separation of responsibilities. To improve awareness, we've outlined the top five things IT and OT should learn from one another.

1. Operational facilities no longer are — and frankly never were — an island. The air gap between IT and OT systems and networks is no longer valid, if it ever was. IT professionals have understood that a persistent, smart hacker can eventually find a way into your network. It's not a question of if but when you will be breached, and IT leaders design their security strategy based on this premise. It's time for OT to do the same.

The assumptions OT has made regarding security via obscurity are also no longer valid. With the large revenue generated by industrial facilities and hazardous processes/chemicals used, hackers have been taking more interest in distributed control systems (DCSs), programmable logic controllers, safety instrumented systems, and process control networks. These systems appear as complex black boxes to most IT people.

2. IT people don't fully appreciate the meaning of OT reliability. When discussing reliability, IT people use terms like MTTR (mean time to repair) and MTBF (mean time between failure) and, in a cloud-based world, it's common to remove a bad or compromised server and just spin up a new one. That approach doesn't fly in an industrial plant. You can't just shoot a DCS that is managing hundreds of different control valves and monitoring thousands of measurements. That can have a catastrophic impact on the personnel, the environment, and the surrounding community, not just a disruption to production and lost revenue.

Today, most IT people think of servers like cattle, not pets. This has been one of the huge benefits of shared or cloud infrastructure. But this approach cannot apply when you are talking about machines that move molecules and where things can go boom — literally.

3. The concept of defense-in-depth applies to both IT and OT. Enterprise CISOs know reliance on a single solution or silver bullet puts them at risk. This is why we implement multiple firewalls, intrusion-detection tools, antivirus software as well as identity, data, and endpoint security technologies. They create multiple layers of defense, often using multiple vendors within each layer. It's like a moat around your moat backed up by a castle wall with another wall beyond that, and so on. Embracing defense-in-depth from web apps to Level 0 components (e.g., valves, sensors, actuators, robots) that move molecules in a plant is key.

The concept of defense in depth isn't foreign to the OT world, which uses a similar approach called independent protection layers (IPLs). These safety layers protect, monitor, and respond when critical measurements (such as pressure and temperature) exceed predefined boundary limits. These IPLs are also a high-consequence hacking risk. One of the most prominent industrial hacking attacks recently was the inadvertent tripping of a safety instrumented system in a major refinery. This caused the entire industrial sector to take notice.

4. There's no such thing as Patch Tuesday in OT. In an industrial plant, changes must be well planned and coordinated with operations and maintenance groups. In the OT world, you might not be able to introduce changes more often than once a year or longer. Furthermore, many of the control systems have been in place for more than 15 years. We don't replace OT every three to five years like IT does. When managing security vulnerabilities, it's critical to take this into account. You also can't just put a network packet sniffer on a plant control network and build a comprehensive inventory and identify all vulnerabilities. You need much more granularity to see if a vulnerability exists on a specific I/O card or a controller within a DCS, and that requires capturing data from configuration backups.

5. OT needs to understand digital transformation will have a profound effect and it's going to be driven primarily from people who come from outside of OT. Chief digital officers and chief data officers are being appointed every day. The hiring profile rarely includes an understanding of OT. This poses a challenge because these new leaders don't know what they don't know. However, it also presents an opportunity to help them understand how a "digital plant" can drive revenue growth through improved efficiency, expanded operations, and production visibility. It also means ensuring the integrity of industrial operations from both a cybersecurity and a process safety perspective is paramount, and that requires IT and OT to work together.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Building a Cybersecurity Culture: What's Love Got to Do With It?"

Eddie Habibi is the Founder and CEO of PAS Global. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In the past several years, PAS was recognized in CRN's 15 ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1093
PUBLISHED: 2020-02-21
The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.
CVE-2012-0828
PUBLISHED: 2020-02-21
Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BM...
CVE-2012-0844
PUBLISHED: 2020-02-21
Information-disclosure vulnerability in Netsurf through 2.8 due to a world-readable cookie jar.
CVE-2013-3587
PUBLISHED: 2020-02-21
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses...
CVE-2012-6277
PUBLISHED: 2020-02-21
Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 10.16, as used in Symantec Mail Security for Microsoft Exchange before 6.5.8, Symantec Mail Security for Domino before 8.1.1, Symantec Messaging Gateway before 10.0.1, Symantec Data Loss Prevention (DLP) before 11.6.1, IBM Notes 8....