Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
10/28/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Things the Hoodie & the Hard Hat Need to Know About Each Other

Traditionally, the worlds of IT (the hoodie) and OT (the hard hat) have been separate. That must change.

For nearly 30 years, operational technology (OT) in industrial facilities was considered relatively safe from outside hacking risk. The so-called air gap between IT and OT, paired with the heavy use of proprietary industrial control systems, created a mindset of "security via obscurity."

In recent years, there have been multiple, well-publicized cyberattacks on industrial facilities, which are now occurring with greater frequency and sophistication. As a result, industrial operations leaders, IT executives, and the CEOs they report to are taking significant interest in improving OT cybersecurity. One challenge to that effort is the different worlds IT (the hoodie) and OT (the hard hat) practitioners come from. Historically, these two groups have stayed out of each other's areas because of the deep and different complexity of the two domains and the rightful separation of responsibilities. To improve awareness, we've outlined the top five things IT and OT should learn from one another.

1. Operational facilities no longer are — and frankly never were — an island. The air gap between IT and OT systems and networks is no longer valid, if it ever was. IT professionals have understood that a persistent, smart hacker can eventually find a way into your network. It's not a question of if but when you will be breached, and IT leaders design their security strategy based on this premise. It's time for OT to do the same.

The assumptions OT has made regarding security via obscurity are also no longer valid. With the large revenue generated by industrial facilities and hazardous processes/chemicals used, hackers have been taking more interest in distributed control systems (DCSs), programmable logic controllers, safety instrumented systems, and process control networks. These systems appear as complex black boxes to most IT people.

2. IT people don't fully appreciate the meaning of OT reliability. When discussing reliability, IT people use terms like MTTR (mean time to repair) and MTBF (mean time between failure) and, in a cloud-based world, it's common to remove a bad or compromised server and just spin up a new one. That approach doesn't fly in an industrial plant. You can't just shoot a DCS that is managing hundreds of different control valves and monitoring thousands of measurements. That can have a catastrophic impact on the personnel, the environment, and the surrounding community, not just a disruption to production and lost revenue.

Today, most IT people think of servers like cattle, not pets. This has been one of the huge benefits of shared or cloud infrastructure. But this approach cannot apply when you are talking about machines that move molecules and where things can go boom — literally.

3. The concept of defense-in-depth applies to both IT and OT. Enterprise CISOs know reliance on a single solution or silver bullet puts them at risk. This is why we implement multiple firewalls, intrusion-detection tools, antivirus software as well as identity, data, and endpoint security technologies. They create multiple layers of defense, often using multiple vendors within each layer. It's like a moat around your moat backed up by a castle wall with another wall beyond that, and so on. Embracing defense-in-depth from web apps to Level 0 components (e.g., valves, sensors, actuators, robots) that move molecules in a plant is key.

The concept of defense in depth isn't foreign to the OT world, which uses a similar approach called independent protection layers (IPLs). These safety layers protect, monitor, and respond when critical measurements (such as pressure and temperature) exceed predefined boundary limits. These IPLs are also a high-consequence hacking risk. One of the most prominent industrial hacking attacks recently was the inadvertent tripping of a safety instrumented system in a major refinery. This caused the entire industrial sector to take notice.

4. There's no such thing as Patch Tuesday in OT. In an industrial plant, changes must be well planned and coordinated with operations and maintenance groups. In the OT world, you might not be able to introduce changes more often than once a year or longer. Furthermore, many of the control systems have been in place for more than 15 years. We don't replace OT every three to five years like IT does. When managing security vulnerabilities, it's critical to take this into account. You also can't just put a network packet sniffer on a plant control network and build a comprehensive inventory and identify all vulnerabilities. You need much more granularity to see if a vulnerability exists on a specific I/O card or a controller within a DCS, and that requires capturing data from configuration backups.

5. OT needs to understand digital transformation will have a profound effect and it's going to be driven primarily from people who come from outside of OT. Chief digital officers and chief data officers are being appointed every day. The hiring profile rarely includes an understanding of OT. This poses a challenge because these new leaders don't know what they don't know. However, it also presents an opportunity to help them understand how a "digital plant" can drive revenue growth through improved efficiency, expanded operations, and production visibility. It also means ensuring the integrity of industrial operations from both a cybersecurity and a process safety perspective is paramount, and that requires IT and OT to work together.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Building a Cybersecurity Culture: What's Love Got to Do With It?"

Eddie Habibi is the Founder and CEO of PAS Global. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In the past several years, PAS was recognized in CRN's 15 ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20637
PUBLISHED: 2020-04-08
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connecti...
CVE-2020-11650
PUBLISHED: 2020-04-08
An issue was discovered in iXsystems FreeNAS 11.2 and 11.3 before 11.3-U1. It allows a denial of service.
CVE-2020-11653
PUBLISHED: 2020-04-08
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
CVE-2020-2732
PUBLISHED: 2020-04-08
A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest.
CVE-2020-1627
PUBLISHED: 2020-04-08
A vulnerability in Juniper Networks Junos OS on vMX and MX150 devices may allow an attacker to cause a Denial of Service (DoS) by sending specific packets requiring special processing in microcode that the flow cache can't handle, causing the riot forwarding daemon to crash. By continuously sending ...