The Industrial Internet of Things (IIoT) — within companies and across the entire global IIoT ecosystem — is an intricately intertwined and negotiated merger of information technology and operational technology, or OT. OT systems are not only business-critical, they can be nation-critical, or life-and-death critical.
Every IIoT customer I speak to wants the strongest possible security. But who inside the customer's organization will execute and own the process? In meeting after meeting with customers building IIoT capabilities, I encounter a natural but sometimes tense uncertainty between IT and OT/line-of-business (LoB) professionals when it comes to IIoT security. That uncertainty is itself a security vulnerability because it delays essential security deployment.
A recent Forrester survey of IT and OT/LoB leaders showed IT and OT managers evenly divided on whether IT or OT is responsible for security. As an alarming result of this standoff, reports Forrester, an unacceptably large number of companies — 59% — are willing to "tolerate medium-to-high risk in relation to IoT security." I believe that's wrong as well as dangerous.
Consider the differences between enterprise IT and OT:
- Availability: IT commonly treats 99% uptime as acceptable, while OT requires 99.999% ("five nines"). Over a year, that is the difference between roughly 87.6 hours of permitted downtime and about 5.3 minutes.
- System life: IT systems are refreshed, on average, every three to five years. OT systems, by contrast, last 10 to 15 years.
- Patching: IT patching/updates can be done whenever updates are available, but OT patching/updates risk interrupting strategic, revenue-generating industrial operations.
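To make the availability gap concrete, the following added example (not code from the original article) converts an availability target into the downtime it permits per year, month and week, and then asks how many planned maintenance windows of a given length fit inside that budget. The window lengths are illustrative assumptions; the point is that at five nines there is no room for even one routine patch-and-reboot cycle per year.

```python
"""Downtime budget implied by an availability target.

Added example; not part of the original article. The 30- and 5-minute
maintenance windows used in the demo are assumptions chosen for illustration.
"""

HOURS_PER_YEAR = 365 * 24  # 8760 h; fixed-year convention, leap years ignored


def downtime_per_year_minutes(availability_pct: float) -> float:
    """Minutes of downtime per year allowed by an availability percentage."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    unavailable_fraction = (100.0 - availability_pct) / 100.0
    return unavailable_fraction * HOURS_PER_YEAR * 60.0


def downtime_budget(availability_pct: float) -> dict:
    """Annual downtime budget broken down per year (hours), month and week (minutes)."""
    minutes_year = downtime_per_year_minutes(availability_pct)
    return {
        "per_year_hours": minutes_year / 60.0,
        "per_month_minutes": minutes_year / 12.0,
        "per_week_minutes": minutes_year / 52.0,  # 52-week approximation
    }


def maintenance_windows_per_year(availability_pct: float, window_minutes: float) -> int:
    """Number of planned outages of `window_minutes` that fit in the annual budget.

    Uses floor division: a partial window would breach the target, so it does not count.
    """
    if window_minutes <= 0:
        raise ValueError("window length must be positive")
    return int(downtime_per_year_minutes(availability_pct) // window_minutes)


if __name__ == "__main__":
    # Compare the IT target from the article, an intermediate "three nines", and the OT target.
    for target in (99.0, 99.9, 99.999):
        budget = downtime_budget(target)
        print(
            f"{target:>7}% -> {budget['per_year_hours']:8.3f} h/year, "
            f"{budget['per_month_minutes']:8.2f} min/month, "
            f"30-min patch windows/year: {maintenance_windows_per_year(target, 30)}, "
            f"5-min windows/year: {maintenance_windows_per_year(target, 5)}"
        )
```

Running the script shows that 99% permits 175 thirty-minute patch windows a year, while 99.999% permits none: a single five-minute outage already consumes nearly the whole annual budget. That is the arithmetic behind OT's reluctance to reboot for a patch.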
There are many other differences between IT and OT — such as varying approaches to the cloud — but all differences are subsumed by the universal need for the most resilient IIoT security available.
An approach I favor is helping industrial companies use the hard-won, long-fought lessons of IT to leapfrog to an advanced state of IIoT security, security that is expertly architected and deployed to meet OT's differentiated requirements. If one thinks of OT systems as another form of data center — the heavily protected core of enterprise IT — there are some promising ideas one can adapt from decades of IT experience to provide new levels of IIoT security while honoring the specific needs of OT.
The Patching Conundrum
However, when it comes to patching — the process of updating, fixing, or improving a software program — a direct port of everyday IT practice to OT is not always feasible. On this subject, IT and OT speak different languages. For that reason, it is essential that leaders of the IIoT industry on both the IT and OT sides join together, think deeply, and work with greater imagination to develop cybersecurity techniques that are more agile and effective than reflexive patching.
The bottom line for OT: patches can create problems and sometimes make things worse, as we're seeing with patches for the Meltdown and Spectre CPU vulnerabilities. Early patches for Meltdown and Spectre degraded system performance, and some had to be withdrawn after causing instability.
The hard truth is that the soft underbelly of the modern industrial economy is largely old OT machines. In the world of IT, if something is infected, the first instinct is to shut it down fast, then patch it (or replace it). In OT, the opposite instinct often prevails: keep it up and running. Some crucial OT systems have been on factory floors for 15 to 25 years or more and can't easily be taken down and patched, even when an appropriate patch exists, because they may lack the memory, storage, or CPU headroom to accept it, or because the vendor no longer supports them.
Finally, there's the relative complexity and fragility of OT systems compared with IT systems. An IT system can be taken down, patched, and started up again to deliver identical service. IT can run racks of identical servers, and if one goes down or burns out, the next in line takes over without a hitch. OT systems, by contrast, are often highly orchestrated combinations of software and hardware that have "personalities." Even when a company can take a machine down for patching, what comes back up is not the same system: the patch changes timing, drivers, or interfaces, and those changes can propagate to other elements of the process in ways nobody tested for. In OT, unpredictability is not acceptable.
First in a series of articles.