Topics in this article
Typically, these systems are designed and built with proprietary and specialized technologies and communications and segmented from IT networks. Thus, oversight typically falls outside of traditional IT (and IT security’s) management purview.
But widespread digital innovation and the desire to connect and automate everything brings a plethora of changes in how these OT systems are designed, built and managed. In the not-so-distant past, a separation and independence of IT and OT systems was understandable and indeed relied upon to distinguish and provide security for the OT network.
As more OT systems connect to the Internet – and the traditional IT networks – IT and OT teams find themselves more digitally connected than ever. So, how they manage and secure these systems must also transform.
How connected OT systems increase risk
Gartner reports that OT environments that were traditionally separated are no longer completely isolated. They now have direct connections for business, OEMs and other third parties i and 15% of survey respondents have experienced a security incident last year that crippled operational or mission-critical systems.ii When you compare that 15% of survey respondents to the select few prominent OT cyber incidents in the news, one can conclude that OT incidents are significantly underreported.
A SANS study further underscores how connectivity is driving risk: connectivity to external systems continues as the overwhelming root cause of incidents, an indication that organizations still fail to follow network segmentation best practices.iii
This reality points to yet another fact: an increasing number of IT and OT systems have been connected to the Internet in a manner not previously expected. Similarly, the means by which employees connect to and manage them has also changed. At the same time, cybercrime and nation-state attacks are on the rise and OT devices are increasingly affected, either as collateral damage or as direct targets designed to disrupt business.
According to Gartner, security incidents in OT and other cyber-physical systems have three main motivations: actual harm, commercial vandalism (reduced output) and reputational vandalism (making a manufacturer untrusted or unreliable.)iv
As more OT networks connect to IT networks, it becomes easier for business transactions and related data to flow between the two environments. But it also makes it easier for malicious actors to discover ways to gain access via a broadened attack surface as more and more devices connect to the network. And as OT networks connect to the Internet, they’re exposed to the outside world, making it easier for trusted actors (employees) and bad actors (cybercriminals) to access them.
Reduce risk by implementing a security control framework
Current OT security tools and resources are insufficient given increasing threats from cybercriminals and the expanding attack surface, as noted earlier. Meanwhile, regulators and supply chain business partners expect organizations to demonstrate regulatory and industry compliance in most sectors. This need is crossing over from IT into OT.
A holistic approach to IT-OT network convergence is necessary for organizations that rely on both environments.
Existing IT security controls, tools, practices and skills sets don’t automatically translate to safe management of industrial equipment, even if it’s physically located ‘near’ the IT components running on the same shop floor or at a worksite in an oilfield.
Creating a framework of collaboration is critical to successfully securing OT. This framework will improve the cybersecurity posture by bringing together line of business experts, OT equipment suppliers and IT and OT security teams. Working together, aligning priorities and defining recovery processes can go a long way to enhancing the organization’s security posture while improving IT-OT network resiliency in a manner that can be demonstrated not only to internal stakeholders but also to external parties seeking this reassurance.
New priorities are reflected in reallocated responsibilities and investments
The stakes are high and require new leadership approaches coupled with technical savviness. Over 90% of OT companies experience some form of cybercrime each year,v and Gartner predicts that the financial impact of cyber-physical attacks will reach over USD50 billion by 2023. In addition, most CEOs will be personally liable for such incidents. Consequently, many businesses are moving to put OT security under the CISO and holding line of business leaders responsible for embedding security within their operations.
Innovative technology consolidation holds many potential benefits. Advocacy from the leadership team is important to ensure that accountability and responsibility are clear and that such consolidation aligns with the organization’s strategic direction.
Organizations leading the convergence of IT and OT can concurrently improve efficiency and lower operational costs over time. For example, companies that embraced IT-OT convergence efforts before the pandemic could better facilitate working from home, adapt network technology and policies to support third-party access to OT devices and recover from incidents more effectively.6
If your organization is establishing or bolstering an IT-OT security framework, reach out to NTT, a leading security services provider that leverages Fortinet’s Security Fabric. Together we can accelerate your security transformation and help you build a robust IT-OT converged network.
i Gartner, Reduce Risk to Human Life by Implementing This OT Security Control Framework, June 17 2021
ii Gartner, Emerging Technologies: Critical Insights for Operational Technology Security, November 10, 2021
iii SANS 2021 Survey: OT/ICS Cybersecurity, August 2021
iv Gartner, Gartner Predicts By 2025 Cyber Attackers Will Have Weaponized Operational Technology Environments to Successfully Harm or Kill Humans, July 2021
v Fortinet 2021 State of Operational Technology and Cybersecurity Report