IT Security and OT Security Converging

The term “information technology” (also known as “IT”) has been with us for more than 60 years now. It was first coined by Harold Leavitt and Thomas Whisler and published in an article in the Harvard Business Review in 1958 (long before the Internet was conceived of). It refers to all those pieces/parts that make up electronic information systems. The term “operational technology” (also known as “OT”) was first coined nearly half a century later in a research paper from Gartner in 2006. It refers to industrial control systems that are controllable from remote locations, especially those that are controllable over an Internet connection. It has spawned another new acronym: “IIoT” (“industrial internet of things”). For the security industry, these terms highlight one of the biggest security problems facing us today; securing industrial controls systems from remote attacks by cybercriminals and hostile nation states.

For most of the Information Age, such terms and considerations were not necessary. Industrial control systems were largely analog and not subject to remote attack. Even after the Internet had been well established, the security of industrial control systems was not seen as a big problem since there was little reward to be had by disrupting such systems to the average hacker. In recent years that has all changed. Industries from infrastructure (i.e. electric grids, pipelines, water systems) to the private sector (i.e. manufacturing, mining, cargo transport) have been, and continue to, embrace the Internet as a medium for controlling and communicating with their industrial controls systems. It increases efficiency and cuts cost for these concerns. It also allows them to decrease the number of personnel needed and to centralize control and monitoring of these systems. A great boon! Unfortunately, security was not well considered or implemented as these processes were put in place. As a result, industrial control systems are now among the easiest to compromise by Internet attack. On top of that, there is now an attack vector that is attracting your average cybercriminal motivated by greed to target industrial control systems: ransomware.

Ransomware allows attackers to make money from almost any business or institution, including industry and infrastructure. Modern ransomware attackers not only threaten to encrypt information and make it unavailable to legitimate users, they threaten to disrupt industrial control systems or reveal private information publicly. One example is the recent Colonial Pipeline debacle. Because of this, it is increasingly important for industrial concerns to solve their Internet security problems. This problem is finally being recognized by the U. S. Government at the highest level. President Biden has recently threatened reprisals for attacks against vital American infrastructure and manufacturing concerns.

In addition, the CISA has recently published a fact sheet detailing their recommendations for protecting these systems against ransomware attacks. These recommendations include:

  • Determining how much your critical OT systems rely on key IT infrastructure.
  • Planning for when you lose access to IT and/or OT environments.
  • Exercising your incident response plans, and testing manual controls if OT networks need to be taken offline.
  • Implementing regular data backup procedures for both OT and IT networks.
  • Requiring multi-factor authentication for both OT and IT networks, and
  • Segmenting IT and OT networks.

These are good suggestions and should be implemented ASAP. However, they are not a panacea. Nobody to date has come up with a true answer to the problem of cyberattacks against industrial control systems. Because of this it is important to remain flexible and to devote adequate resources for fighting this very thorny problem.