03 Jul 2019 Why the shoe doesn’t fit? The essence of the OT security problem
The essence of today’s OT security problem is that data-centric, IT-class protections are not enough for, and often ill-suited to, the needs of operational security and control systems. But first, to understand OT security, we must understand something about both industrial systems and good old-fashioned IT cyber security.
Where to start? The field of industrial control systems has been around for many years – people were controlling physical processes with dials and gauges before there were computers, and have been using computers to assist dials and gauges almost since the first computers were invented. Industrial control systems are the computers that control critical, complex, and often dangerous physical processes, many of which make up the physical infrastructure of modern societies. These physical processes are powerful tools, and their misuse generally has destructive and even disastrous consequences. Preventing such misuse and protecting correct control is the goal of OT security.
An important trend in operational systems since roughly the mid-1990s is the integration of OT (operational technology) networks with external enterprise IT networks. This is an irreversible trend that frequently calls for specific expertise from IT security practitioners, because the higher levels of industrial control systems (Purdue Model level 3) look a lot like IT systems: they run the same or similar operating systems and base applications, and use the same kinds of networks and communications. IT/OT integration provides opportunities for greater efficiency and essential business services, but if the perimeter of an OT network is either unprotected or protected only by traditional IT security, we are introducing attack opportunities against the most critical control processes of the business.
When the same technology is used on OT networks as on IT networks, many of the same cyber attacks that succeed on IT networks now also succeed on OT networks, and the consequences there cannot be mitigated by restoring data from backups.
Continuous, correct & efficient operation
Let’s be clear: traditional IT security is essential to a strong OT security architecture, but IT security alone is not sufficient for OT networks. Protecting the process, safety and correct control requires OT-class protections that go beyond the software-only model. IT protections were developed to preserve the integrity of data, not of a physical process. Human lives, environmental disasters and even lost production cannot be “restored from backups” the way data can. Perimeter security of any OT network must therefore be the priority; preventing intrusion and creating a “Fort Knox” is the first call to action. Intrusion detection, for example, is indeed essential to OT security, but it is a secondary defensive measure.
Intrusion detection takes time and resources, as does incident response. In the event of an OT compromise, for all the time it takes to detect and respond to a threat, an attacker could have unauthorized control of part or all of the control system. Ask any industrial engineer and they will tell you that such a threat, however brief, is an unacceptable risk.
Control system professionals and engineers care enormously about who is turning the dials and throwing the switches, and care even more that the physical equipment is operated safely and reliably. At industrial sites, the first priority for cyber protection of OT systems is always preventing unauthorized control.
This is the IT/OT integration problem: steadily increasing use of IT components and connectivity over the last 20 years has increased efficiency, but has also increased the attack risk to physical processes. The many benefits realized through this confluence of networks are unfortunately putting safe and continuous operations at risk, and the cost of a single cyber outage threatens to dwarf all of our routine budgeting. Safe, continuous, reliable physical operations need both IT and OT security.