Interconnectivity between IT, OT, and IoT is increasing rapidly across industry, infrastructure, and smart cities. This is driven in part by the need for digital transformation, which spurs deeper connectivity between automation and enterprise systems in critical industries, like oil & gas, chemicals, and power generation. Connectivity has emerged as an enabler for improved control and reliability of distributed infrastructure assets like pipelines, power distribution networks, and transportation systems.
Smart buildings exemplify the potential benefits. Today’s building managers leverage connectivity of OT and IT systems to reduce operating and maintenance costs. Owners and tenants alike use shared, often wireless, networks to connect a multitude of devices to enhance productivity and security.
While these connectivity-related developments offer significant benefits, they also increase the risks of cyber incidents. Connectivity creates new attack vectors, removes barriers to lateral movement, and enables broader access to information stores and critical control systems that amplifies the potential impact.
These developments create serious challenges for IT cybersecurity teams charged with managing the security of all corporate cyber assets. It may not be possible to use conventional IT cybersecurity solutions and practices in OT systems, particularly those with legacy products and time-sensitive networks. Having little control over the internal security of OT systems and IoT devices, teams also often enable remote support by vendors, adding the risks of compromised connections, corrupted downloads, and potentially insecure vendor support systems.
As a result, organizations need to have the people, processes and technology in place to minimize the impact of the almost inevitable cyber intrusions. These capabilities should include rapid detection of compromised devices and lateral movement attempts, quick isolation of suspicious cyber assets, and timely restoration of systems to minimize disruption to the organization’s operations.
Recently, ARC Advisory Group discussed these challenges with executives at Blackpoint Cyber. This firm offers a proven suite of products and services for dealing with the security threats of blended IT, OT, and IoT systems.
Blended Systems Have a Variety of Cybersecurity Issues
Blended systems integrate a diverse set of systems and devices with varying cybersecurity safeguards. Although many organizations implement some form of cybersecurity, it may not sufficiently align with the unique infrastructure and challenges of blended systems.
IT, OT, and IoT cybersecurity programs have significantly different goals. Protecting the confidentiality, integrity and availability of information is paramount in IT cybersecurity, while OT cybersecurity efforts focus on protecting the availability and operational integrity of automation systems and physical assets. IoT cybersecurity efforts are often limited to secure product development lifecycle processes (SDLC).
The people, processes, and technologies differ as well. Security management within industrial OT systems is subject to a unique set of constraints, like lack of time for updates and restrictions on internet access. IoT device cybersecurity normally involves extensive supplier support. IT cybersecurity teams need to understand and address these differences in the cybersecurity strategies they develop for blended systems.
OT system owners and suppliers generally understand the safety and business continuity risks of cyber incidents. Many have also implemented security programs based upon government and industry guidelines and standards. However, under-secured OT systems are still common. This is due to the prevalence of legacy products with fundamental security weaknesses; the inability of existing assets to support security products and secure messaging protocols; and lack of resources to sustain security hygiene and respond to alerts.
The expected 30- to 40-year lifetime of OT systems compounds these problems. Replacing insecure equipment is rarely an option, so companies often use isolation to compensate for the lack of internal OT system security. Connectivity with IT systems, other OT infrastructures, and the Internet clearly weaken this protection strategy by enabling new attack vectors and opportunities for lateral movement between all connected assets.
Insecure IoT Devices
Discovered in 2016, the infamous Mirai Botnet created global concern about the security of IoT devices. Reports in 2018 of serious vulnerabilities in home and business routers that allow attackers to monitor messages show that device security still merits concern. IoT security frameworks and solutions are emerging but currently offer limited help. Suppliers and users still need to overcome many hurdles. These include certification of secure development lifecycle (SDLC) practices across myriad manufacturers; management of security across incredibly complex product and software supply chains; and, implementation of secure product distribution, installation and provisioning activities.
Despite the security risks, companies are broadly deploying IoT devices in blended IT and OT systems. Security teams need to be prepared for compromised devices. Connectivity ensures that compromises will rapidly propagate to other systems and, as Maersk’s 2017 experience with NotPetya shows, the impact could be devastating.
Blended Systems Require Enhanced Cybersecurity
Existing IT cybersecurity programs are rarely adequate for blended systems. Changes are normally needed in people, processes, and technologies. Monitoring and response capabilities must be enhanced to address the expanded attack surface and opportunities for lateral movement among connected systems and devices.
IoT cyber risks are high, but this is not a new challenge for most IT cybersecurity teams. Many have developed policies to ensure the security of IoT devices directly connected to IT networks. But these policies do not address IoT devices within OT systems nor the associated management constraints of OT environments. Stronger OT cybersecurity and enhanced system monitoring are the only ways to ensure that all systems remain secure from attacks on these devices.
To strengthen OT security, IT teams need to understand what’s required to protect these systems, how connectivity impacts OT cybersecurity, and where unique constraints limit use of conventional IT security solutions and practices. ARC’s Industrial Cybersecurity Maturity Model developed for industrial OT systems can help IT teams address these needs.
ARC’s model structures OT cybersecurity as a series of steps with specific security goals and associated actions. Each step adds an additional layer of defense for critical controllers and devices. The model also shows the kinds of human resources needed to implement and sustain the effectiveness of these technology investments.
While it’s likely that IT cybersecurity professionals are familiar with the concepts and recommendations in ARC’s model, applying these in OT environments presents unique challenges:
- Secure – OT systems can be disrupted by active IT infrastructure fingerprinting. Developing and maintaining accurate inventories requires passive methods or controlled scanning that reflects deep knowledge of OT assets.
- Defend – Many OT assets use proprietary hardware and software that cannot support conventional access control and anti-malware software. Automatic updates and connections with cloud-based systems are also constrained. Compensatory controls like hardware device firewalls are often required to overcome these security gaps.
- Isolate – Insecure devices and network protocols are common in OT systems, making isolation a mainstay of OT cybersecurity. This includes physical security, perimeter firewalls, and internal firewalls that create secure conduits between individual control zones. Loss of isolation needs to be compensated through other measures.
- Monitor – While extremely important, conventional IT solutions are rarely used to monitor OT devices and networks. The time sensitivity of networks generally limits use of intrusion prevention and other active network appliances. Passive monitoring approaches are gaining acceptance, enabling IT teams to strengthen the security of OT systems.
- Manage – Backup management and rapid response capabilities are generally weak for OT systems. Managers of OT systems lack the staff and expertise to properly deal with these critical issues.
Lack of cybersecurity resources, including skilled and well-trained staff, is a significant problem for OT cybersecurity and a major contributor to the limited security management of many OT systems. This issue must be addressed quickly to avoid losing the benefits gained through security strengthening efforts. While training internal IT people in OT technologies is one option, use of external service providers with OT cybersecurity expertise is often more cost effective.
Blackpoint Cyber Addresses Key IT-OT Challenges
Blackpoint Cyber is a US-based company focused on cyber defense. Leveraging the company’s previous experience as US Intelligence cyber operators, Blackpoint built its SNAP-Defense platform to detect and stop cyber threat tradecraft and techniques like those used in numerous high-profile attacks such as Sony Pictures, Saudi Aramco, the various attacks on the Ukraine Power Grid, and the 2018 Winter Olympics. Originally developed to protect traditional IT infrastructure, Blackpoint has enhanced SNAP-Defense’s capabilities to include support for OT and IoT networks, creating one security platform that integrates both IT and OT security. This approach leverages the fact that attacks on OT systems often begin with compromises of the organization’s IT infrastructure, as well as traditional IT equipment used in OT networks. Since IT or OT infrastructure compromises can impact business continuity, this approach enables organizations to minimize all cyber risks with a single solution.
Blackpoint designed the SNAP-Defense security operations and incident response platform to enhance defender effectiveness by reducing the time and effort needed to detect, understand, and block cyber threats. The platform consists of the following components:
- Network Interaction Server (NIS) – continually collects and analyzes data from network and patented endpoint sensors, which focus on detecting network enumeration and lateral spread. It also interfaces with many third-party products, such as anti-virus and vulnerability scanners. Collected information is sent to the SNAP UI.
- SNAP UI – displays information received from NIS components including alerts and infrastructure data. SNAP UI builds a live, auto-updating network map that provides context for alerts and rapid access to the detailed information needed to evaluate the severity of any anomalies. Suspicious devices can also be rapidly contained through a simple point-and-click process. SNAP UI provides real-time and historical reporting, monitors remote access, tracks privileged accounts, integrates third-party alerts, supports real-time response, and maps compliance frameworks.
- NICOS – hardware appliance that extends SNAP-Defense capabilities to include OT and IoT network devices. NICOS, a passive network monitoring solution, connects to the NIS module and collects information on OT networks. The resulting information is fully integrated into the SNAP UI network maps. NICOS monitors OT networks for multiple threats, including enumeration efforts that attackers use to discover network architecture, obfuscated traffic, port scans, dangerous outbound traffic, and remote access. This latter capability is particularly important for monitoring the actions of vendors providing remote support of OT systems and IoT devices.
SNAP-Defense supports both on-premise or cloud deployment. It is also multi-tenant to support managed service and security providers (MSP/MSSPs). According to the company, this multi-tenant capability is particularly beneficial for building owners, geographically distributed organizations, and MSP/MSSPs that support small manufacturers with limited cybersecurity resources. Blackpoint Cyber also uses this capability to support its own 24/7 managed detection and response (MDR) security service. This can help organizations with limited resources and budget afford integrated, advanced cybersecurity protection with round-the-clock-coverage by experienced cyber defenders.
As we learned, Blackpoint Cyber has a variety of customers in the US, Canada, and the Middle East, including small manufacturers and managers of commercial real estate. The company also recently reported $6 million in new funding to support additional product enhancements and business expansion.
Connectivity of IT, OT, and IoT systems is rapidly increasing in many sec-tors. These blended systems create new and challenging cybersecurity concerns for managers. The expanded attack surface increases the risk of interruptions to business operations and connectivity raises the potential impact by enabling rapid lateral movement. Cybersecurity teams need to be prepared to deal with these additional challenges. Solutions, like Blackpoint Cyber’s SNAP-Defense and MDR service, can help these teams protect blended systems effectively and efficiently and should be on every manager’s radar. They help ease defender workloads and provide the integrated visibility necessary to defend OT and IoT networks.
If you would like to buy this report or obtain information about how to become a client, please Contact Us
Keywords: OT, IoT, Cyber Security, Threat Detection, Visibility, Vendor Access, ARC Advisory Group.