No More Band-Aids: It’s Time for IT and OT Security Convergence

By Sreenivas Gukal, Head of Products and Co-Founder at Acalvio Technologies

Enterprises and regulated industries are becoming well aware that their risk management strategy must include cybersecurity for OT (Operational Technology) environments, and that the convergence of IT and OT isn’t just happening: it has happened. In OT, a high potential impact on safety and core operations is paired with an unfortunately limited focus on IT security in industrial environments, and that combination translates into substantial risk. Implementing security controls in such facilities is difficult for several reasons, including concerns that security controls will affect production availability, an overall lack of understanding of OT systems and protocols among the IT staff charged with monitoring them, onerous change management restrictions, and the frustrating inability to deploy many types of security solutions on OT systems.

However, just because there’s a lack of symbiosis and a gap in education doesn’t mean that every OT system is a cybersecurity tragedy waiting to happen. When you look a little closer at the way these systems are set up and managed, there are clear solutions for protecting them—and protecting them can’t always wait for the two sides to come to an agreement. When an OT device is attacked, it’s more than just critical data at risk. In the past several years, we’ve seen OT attacks at the heart of several critical infrastructure disasters, such as SolarWinds and the Colonial Pipeline attack, to name a few. This scale of attack is simply not acceptable in today’s world, especially when so much is at risk and there are viable security solutions to prevent it from happening.

A Standalone Discipline – Or Is It?

Though OT and IT have always had standalone protocols that theoretically set them apart from each other, there has never been a world in which OT cybersecurity has existed without IT input. It’s in the name: cybersecurity. Previously, OT devices were assumed protected because of what we now know as the myth of the air gap, meaning the network the OT devices live on is not connected to either the Internet or any other outside network. Of course, air-gapped networks do still need a solution to protect against potential insider threats, but those solutions are straightforward and have long been in action.

However, how do you update the software of a device that isn’t connected to a network? Historically, a technician has to physically bring in a USB stick, plug it into the equipment, run the upgrade, disconnect from the device, and hope nothing malicious gets in along the way. Another failure of the air gap is believing that the internal device network isn’t connected to anything else when it in fact is. Especially as remote work has become more common, formerly “air-gapped” networks have multiple points of outside entry.

In essence, if you want a protected network, you can never rely solely on OT expertise. When you bring a network of any kind into play, it requires the aid of someone well versed in IT solutions. With that in mind, what does the continued blending of IT and OT look like now?

OT and IT Security Aren’t Converging: They’re Already Converged

Though IT may have long been aiding OT in the setup of their networked devices, the whole concept of cybersecurity for OT still seems brand new. This is because these networked OT systems have only been built recently, leading to a lack of maturity in the space. In the past, when devices that had historically been OT-only had to be moved onto an IT network, they were moved in a patchwork fashion using outdated technology, typically because that’s all the organization had available. Cybersecurity solutions had to be developed specifically for OT environments because it’s difficult or even impossible to patch over those outdated IT protocols without customization. Even when organizations choose to fully adopt IT methods for their OT space, they might not have the manpower or expertise on their teams to execute cybersecurity solutions in a way that everyone on board can understand. This leaves us with a very specific need: a cybersecurity solution that can operate identically in OT and IT environments without the need for customization, and one that can be easily understood by anyone using it.

This is where deception-technology-based Active Defense comes in. Deception technology is unique in its ability to operate in OT and IT environments interchangeably, and it makes the blending of the two exciting rather than frustrating or even frightening. Because deception technology doesn’t rely on sifting through after-attack reports, but rather “captures” the attacker within the network as soon as the attacker engages with a deception artifact, the rules of engagement are straightforward even for OT experts who aren’t well versed in the cybersecurity space.
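As an added illustration of the rule of engagement described above (example code written for this article, not code from the article or from Acalvio’s product), the detection logic is the same on an OT segment and an IT segment: decoys have no production role, so any interaction with one is an alert, with no behavioural baseline or protocol expertise required. The decoy inventory, addresses and flow-log lines are constructed for illustration.

```python
# Added example: decoy-touch detection, the core rule behind deception-based
# Active Defense. Any flow whose destination is a decoy is a high-confidence
# alert, whether the decoy imitates a PLC on the OT side or a file share on the
# IT side. All addresses, names and log lines below are constructed.
from dataclasses import dataclass

# Hypothetical decoy inventory: decoys planted beside real assets on both sides.
DECOYS = {
    "10.10.1.50": "decoy-plc-modbus",      # OT segment: looks like a PLC
    "10.10.1.51": "decoy-hmi-web",         # OT segment: looks like an HMI
    "10.20.5.77": "decoy-fileserver-smb",  # IT segment: looks like a file share
}
# Hosts allowed to touch decoys (e.g. the deception platform's own health checks).
ALLOWED_SOURCES = {"10.20.9.9"}

@dataclass(frozen=True)
class Alert:
    src: str
    decoy: str
    dst_port: int
    proto: str

def parse_flow(line: str) -> dict:
    """Parse a constructed flow-log line of the form 'ts src dst dst_port proto'."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dst_port": int(port), "proto": proto}

def detect_decoy_touches(lines):
    """Return one Alert per flow whose destination is a decoy.
    No real operator or process has a reason to open a Modbus or SMB session
    to a host that does not exist in production, so every match is actionable."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow["dst"] in DECOYS and flow["src"] not in ALLOWED_SOURCES:
            alerts.append(Alert(flow["src"], DECOYS[flow["dst"]],
                                flow["dst_port"], flow["proto"]))
    return alerts

# Constructed sample flows: normal HMI->PLC traffic, a platform health check,
# then one host probing the PLC decoy and the IT file-share decoy in turn.
SAMPLE_FLOWS = """\
2024-05-01T08:00:01Z 10.10.1.20 10.10.1.10 502 tcp
2024-05-01T08:00:02Z 10.20.9.9 10.10.1.50 502 tcp
2024-05-01T08:00:03Z 10.20.3.41 10.10.1.50 502 tcp
2024-05-01T08:00:04Z 10.20.3.41 10.20.5.77 445 tcp
""".splitlines()

if __name__ == "__main__":
    for a in detect_decoy_touches(SAMPLE_FLOWS):
        print(f"ALERT: {a.src} touched {a.decoy} on {a.proto}/{a.dst_port}")
```

The same source touching a decoy on the OT segment and then one on the IT segment is exactly the lateral movement across the converged network that neither side's staff would otherwise see in one place.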

The convergence of IT and OT is not a future prospect but a reality that demands immediate attention. The vulnerability of OT systems, coupled with the historical neglect of IT security in industrial settings, has resulted in a cybersecurity risk to OT environments everywhere. Fortunately, solutions to protect OT environments are attainable, and the potential risk to critical infrastructure environments should supersede the fear of change. By simplifying the rules of engagement and enabling OT experts to navigate the cybersecurity landscape effectively, Active Defense and deception technology pave the way for a harmonious convergence of IT and OT security efforts, mitigating risks and fortifying critical infrastructure in an increasingly interconnected world.
