Cybersecurity has traditionally focused on Information Technology (IT) not Operational Technology (OT) for several reasons. First, unlike IT that is used for administrative operations, OT or the hardware and software that is used to manage industrial operations was not connected to any network. Second, many of the tools were mechanical. Third, those tools with digital controls used closed, proprietary protocols. Fourth, OT commonly and historically is organizationally segregated from IT. However, things have changed, and as a result OT needs to be given the same security consideration as IT.
Most industrial systems now have digital controls and are connected to IT systems and networks to enable remote monitoring, data analysis, and maintenance. The other significant change is that internet-connected sensors that make up part of the Internet of Things (IoT) have moved into office environments (mainly consumer IoT) and industrial control systems (commonly known as Industrial IoT or IIoT) to support what is widely referred to as Smart Manufacturing or Industry 4.0.
This connectivity and use of IIoT devices mean that OT now faces the same cyber threats as IT, particularly in the context of Smart Manufacturing where air-gapping and uni-directional firewalls are disappearing because of the need for bi-directional communications, and because OT typically lacks the defence capabilities and security processes of IT. This is despite the fact that threats to OT have a higher impact than classical IT because OT systems include not only manufacturing systems, but many of the systems that support critical national infrastructure, including hospitals, gas and oil pipelines, water purification plants, power stations, and traffic lights.
IoT has also become an integral part of our daily lives in the office and at home in a wide variety of smart devices, but these “things” share the fact that they are all connected to the public internet and that they often lack the most basic security controls. As a result, consumer IoT products such as internet-connected CCTV cameras have already led to a number of security breaches.
OT and IoT/IIoT security, therefore, is now of paramount importance, and was a key theme at this year’s KuppingerCole Analysts’ Cybersecurity Leadership Summit, which featured presentations on a wide range of related topics, including initiatives to protect the supply chain, building cyber defenses for Industry 4.0, using AI to defend OT systems, and an overview of global IoT security standards.
An OT environment presents a special case for the cybersecurity practitioner. To the degree possible, OT protection should leverage the increasingly powerful controls implemented on the IT infrastructure and, to the degree possible, adopt the zero-trust approach of the organization.
— Graham Williamson, Senior Analyst, KuppingerCole Analysts
Audio/video
Attendees of the Cybersecurity Leadership Summit heard how the German Federal Office for Information Security (BSI) is addressing the threats facing OT, and working on a potential solution for securing the supply chain. To find out more, watch this presentation on Cyberattack Risks for Manufacturing Industries, Operational Technology, Industry 4.0 & Recommended Countermeasures.
Staying on the topic of global standards, have a look at his presentation on the status of IoT Security Policies and Standards - A Global Perspective and this KC Live presentation by the IoT Industry Council of South Africa on Data Securing and IoT Challenges.
Discover more about the threats and risks facing OT and what can be done to counter them by watching this panel discussion entitled: Industry 4.0 - How to Build a Dynamic Cyber Defence, and to find out why the vulnerability of communication and database servers associated with industrial systems should be given highest priority, have a look at this presentation entitled: OT Security - The Weak Point Is the Periphery.
OT environments sometimes lack visibility of the threats they face because many OT systems and IIoT devices can’t run endpoint security software, but all is not lost. Network Detection & Response (NDR) and Distributed Deception Platforms (DDPs) can help. To find out how, have a look at this presentation on Detection, Deception, and Response - The Role of NDR and DDP in Securing OT and ICS.
Artificial Intelligence and machine learning techniques are vital to automating the detection and analysis of cybersecurity and OT system incidents. Find out how AI can be used to precisely identify anomalies in the OT process indicative of equipment failure, a cyberattack, or a system problem by watching this presentation entitled: Using AI to Precisely Detect Anomalies in the OT Process.
OT security was also an area of focus at last year’s CSLS, and for an overview of the status of IT and OT security, some of the main challenges and trends, and some potential solutions, have a look at his presentation on IT-OT Convergence of Security.
If you would like to hear what our analysts have to say on the topics of OT and IoT security, listen to these Analyst Chats on Edge Computing, Protecting OT and ICS, and What (and why) is XDR?.
Security is one of five key pillars to success for an IoT deployment. For an in depth discussion of the importance of security, devices, control, communications, and IT in the context of IoT projects, have a look at this analyst presentation entitled: Meeting Expectations – 5 pillars for IoT project success.
To find out what data IoT devices typically collect, what emerging data types were not previously collected, the risks associated with connected devices, and what can be done to minimize those risks, have a look at this KC Live presentation on the Implications of IoT Security and Data Privacy with Connected Devices.
Providing a secure and user-friendly customer journey is the aim of most organizations using emerging technologies like IoT. To find out more about the essential protocols for doing that as well as the challenges associated with IoT projects, have a look at this EIC 2021 panel discussion on: Digital Identities and IoT - How to Leverage OIDC and OAuth 2.0 for the Best User Experience and Security!
For a wider perspective on IoT, have a look at this presentation on Where AI, Industrial IoT, Consumer IoT, Blockchain, Decentralized Identity, and Edge Computing Meet.
For an analyst’s perspective on the enterprise IT risks caused by consumer IoT devices and potential ways to incorporate them into existing enterprise security and identity infrastructures, have a look at this presentation entitled: The Sorry State of Consumer IoT Security and How Can We Possibly Fix it.
Research
If you would prefer to read more on the topic of OT security, and excellent place to start is with this Insight on: OT, ICS, and SCADA – What Every Cybersecurity Expert Should Know.
IT and OT convergence has brought with it greater security risks, but there are also business benefits. Organizations should plan for both. For recommendations in this regard, have a look at this Leadership Brief entitled: Join the dots: Operational Technology and Informational Technology.
The convergence of IT and OT is inevitable, so it is important that organizations ensure they are paying enough attention to the security implications. For some guidance on this, have a look at this Leadership Brief entitled: How to get a Grip on OT Cybersecurity.
Advisories
Our analysts have written Advisory Notes on a range of topics related to OT and/or IoT security. Review the list below and choose those topics that are most relevant to you and your business:
- Security and the Internet of Everything and Everyone
- Industrial Control Systems: Getting a Grip on OT Cyber Security
- Business Continuity in the age of Cyber Attacks
- Plant Automation Security
Blockchains are a potential means of improving security in the context of IoT security. For more on this topic, have a look at these Advisory Notes:
- Demystifying the Blockchain: What Makes a Blockchain Useful to a Firm?
- The Disruptive Potential of Blockchains in IoT Security
- Blockchains and Cybersecurity: Augmenting Trust with Algorithms
Blogs
If you would prefer to read short, concise perspectives by our analysts on topics related to OT security, choose from the following list of blog posts.
- Smart Manufacturing: Locking the Doors You've Left Open When Connecting Your Factory Floor
- Industrial Internet of Things: New Driver for the Digital Transformation
- Bridging the Gap Between IT, OT and Business in the Digital Transformation Age
- Security and Operational Technology / Smart Manufacturing
- Security is part of the business. Rethink your organization for IoT and Smart Manufacturing
Similarly, choose from the most appropriate titles of the following list of blog posts focusing on IoT security:
- Device Authentication and Identity of Things (IDoT) for the Internet of Things (IoT)
- Industrial Internet of Things: New Driver for the Digital Transformation
- Approaching the Internet of Things Security
- IoT in industrial computer systems (ICS)
- “A Stab in the Back” of IoT Security
Webinars
This webinar entitled Adding Certainty to Your Cyber-Attack Detection Capabilities touches on both OT and IoT security.
For webinars that related specifically to OT, have a look at this webinar on Industrial Control Systems: Understanding the Access Risks and Security Challenges and this one on Industrial Control System Security: Getting a Grip on OT Cyber Security.
For webinars that relate so IT security, have a look at this webinar on Digital Identities in the Internet of Things - Securely Manage Devices at Scale and this one on The Crucial Role of Identity in Securing Industrial IoT.
Tech Investment
Our analysts have written reports on various cybersecurity market segments aimed at helping organizations find the solutions that best meet their needs. The most relevant in terms of dealing with OT and IoT security is the Leadership Compasses on Network Detection & Response (NDR) and the complementary Network Detection & Response (NDR) Buyer’s Compass, which provides questions to ask vendors, criteria to select your vendor, and requirements for successful deployments.
In addition to the Leadership Compass report mentioned above, organizations investing in technologies to address OT and IoT security can have a look at some of the related technology solutions that we have evaluated:
- Cysiv SOCaaS
- Vectra Cognito
- ideiio
- Saviynt Security Manager for Enterprise IGA
- Oracle Identity Governance 2020
- Radiflow SCADA Security Suite 2019
- Exostar Supplier Risk Management 2019
This KC Navigator concludes the series of editions focusing on topics highlighted at this year’s Cyber Security Leadership Summit. It is also the last edition of the KC Navigator for 2021, but please look out for your next edition in early 2022 as we continue to highlight topical issues and provide links to content in the KuppingerCole Analysts archive that provides related support, guidelines, recommendations, and insights to enable your business to be cyber resilient.