The Rapid Digitalization of OT, ICS, and IoT: Opportunities and Security Risks
In many enterprises, Industrial Control Systems (ICS) and Operational Technology (OT) systems were kept isolated from IT environments, both logically and physically. ICS is generally considered a subset of OT. Internet of Things (IoT) devices, however, were designed to be networked, enabling real-time or latent data transmissions to applications to generate insights and to provide remote control capabilities. The connectivity of OT, ICS, and IoT systems to the cloud or corporate networks has increased across many industries, from manufacturing and pharmaceuticals to oil and gas and aerospace.
While this sea change in network connectivity and access policies offers benefits such as predictive maintenance, asset optimization, and enhanced productivity, it also dramatically expands the attack surface. Cyber attacks targeting OT, ICS, and IoT systems are no longer hypothetical. Attacks can have direct and severe consequences, from halting production lines to causing environmental damage or even endangering lives. Cybersecurity in OT and ICS needs to address unique constraints, including:
- Reliability requirements: OT systems often operate on very strict schedules and have uptime requirements that cannot be violated without severe safety and financial consequences. Security updates or patches need to be carefully planned to avoid disrupting critical processes. Allowing real-time patch updates directly from vendors is most often prohibited.
- Legacy systems: Many OT systems run on outdated hardware and software that lack the capacity or compatibility for modern security solutions. This means performing timely security updates may be practically impossible. Other measures may be needed to protect and contain such legacy systems.
- Physical access: In industrial environments, devices and sensors may be spread across large areas or even in distant, isolated locations, which makies physical security, network segmentation, and secure remote access imperative.
To address these limitations, security strategies must be adapted to meet the unique requirements of OT/ICS/IoT, with specific attention paid to the differences from standard IT infrastructure.
Key Differences in Securing OT, ICS, and IoT Environments
Despite the overlap between IT and OT, the two are distinct in their technological requirements, operational demands, and security challenges.
- IT Security: IT security solutions rely on a variety of well-established tool types like firewalls, EPDR, SIEM, SOAR, and IAM to safeguard data integrity and confidentiality. IT environments tend to prioritize agility, which allows more frequent software updates and rapid deployment of new security measures without significant downtime. IT tools use common protocols like HTTPS, SMTP, SMB, LDAP, etc., and for which many security solutions already exist.
- IoT Security: IoT devices can be found in a wide range of environments, from smart homes to warehouses to industrial facilities. They are often resource-constrained, with limited processing power and memory, which can restrict the type and complexity of security protocols they can support. Many IoT devices were simply not designed with security in mind. IoT devices use protocols such as CoAP, MQTT, and XMPP, which are less common in traditional IT and thus, IT security tools are less likely to have out-of-the-box support for. Vendor-provided or third-party IoT security solutions generally focus on ensuring data integrity, communication confidentiality over IoT protocols, protecting against device spoofing, and managing device identities and access.
- OT/ICS Security: OT/ICS systems are generally custom-engineered for specific applications, often running on special or proprietary protocols like ModBus, DNP3, OPC-UA, and S7. Security in OT/ICS environments focuses on maintaining uptime, integrity, and safe operations, with stringent requirements to avoid disruptions. Certain OT protocols lack built-in support for encryption or authentication, requiring additional protective measures. In most ICS and Critical Infrastructure Systems (CIS), safety of workers and the surroundings takes precedence over even computing security.
Security strategies for IT and OT therefore need to account for these differences. IT security focuses more on malware prevention via endpoint protection detection and response (EPDR), identity and access management (IAM), and network segmentation, while OT security demands robust intrusion detection, continuous monitoring, and a deep understanding of OT/ICS/IoT protocols to detect anomalous or malicious behavior.
Navigating the Divide Between OT Engineering and IT Software Engineering
Another difficulty in securing OT, ICS, and IoT environments is the difference in worldviews between OT engineers and IT software engineers. OT engineers prioritize reliability and safety, because failures in OT environments can have immediate and severe consequences. Conversely, software developers tend to prioritize rapid innovation and adding functionality, which can be a higher priority for their IT customers.
This culture clash can lead to friction in implementing security measures for IT and OT systems. Some challenges include:
- Risk tolerance: OT engineers have a low tolerance for change and untested solutions, while IT software developers are accustomed to coding and testing new technologies frequently to keep up with IT customers’ demands.
- Update and patch schedules: Software vendors may push regular software updates to deploy new features and security patches, whereas OT engineers have to schedule patches and updates comparatively infrequently, perhaps just one or two times per year, and see these as potential disruptions to uptime or performance.
Organizations can take two different approaches here. The first is to leverage IT security systems where they make sense: deploying EPDR agents where permitted by OT vendors, using OT/ICS/IoT-aware Network Detection and Response (NDR) solutions to find and stop malicious actors, using SIEM and SOAR systems for collection and analysis of all telemetry and additional response actions. The other approach is to implement dedicated OT/ICS security solutions. These OT/ICS security solutions can cover additional functions such as asset discovery and classification, scanning of USB devices (used for updating firmware) for malware, as well as monitoring and anomaly detection, and are designed to work in these environments with HMIs, PLCs, SCADA, and IoT devices.
Keeping Pace with Digitalization: Adaptive Security Strategies
As OT digitalization accelerates, security measures need to be agile, capable of adapting to emerging threats, and proactive in addressing potential vulnerabilities. Key strategies include:
- Zero Trust Architecture: Zero Trust models work on the principle of “never trust, always verify,” ensuring that every request for access is authenticated and authorized. This approach reduces lateral movement in networks, limiting the scope of damage if a device is compromised. Zero Trust Network Access is particularly important for securing remote access by vendors and contractors into OT/ICS networks.
- Network Segmentation: Network segmentation divides the network into isolated segments or zones. In OT, this means separating different parts of the production floor or critical control systems from non-critical zones, thus limiting the exposure of sensitive systems to potential threats. OT centric security solutions are often designed to enforce separation in accordance with the Purdue Enterprise Reference Architecture.
- Behavioral Analytics and Anomaly Detection: IT and OT systems can benefit from anomaly detection tools that learn regular patterns of behavior and trigger alerts when unusual activity occurs. Since some OT components lack basic security features like authentication, monitoring for deviations in traffic and user behavior can help detect and contain potential threats before they escalate.
Conclusion
Securing OT/ICS/IoT environments in the current era of rapid digitalization is a multifaceted challenge that requires a tailored approach for each organization. Join us at cyberevolution in Frankfurt, Germany on 3-5 December to hear more about OT and ICS security.