In various industries around the world, there’s a major movement towards going digital. You’ve probably heard of the IoT – and now the IIoT, or the Industrial Internet of Things, is bringing digital connectivity to manufacturing floors, commercial buildings and even the electrical grid. And this trend not only has an impact on information technology (IT) but also on operational technology (OT).
How Does the Digital Transformation Impact Cybersecurity?
As technology continues to evolve, organizations are constantly adopting better and more efficient ways of doing business – but this new digital transformation also gives rise to new threats and vulnerabilities. Gone are the days when critical infrastructure relied on air gaps for security alone.
Today, there are more smart devices than ever, and when there’s a business need to connect a component that was not designed for secure connection to a network, you open up a huge vector for possible exploitation. It’s also important to know that external threat actors have evolved over the years and now deploy more sophisticated methods and capabilities to carry out cyberattacks. As a result, companies are swinging into action to protect what matters to them.
What Exactly Are OT Networks?
Aside from regular IT devices, an OT network might include SCADA (supervisory control and data acquisition) systems, building automation systems and DCS (distributed control systems). These systems are used to monitor and control motors, sensors or controllers, and they continuously collect and send relevant data to control rooms and ERP systems. They rely on high-speed communications through fieldbuses and standard ICS (industrial control system) protocols like HART, PROFIBUS, Modbus TCP, BACnet, and so on.
Much like in IT, system reliability is also a top priority in OT. Poor cybersecurity practices could potentially cause harm to critical operations. Companies need to be proactive to improve their cybersecurity policies by focusing on some core principles, such as asset management, training and staff awareness of secure access and configuration.
Is There a Difference Between IT and OT Security?
IT and OT have entirely different priorities when determining and balancing risk. IT uses the CIA model, which stands for confidentiality, integrity and availability, to determine how data and systems are protected, while the orders is reversed – availability, integrity and confidentiality – when making similar decisions in OT. This means that within an IT network, a system can usually be taken offline to apply updates and patches on the fly. But in an OT network, a higher level of planning and change management processes are required to make any modifications to protect operations.
There are several gaps between IT and OT security, from budgets to differences in domain knowledge and the prioritization of cybersecurity goals. IT security teams tend to be proactive, with many security tools at their disposal, enabling them to constantly find and mitigate vulnerabilities. Even though OT security teams may assign a similar priority to cybersecurity, they may not be able to install such tools within the OT network or to take down systems immediately in order to apply security updates and patches.
Recently, greater efforts have been made towards IT and OT convergence, and it’s important to continue this dialogue, so that experts from both fields gain a better understanding of how they can support each other and align on their cybersecurity objectives.
Types of Data Breaches
One example of an IT data breach is the recent Microsoft Exchange server incident, which may have affected over 30,000 organizations in the US. This is significant because it shows how a vulnerability in one type of off-the-shelf software could be exploited across multiple organizations.
Similarly, it was reported that hackers had gained access to the Oldsmar Water Treatment Facility through domain software on a workstation and tried to raise levels of sodium hydroxide, a chemical used to control the acidity of water, by a factor of more than 100. While this could have happened in many different ways, the point is that similar breaches can occur both in IT and OT networks – the question is not if but when. This highlights the importance of taking ownership to protect your assets and people.
Taking a Holistic Approach to OT Security
OT systems are fragile in general. They may be many decades old and have limited or no ability to receive patches or updates and become increasingly vulnerable with each passing day. Organizations need a comprehensive cybersecurity strategy to manage legacy devices, update configurations and regularly apply patches to equipment that supports patching. At the same time, they need to implement an additional layer of protection to safeguard legacy devices that are critical to operations while ensuring the security of new changes being made to their OT network.
There are several OT security solutions out there – which one is right for your business really depends on what you’re looking for. For boundary defense, there is the Cisco ISA firewall as well as Eaton-branded firewalls like MTL Tofino with deep packet inspection for OT protocols. Tempered sells a zero-trust solution with secure remote access, while Tenable OT, Tripwire and Dragos all offer products for monitoring. These are the big players within the market today.
These solutions have similarities but also come with different requirements. Cybersecurity experts typically go for products that integrate properly with the existing system. They will look at the deployment structure, the mode of operation and whether a solution is intrusive or passive to the network, and they’ll also consider the maintenance effort.
Eaton’s Approach to Cybersecurity
Eaton takes a comprehensive approach to cybersecurity, known as the secure development life cycle or SDLC, to ensure that all products and solutions apply a secure-by-design philosophy and comply with a wide range of industry standards and best practices. Our cybersecurity framework also covers vulnerability management and incident response, which are necessary to actively find, address, communicate and fix cybersecurity issues within our products and solutions.
It is also worth noting that UL and IEC have validated a number of Eaton’s intelligent and connected devices against the UL 2900 and IEC 62443 cybersecurity standards. In addition, Eaton offers a range of cybersecurity services to help our customers to design, deploy and maintain their systems. Specifically, our industrial network defense service can be used to secure legacy systems through the application of boundary defenses, hardening and other mechanisms to ensure safe remote access and protect against threats.
What to Consider When Choosing a Cybersecurity Services Vendor
Make sure that vendors have cross-functional experts, not only in cybersecurity generally but with a specific focus on OT and ICS systems. They should understand the criticality and real-time safety and availability requirements of the systems and be able to apply OT cybersecurity practices effectively. As mentioned earlier, ICS and OT cybersecurity are not exactly the same because many IT practices and tools, if applied incorrectly, can damage equipment, trip systems or worse cause physical harm. In order to manage the digital transformation and ensure business continuity, it is therefore of utmost importance to combine aspects of both IT and OT security, rather than privileging one over the other.
Download Eaton’s new whitepaper “Cybersecurity considerations for industrial control systems” to learn more.