Operational Technology (OT) is now a prime target for cyberattacks, with more than 80% of events starting with an IT system compromise, according to 2023 research by Rockwell Automation.
This creates a problem for OT-dependent businesses, whether it’s manufacturing, utilities or food production, because IT and OT teams have historically existed in different worlds, culturally as well as technically, creating an uneasy divide that now needs to be bridged.
Security incidents over the last few years include the cyberattack on a US energy operator, an unexplained incident at a car manufacturer that caused it to close its plants for a day, and a suspected ransomware attack that prompted a food company to shut down systems across North America. All highlight how a risk once thought to be theoretical has become a reality, making every kind of OT industry now a target.
Clash of cultures
As IT people look to lock down OT environments, they have to understand who they are dealing with: what matters to IT will have very little relevance to a team running 24/7 facilities. OT people are chief operating officers, plant managers, process technicians, maintenance technicians and electrical engineers. Automated production processes rely on Programmable Logic Controllers (PLCs) and SCADA systems; industrial Ethernet networks provide deterministic and real-time control. Safety, availability and performance are their priorities, with security a lot lower down the list.
When IT security people talk about threats, vectors, exploits and vulnerabilities, they might as well be speaking a different language. OT is often run on out-of-date and vulnerable systems. Modbus is a 40-year-old OT communication protocol that is simple and reliable, but it’s not secure. The DNP3 communication protocol used in process automation systems was only recently upgraded to include authentication and still doesn't have encryption.
This is a nightmare for IT. Security is fundamental to their role as they support information and data management and try to align their work with the overarching business strategy. OT is its own island, focussed on the control and automation of physical processes for production outputs in industrial environments.
Depending on who you talk to and their sentiment towards bridging the gap, it’s either a convergence or a collision of very different cultures.
Two worlds meet
Accelerating the convergence (or collision) of IT and OT is what’s become known as Industry 4.0. In manufacturing and production, it’s about more automation and data exchange. Capturing data at the point of production has far-reaching benefits, from cost savings to operational efficiency. Actionable insights taken from key data points can inform predictive maintenance or help identify machinery investments that deliver the best return.
Advances in OT, particularly the growth of IoT (Internet of Things), have quite literally connected the two worlds in ways that never happened before. Industrial IoT has challenged the hierarchical structure for industrial communications, known as the Purdue Model, which has kept computing and networks deterministic by having devices operate at separate layers, from sensors at the bottom to SCADA systems higher up.
The consequence is that a lot of legacy engineering, patched and maintained with very little regard for security, is now part of a wider network and potentially open to the internet. Basically, the threat surface of a company with OT has significantly increased, and all the evidence suggests that cyber criminals, often bad actors in nation states, are more than ready to take advantage.
With BT’s expertise in networks and security, coupled with a customer base that includes some of the world’s largest manufacturing companies, we are one step ahead of competitors when it comes to addressing the IT/OT convergence challenge. Our OT Threat Management Service provides practical steps that will protect a production environment from a breach.
The BT strategy is to devise a proof-of-concept for a holistic solution that addresses the vulnerabilities and creates proper segregation between IT and OT. But first, we workshop our plans with both teams – IT and OT together – because the fix will only work when the two cultures are aligned and singing from the same song sheet.
What could Operational Technology Threat Management do for you? Visit www.btireland.com/security/operational-technology-threat-management to find out more.