Many Operational Technology (OT) projects start by identifying the requirements and then dive straight into the design phase, where common OT security principles are neglected or ignored. Just because it is easy to begin designing doesn't mean that an organization should. It would be a mistake for any organization to simply begin designing against a requirement without a strategy. For an organization to implement a secure OT strategy, it must first design a comprehensive security architecture.
In fact, OT networks are, as some have observed, like M&M candies—“soft” on the inside, and not particularly “hard” on the outside, either. Once attackers get into an OT network—either via the internet or by using stolen credentials to traverse existing pathways between IT and OT—it is relatively easy for them to move around, perform cyber-reconnaissance and compromise industrial devices. A comprehensive security architecture is therefore not only required but should be mandated, so that the network is designed securely inside and out.
Distinguishing between design and architecture is very important for any project. Before a comprehensive architecture is possible, an organization must understand the distinction between architecture and design, and the pitfalls it will experience by not making that distinction.
First, let's focus on the differences between architecture and design and why each matters. When developing a secure strategy, an organization must come to terms with a common issue. A problem with technology consultants in general is that when presented with a business opportunity or a problem to solve, they typically devise a technology solution immediately.
A technologist or cybersecurity professional is invited to a meeting about a business opportunity or a problem, and because they are accustomed to being pressed for a quick answer, they will typically have a technology solution in mind before the meeting ends. They leave that meeting and move quickly to devising a technological solution. The issue is compounded when multiple departments and people are responsible for solving problems, as each individual solution lacks congruity with the others and the ability to integrate seamlessly.
Often, additional solutions are then needed just to integrate the individual solutions. The problem stems from a lack of clarity in the organizational architecture and an impulse to rapidly design solutions without being informed by an overarching architecture.
Proper architecture is a technology-agnostic description of a business requirement that allows an organization to look strategically beyond the problems and opportunities of a single implementation. While design is important, you must first have a translation of the organization's mission, goals and requirements, and that translation is the architecture.
Having an architecture first allows the organization to solve technology and service problems collaboratively. The organization is better able to ask questions about business requirements that have not yet been asked, which leads to the secure strategy required to implement that architecture. Good architecture also highlights the pros and cons of specific technologies the business might want to adopt as part of its long-term strategic goals. Good architecture also helps an organization move away from immature, reactive behavior and become more proactive.
Historically, it was assumed that OT networks were secure because they were “air-gapped”—that is, physically separated from the internet and from corporate IT networks. However, industrial networks contain a complex mix of specialized protocols, including proprietary protocols developed for specific families of industrial automation devices. This heterogeneous mix complicates security for OT environments. Hence, a good secure architecture will not only improve the security posture of your organization but will also reduce its attack surface by guiding the organization toward a secure design.