This blog has been repurposed from the August 2022 edition of InTech.
Cybersecurity for OT and IoT is a field of study and practice to prevent the unauthorized access, manipulation, and disruption of operational technologies (OT) and industrial and consumer Internet of Things (IoT) devices and platforms. New emphasis is now being placed on reducing incident severity across sectors that deploy these technologies, tapping into the strong safety culture throughout industrial environments.
The ISA/IEC 62443 series of standards—which focuses exclusively on industrial automation and control systems—succinctly defines the term security as the “condition of system resources being free from unauthorized access and from unauthorized or accidental change, destruction, or loss.”
There has been an increase in cybersecurity incidents, both those that are financially motivated and those primed to cause physical disruption, using both OT- and IoT-specific vectors and malware. Strategies for securing OT and IoT have traditionally deployed defense-in-depth approaches. Defense in depth is a strategy with various methods for introducing stop gaps for security across an organization, layering controls in a way that crosscuts people, technology, and processes and relies on tools and policies that ensure robust and redundant protection. Tools and policies may include endpoint security, access controls, segmentation, network monitoring, anomaly detection, patch management and allow listing, and additional cybersecurity solutions depending on the type and complexity of an organization, its assets, and its networks.
Admittedly, cybersecurity is a large, complicated—and intimidating—subject that is further complicated by its many interactions with adjacent subjects. Visualizations of what the subject includes take many forms. One particularly popular mind map was developed by Henry Jiang and improved over four years. Another popular graphic from Momentum Cyber categorizes the hundreds of tools that target various security needs and specialties, such as data, endpoint or application security, risk and compliance, and incident response. Interestingly, only a fraction of those tools—probably less than 10 percent—focus on OT and industrial control systems today.
At its roots, OT and IoT cybersecurity is an accidental by-product of Industry 4.0. The fourth industrial revolution, characterized by the real-time optimization benefits that connected systems provide to a business, has driven IT/OT convergence and exposed vulnerable OT and IoT systems. As technologies that help businesses realize the benefits of connectivity mature, so does the increase in risk. Put another way, the more important digital factories become, the more important OT and IoT cybersecurity becomes; the two are married.
In fact, cyber risk has been increasing so quickly that the federal government, insurers, cybersecurity professionals, and asset owners alike are struggling to keep up. On 7 May 2021 the U.S. suffered the largest attack to date on its critical infrastructure: the Colonial Pipeline ransomware attack, which shut down its pipeline system for five days—the first time it had done so in its 57-year history. The very day operations resumed, President Biden issued an executive order specifically referencing operational technology security, elevating the topic’s attention internationally.
From a legal perspective, courts are evaluating responsibility for cybersecurity incident liabilities. When Merck was affected by the 2017 malware attack known as NotPetya—which was deployed by Russia with Ukrainian companies as its primary target—Merck’s insurers famously declined the insurance claim by citing a policy exclusion for acts of war. However, in January 2022, a New Jersey Superior Court judge ruled that the exclusion cannot be used. This ruling will certainly cause actuarial calculations to change, further accelerating the already increasing premiums for cybersecurity insurance policies.
The Colonial Pipeline attack and major shifts in legal and liability rulings are just two examples showing that there has never been a moment of more rapid change within the OT and IoT cybersecurity space than today. And from an asset owner’s perspective, the business risks associated with OT and IoT cybersecurity have never been higher.
In OT and IoT, different systems are responsible for performing functions, controlling functions, monitoring functions, and analyzing functions, traditionally designed with mission state and continuity in mind. The evolution of the technologies we care about in OT began with on-premise connectivity between systems, often using Ethernet, to connecting multiple sites and often remote locations, to the expansion of supervisory control and data acquisition architectures. They are increasingly adopting cloud technologies. These systems are deployed and configured without visibility into the communications and data patterns that power their operating status, resulting in limited information to investigate and understand the root cause of a cybersecurity incident or data management accident.
The Industry 4.0 push for intelligence and the crunching of more data has led to the development of IoT solutions that require massive amounts of asset intelligence and data that few spend the resources to understand and maintain from a security perspective. With this landscape, the continued overlap of IT and OT, and the rapid expansion of smart devices for industrial and consumer use, asset owners are often left in the dark about how to address security concerns and mitigate risks.
It is clear that the technology available and the activities required to secure computer systems are enormous, but what may not be clear is how OT and IoT cybersecurity relates to cybersecurity generally. Is OT and IoT cybersecurity a subset of a broader cybersecurity space as some suggest, or is it entirely different?
The answer: OT and IoT cybersecurity is the practice of cybersecurity applied to OT and IoT systems. In some areas, securing OT and IoT systems is the same as traditional IT systems. Identical tools and processes can be leveraged. In other areas, they are entirely different, requiring specialized tools, protocol expertise, and tailored methodologies.
Trends in OT and IoT cybersecurity
On 24 February 2022, Russia began its invasion of Ukraine, which has affected international markets, foreign policy, and cybersecurity. The Cybersecurity & Infrastructure Security Agency (CISA) issued a “Shields Up” advisory as a direct response to the increased cyber risk. New strains of destructive malware—which leave devices permanently destroyed with no means to recover—have been detected in Ukraine, including WhisperGate, HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper. Worse, it has been reported that the malware has been detected on U.S. building automation system networks, a clear example of the risks to third-party OT/IoT asset owners when distant warring nations engage in cyberattacks.
There has been a full realization that operations that tolerate little to no physical downtime are lucrative targets. Threat actors are doing their homework and learning more about the purpose-built nature of OT and industrial IoT operations, meaning that unauthorized access is more dangerous than ever. Recent attacks have focused on three relevant trends:
- targeting centralized control and management capabilities as a single point of failure
- achieving longer dwell times, i.e., doing extra work to go undetected for longer periods
- increased understanding of OT and IoT operations to disguise manipulations as legitimate activity.
Within the technology space, OT-specific security tools continue to grow and gain popularity. OT cybersecurity pundit Dale Peterson recently posted a blog article stating that “the first OT security product segment to have a company, actually multiple companies, valued over $1 billion is OT detection.”
History demonstrates that the cybersecurity vendor market is extremely dynamic; over the past year, FireEye (products) and Mandiant (services) split, followed by an acquisition of Mandiant by Google for $5.4 billion. Such major merger and acquisition activity is part of a larger trend in surging merger and acquisition volume. We can expect this to continue, with OT and IoT cybersecurity software tools changing corporate ownership and growing in complexity and company valuation.
From a technical perspective, providers and asset owners are increasingly adopting cloud hosting as a part of their strategies. Nozomi Networks, for example, released Vantage, a cloud-based software as a service platform for OT and IoT security monitoring in 2020. Other tools, including Armis, MediGate, and many IT-oriented cybersecurity tools, also use a cloud-centric platform for security monitoring. As asset owners demand greater scalability and advanced analytics of enterprise-wide security data for insights, cloud platforms will continue to gain in popularity across all OT and IoT verticals.
Securing smart factories
Factories are historically data-rich but information-poor ecosystems. As the benefits of a smart factory drive more and more connectivity and intelligence drives innovation, the reality is that cybersecurity risks will grow. All smart factory initiatives must include a strategy for appropriately managing the risk to the business to a tolerable level, plain and simple.
To do this, organizations are increasingly investing in a security operations center (SOC) that monitors logs and events within their IT environments and OT environments in one location. Security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools are typically used to do this.
In effect, logs and events are aggregated from OT, IoT, and IT security tools into a single location, where analysts can continually monitor for suspicious activity. Or, after an incident has occurred, logs can be correlated, and a narrative can be built to understand how the incident occurred.
In the case of a SOAR, the tool may be enabled to automatically take preventive action when certain logs and events are seen. In some cases, additional software platforms are included in the mix, such as threat intelligence platforms to keep the team informed of the latest threat signatures and malicious activity occurring throughout the world.
Unfortunately, the investment required to deploy an SOC is massive. It is further complicated by the shortage of cybersecurity talent globally as well as by the realization that a security operation center alone is not sufficient. Instead, asset owners small and large are turning to managed security service providers (MSSPs) that integrate tools deployed within the asset owner’s environment into the MSSP’s SOC. In fact, Forbes published that the MSSP market is expected to reach $40.97 billion this year, based on Allied Market Research’s 10-year report. The trend toward SOCs, and outsourcing to MSSPs, is here to say.
Beyond traditional security monitoring, the OT and IoT environment is unique in that the underlying control systems are controlling a physical process. OT monitoring tools take advantage of this by not only alerting on known malicious signatures, but also by monitoring the process variables themselves and alerting on anomalies.
For example, if a process variable goes significantly outside its typical range or if a process variable stops updating, OT security monitoring tools can alert on that change without any manual configuration. Process variable anomaly detection is a hotly discussed topic, with pundits theorizing on how process variable anomaly detection may mature going forward.
Stay tuned for how this marriage between smart factories and cybersecurity responses continues to evolve.
About the Authors
Jacob Chapman has a background in automation engineering, project management, account management, industrial networking, and ICS cybersecurity. He is solutions architect, BD and Alliances, for Nozomi Networks. Chapman also maintains involvement and leadership positions in international societies and standard bodies, including as the Cybersecurity Committee chair of the ISA’s Smart Manufacturing & IIoT Division, a registered U.S. expert to TC65 of the IEC, and a member of the ISA99 standards development committee.
Danielle Jablanski is president of the North Texas Section of ISA, OT cybersecurity strategist for Nozomi Networks, and a nonresident fellow at the Cyber Statecraft Initiative of the Atlantic Council’s Scowcroft Center for Strategy and Security. Jablanski is staff and advisory board member of the nonprofit organization Building Cyber Security. She holds a master’s degree in international security from the Josef Korbel School of International Studies at the University of Denver and a bachelor’s degree in political science from the University of Missouri – Columbia.