COMMENTARY

In the realm of cybersecurity risk, the obscure dark corner of the room is operational technology (OT). This is the space where computers and physical function come together, opening and closing valves, flipping breakers, stamping metal, and changing the temperature in your home from an app on your phone. This is also a place that most IT professionals and cybersecurity practitioners shy away from and look to as “that stuff over there we don’t really understand.”

The Lack of Attention on Operation Technology Attacks

The cyberattacks that make the headlines often impact consumers significantly. Historically, these targeted financial systems, hospitals, credit agencies, and occasionally government entities. What is less common to see is public acknowledgment of a cyberattack against true critical infrastructure. Stuxnet was one of the very first, but there was so much shrouded in the mystery of espionage that it did not have a major mental impact on most of the world’s population. In contrast, the 2021 Colonial Pipeline attack caused widespread gasoline shortages, highlighting the severe potential impacts of such attacks. Yet, only three years later, it has faded from public memory. Similarly, attacks on small water utilities in Pennsylvania and Texas received little public attention.

Why are people not more focused on securing operational technology, then? Perhaps it’s a lack of understanding and a bit of awe as to how much control computers can have; however, the OT space isn’t new tech. Many of the components in an OT environment can be decades old. Even still, seasoned network engineers and IT administrators alike may not fully understand OT communications protocols, making cyberattacks in this space more possible and simultaneously less discussed.

Reimagining OT Security 

How do we manage risk and protect the often-ignored underbelly of IT, which includes the infrastructure that keeps the lights on, water clean, medication available, and manufactured products flowing — all driven by OT?

Protecting this infrastructure isn’t overly complex. Here’s what’s needed:

  1. A solid risk management plan

  2. Visibility into what’s happening in those environments

  3. The ability to understand what’s normal so we can tell when something is not

  4. Documentation of what is supposed to communicate in OT environments and how and where that communication should happen

  5. The ability to have some protective mechanisms that will work in the environment

  6. A solid patch and vulnerability management program

  7. Secure and monitored remote access

  8. Vendor risk management 

If it’s that simple, why has protecting this infrastructure been so challenging globally? The primary issue is that available tools are either tailored for IT systems or designed for OT systems but lack necessary integrations for IT staff monitoring. SIEM tools, crucial for monitoring network communications and rogue activity, need to interface with cloud services — something OT environments avoid. Consequently, protective tools like CrowdStrike can’t be fully utilized. Even with partnerships with Claroty or Dragos, they still involve a proxy connection to the Internet.

Proposing Solutions, Highlighting Roadblocks

There are a few strategies that can be utilized successfully to manage risk in these environments.

The first is to have a thorough understanding of what information needs to flow and in which directions, and what portion of it needs to get to the outside world. Time and again we encounter scenarios in which there’s technical documentation about the operational side of the design but not up-to-date information about what data is flowing where and how it’s being utilized. The second is that most of the tools that are utilized for visibility in this space require specific network configurations.

These tools rely on network traffic analysis because it’s not typically possible to install traditional antivirus or endpoint protection software on the devices that exist in the OT space. That means there must be a mechanism to route the traffic to the inspection points. Most of these networks were designed for resilience and uptime, not for cybersecurity, so reconfiguration is often necessary to be able to route traffic in a direction that allows for inspection. These network resegmentation projects take a lot of time, tend to be expensive, and run the risk of operational downtime, which is something that no OT environment can typically tolerate.

The First of Many Bottom Lines

The urgency to secure our critical infrastructure cannot be overstated. Our critical systems can be protected from looming threats by embracing a proactive approach, investing in education, and fostering collaboration between IT and OT professionals. The cost of inaction is too high — our water, power, and safety depend on our ability to safeguard these essential technologies.

Is our water safe to drink? The answer lies in our commitment to securing the unseen, often ignored underbelly of our technological world. Only through vigilance and dedicated effort can we ensure the safety and reliability of our critical infrastructure for the future.

Source: www.darkreading.com