IT and Operational Technology (OT) continue to converge, offering benefits such as greater efficiency and effectiveness in monitoring critical processes. This convergence enables organizations to effectively use data from a variety of sources, including industrial applications (including robotics), medical devices, and connected sensors (collectively known as the Industrial Internet of Things, or IIoT) to improve OT efficiency and safety, realize dramatic cost savings related to resource usage, and increase employee productivity. However, risks abound as IT and OT departments and their respective support systems converge.
Absent an effective OT security plan, OT enterprise and their integrated ICS/SCADA systems are left vulnerable to cyberattacks that could result in financial loss, reputational damage, diminished consumer confidence, and even threaten the safety of citizens—and in the case of critical infrastructures, also threaten national security.
ICS/SCADA Systems Face New Threats
It’s critical to safeguard integrated ICS/SCADA systems within an OT enterprise. There is an absolute dependence on safe and sustained operations that span everything from manufacturing to energy and utilities to transportation infrastructures – these OT vertical sectors comprise and deliver a range of services that citizens around the globe rely on daily. The advent of executive-level commitment to a digital transformation strategy and proportional operational efficiency gains has generated a significant range of cybersecurity concerns as these historically air-gapped systems are now exposed to cyber risks and a broader attack surface. As a result, as organizations pursue greater efficiency in their OT systems, the need to increase OT security rises as well.
But owing to the age, sensitivity, and complexities of many OT environments, it is becoming more difficult than ever for organizations to adequately protect their high-value cyber-physical assets. With this in mind, Fortinet and Forrester recently surveyed industry leaders who manage and maintain OT infrastructure – with the intent to identify and illuminate emerging security trends and practices affecting operations. This survey yielded three important findings.
1. A High Number of OT Breaches
Among survey respondents, only 10% reported that they had never experienced this type of threat. In contrast, 58% of organizations surveyed experienced a breach in the past 12 months, and as a result, more than three-quarters expect regulatory pressure to increase over the next two years. In fact, if the period of consideration is expanded to 24 months, the breach rate rises to 80%, illustrating that OT systems are indeed targets of primary interest. Consequently, it makes sense that the effort to commit more resources toward security has also been robust: 78% plan to increase their ICS/SCADA security budgets this year.
2. IT-OT Convergence is Progressing
Since OT systems have historically depended on software and hardware that was not connected to the internet, there was a natural reliance on the safety of an “air gap” between internal and external systems. Naturally, one significant by-product of converging IT and OT networks is the dramatic expansion of the attack surface, enabling access to an environment where vulnerabilities exist. Indeed, it is the very pursuit of operational efficiency through IT/OT convergence that has produced this broad connectivity and increased exposure to more traditional IT threats. This connectivity not only carries added risk, but opens the door wider for cybercriminals looking to target an organization, and in a way that was not possible when these systems were isolated.
The survey also found that organizations are concerned about how complicated it is to converge IT/OT systems. Almost all respondents (96%) foresee challenges as they move toward convergence, resulting in deliberate, careful movements that center on concerns around security. Among all respondents, more than one-third reported worrying about the following OT security issues:
- Connected smart devices may cause breaches
- Third parties lack the security expertise needed to help with converged technology and the Internet of Things (IoT)
- Keeping up to date on the latest security tactics and protocols
- An inability to perform isolation or containment tactics when a breach occurs
- Greater regulatory pressures for ICS/SCADA systems
- Confidential or sensitive data being compromised
- Lack of expertise by internal security teams to secure converged technology and IoT
Regulation compliance is a consistent concern. Seven in ten respondents report experiencing mounting compliance pressures over the past year, and 78% feel this trend will continue for the next two years. According to the report, the regulations making the most significant impact are International Society (ISA) Standards, the EU Data Protection Directive ( GDPR ), and the Federal Information Security Management Act (FISMA).
3. The Importance of Partner Access
For all their utility and necessity, business partners create an additional dimension of risk. While granting essential privileged access to appropriate personnel is critically important, being prudent to minimize controlled access equally vital. Organizations that were most successful at securing their environments were also 129% more likely to severely limit or even deny access to their business partners. The most successful organizations also granted only moderate access to their systems. And finally, these top-tier organizations were 45% more likely to execute critical security functions in-house as opposed to outsourcing such responsibility.
Converesely, they were more likely to have outsourced network analysis and visibility. Indeed, partner relationships are in many instances important, and on occasion even essential. That said, a careful approach to granting appropriate access, making the best outsourcing decisions, and identifying situationally ready partners are vital to securing OT systems amid digital transformation.
Planning ahead
Enterprise security hardening via the air gap is primarily a thing of the past now that OT and IT convergence is widely practiced. Among the many challenges this convergence introduces, IIoT creates significant security risks that must be addressed. The adoption of convergence also introduces some complexity and OT organizations must take precautions to prevent data leakage and the consequence of a cybersecurity event. The challenge is that OT breach rates are already currently high, and confusion over the right level of partner access only compounds the matter. To begin addressing these and similar challenges, organizations making this transition must stay updated on the latest threat intelligence to ensure critical OT asset protection, both now and well into the future.
