Guest blog by Tom Le, Executive Director, Cyber, GE Digital Wurldtech – he looks at securing connected environments.
The Internet of Things (IoT) and the Industrial Internet of Things (IIoT) have transformed global communications and business operations. To be competitive, organizations must be connected. Gartner forecasts that 6.4 billion connected devices will be in use worldwide in 2016, up 30 percent from 2015, and that the number will reach 20.8 billion by 2020. In 2016, Gartner expects 5.5 million new devices to be connected every day.
The IoT and IIoT improve operational efficiency, but they also introduce thousands of new gateways to IT (information technology) and OT (operational technology) environments. And while both are vulnerable to attacks, the entry points and security risks for these sides of the business differ significantly.
The primary goal of IT security is to protect data; OT security strives to protect physical equipment and keep processes running. Whether from outside threats, like hackers or state-sponsored actors, or insider threats, such as a disgruntled employee or human error, unplanned downtime in critical IT and OT environments is not acceptable. This is especially true for industries such as oil and gas, utilities, healthcare and transportation, in which even a couple of minutes of downtime can mean tens of thousands of dollars lost or a risk to personnel. Every new sensor added to an IT or OT system is a potential vulnerability. When thousands of sensors are added, the attack surface grows significantly.
The more you are connected, the more you must control and secure
OT security needs to be a top priority for workers across all divisions of an organization. The interconnectedness of OT, IT and physical security systems, and the commitment of security and non-security professionals alike to be vigilant in protecting critical infrastructure, are extremely important. Organizations pursuing IoT strategies should be equally concerned with guarding the control systems that run their plants, machines and equipment. Yet according to a 2015 Ponemon Institute report commissioned by Raytheon, 66 percent of organizations are not ready to address these security issues. Organizations are putting their most critical assets at risk in an environment not equipped to protect them.
Many organizations wrongly assume that intruders cannot get into their critical infrastructure to create havoc because their OT systems are air-gapped or significantly isolated. This is a legacy technique that too many cyber security professionals still count on. They believe that their operational infrastructure is truly and physically isolated from unsecured networks such as the public Internet or unsecured local area networks. They do not appreciate that air-gapping, which may have been adequate several years ago, is no longer a control that cyber security professionals can rely upon.
Today, there can be a false sense of security when protecting a network that lacks an active, unsecured connection. There are two major reasons why this feeling is misguided:
1. Just because a system is operating in isolation doesn't mean it can't be connected. An employee simply opening an email on a workstation that also reaches the control network can bridge the gap.
2. In today's world, to raise productivity, a system must be connected. Somewhere along the connectivity chain, the system is going to become attached, either willfully or through a mistake. In fact, most CISOs are more concerned about accidental activity by authorized users than about threats from external adversaries.
The role of physical security manufacturers, integrators and installers
Until recently, security was rarely taken into account as part of product design. As a result, end users of legacy equipment and applications have to be diligent in applying security patches and staying aware of how changes to systems affect the overall environment. Beyond product design, there needs to be a cultural shift toward security within organizations. Many purchasers of new, more secure solutions still fail to change default passwords, leaving smart devices vulnerable to cyber attacks. It takes both smart design and smart users to enhance security.
To improve security, default credentials must be changed, and connected devices that need to be directly reachable over the Internet should be placed in their own network segment with access to and from that segment restricted. The segment should then be monitored to identify unusual traffic and flag any problems for corrective action. Given the number of connected devices, effective monitoring requires automation: a human cannot review every flow from thousands of sensors, but an inventory of expected assets and expected conversations can be checked against observed traffic continuously.
Why IT security solutions don’t work in critical infrastructure security
The cornerstone of IT enterprise security is software patching to eliminate underlying implementation vulnerabilities. Patch management is a particularly painful operation in an OT system: many organizations lack the infrastructure to qualify patches and confirm that they will not interrupt the software running their process. For this reason, they depend on vendors to test and validate that new patches will not affect control of their processes.
Further, applying a patch to an OT system usually means the system's operation must be shut down, which is not an ideal remedy when every minute of downtime imposes costs on the business. To avoid that downtime, the protection can be delivered instead to a security device that sits inline, directly in front of the control unit, so that a rule shielding the vulnerable function is applied in a hot mode while the controller keeps running (often called virtual patching). The caveat a practitioner should keep in mind is that such a rule only covers the network path the device sits on; the flaw itself remains in the controller until the vendor patch is applied during a planned outage, so the inline rule is a bridge to that patch, not a replacement for it.
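The following Python sketch is an added example, not code from the original post and not a GE Digital Wurldtech product. It shows the shape of the inline rule set described above for Modbus/TCP, a common controller protocol chosen here as an assumption: the device parses each request, drops malformed frames and write requests from hosts other than the engineering workstation, and the whole rule set can be swapped for a tighter one (a hypothetical read-only lockdown) without touching the controller. The host addresses, the 100-register cap and the sample frames are constructed for the example.

```python
"""
Added example, not from the original post and not a GE or Wurldtech product:
a minimal inline policy filter for Modbus/TCP requests, the kind of rule set
an inline security device in front of a controller can enforce and replace
without taking the controller down. Hosts, frames and limits are constructed.
"""
import struct
from dataclasses import dataclass

READ_CODES = {1, 2, 3, 4}      # read coils, discrete inputs, holding and input registers
WRITE_CODES = {5, 6, 15, 16}   # write single/multiple coils and registers


@dataclass(frozen=True)
class Policy:
    """Rules the inline device enforces; swapping the object is the 'hot' update."""
    allowed_codes: frozenset          # function codes the controller may receive
    write_hosts: frozenset            # hosts permitted to use write function codes
    max_write_quantity: int = 100     # assumed cap on registers/coils per multi-write


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code, pdu_data); raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not Modbus (0)")
    if length != len(frame) - 6:      # length field covers unit id + PDU
        raise ValueError("length field disagrees with frame size")
    return unit, frame[7], frame[8:]


def build_request(fc: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Encode a Modbus/TCP request (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def filter_request(src_ip: str, frame: bytes, policy: Policy):
    """Decide whether the inline device forwards a request to the controller."""
    try:
        _unit, fc, data = parse_modbus_tcp(frame)
    except ValueError as err:
        return "drop", f"malformed: {err}"
    if fc not in policy.allowed_codes:
        return "drop", f"function code {fc} not permitted by policy"
    if fc in WRITE_CODES and src_ip not in policy.write_hosts:
        return "drop", f"write from non-engineering host {src_ip}"
    if fc in (15, 16):                # multi-write: quantity and byte count must agree
        if len(data) < 5:
            return "drop", "multi-write header truncated"
        _addr, quantity, byte_count = struct.unpack(">HHB", data[:5])
        if quantity > policy.max_write_quantity:
            return "drop", f"quantity {quantity} exceeds cap {policy.max_write_quantity}"
        expected = quantity * 2 if fc == 16 else (quantity + 7) // 8
        if byte_count != expected or len(data) != 5 + byte_count:
            return "drop", "byte count does not match quantity or payload"
    return "allow", "policy ok"


# Constructed sample traffic: (source host, request frame).
SAMPLE_REQUESTS = [
    ("10.10.0.20", build_request(3, struct.pack(">HH", 0, 10))),        # HMI reads 10 registers
    ("10.10.0.30", build_request(6, struct.pack(">HH", 100, 1234))),    # engineering writes one register
    ("10.10.0.20", build_request(6, struct.pack(">HH", 100, 1234))),    # HMI attempts the same write
    ("10.10.0.30", build_request(16, struct.pack(">HHB", 100, 2, 4) + b"\x00\x01\x00\x02")),  # consistent multi-write
    ("10.10.0.30", build_request(16, struct.pack(">HHB", 100, 2, 6) + b"\x00\x01\x00\x02")),  # byte count lies
    ("10.10.0.30", build_request(8, struct.pack(">HH", 0, 0))),         # diagnostics, not in the allow list
    ("10.10.0.20", b"\x00\x01\x00\x00\x00\x20\x01\x03\x00\x00\x00\x0a"),  # length field says 32, only 6 bytes follow
]

NORMAL_POLICY = Policy(frozenset(READ_CODES | WRITE_CODES), frozenset({"10.10.0.30"}))
READ_ONLY_POLICY = Policy(frozenset(READ_CODES), frozenset())   # hypothetical lockdown: reads only


def apply_policy(policy: Policy, requests=SAMPLE_REQUESTS):
    """Return the verdict for each request under a policy; the controller is never touched."""
    return [filter_request(src, frame, policy)[0] for src, frame in requests]


if __name__ == "__main__":
    for src, frame in SAMPLE_REQUESTS:
        verdict, why = filter_request(src, frame, NORMAL_POLICY)
        print(f"{src:12} fc={frame[7]:3} {verdict:5} {why}")
    print("after read-only lockdown:", apply_policy(READ_ONLY_POLICY))
```

The point of the two `Policy` objects is the hot mode the text describes: moving from `NORMAL_POLICY` to `READ_ONLY_POLICY` changes what reaches the controller immediately, with no controller restart, while the controller firmware is unchanged and still needs the vendor patch.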
Avoiding the OT security blind spot
The exploding number of connected devices increases the risk of cyber attacks. To protect both OT and IT environments, organizations must have dedicated security policies in place, particularly as they move to increasingly interconnected environments. While many organizations have mature IT security practices, their visibility into the risks affecting the OT environment can be limited. To address this blind spot, organizations need visibility into which assets and control systems reside on the OT network.
Further, all connectivity to and from these assets has to be analyzed for potential attack vectors. Deploying an ever increasing number of connected devices without first removing the OT blind spot adds unquantified cyber risk that can ultimately affect the safety and availability of OT operations.
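As an added example of the asset visibility and connectivity analysis called for here, and of the automated segment monitoring mentioned earlier, the following Python script is not code from the original post; it builds an inventory of hosts observed on an OT segment from flow records and flags conversations the segment policy does not expect. The segment address range, the asset names, the allow list of expected conversations and the flow records are all constructed for the example.

```python
"""
Added example, not from the original post: build an inventory of the assets
seen on an OT segment from flow records and flag connectivity the segment
policy does not expect. Every address, asset name and flow is constructed.
"""
import ipaddress

# Assumed layout: one OT segment and the assets known to live on it.
OT_SEGMENT = ipaddress.ip_network("10.10.0.0/24")
KNOWN_OT_ASSETS = {
    "10.10.0.10": "PLC-01",
    "10.10.0.11": "PLC-02",
    "10.10.0.20": "HMI-01",
    "10.10.0.30": "ENG-WS-01",   # engineering workstation
}
# Internal address space for the example (RFC 1918); anything else counts as Internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Conversations the segment policy expects inside the OT segment:
# (source role, destination role, destination port).
ALLOWED_OT_FLOWS = {
    ("ENG-WS-01", "PLC-01", 502), ("ENG-WS-01", "PLC-02", 502),
    ("HMI-01", "PLC-01", 502), ("HMI-01", "PLC-02", 502),
}

# Constructed flow records as (source ip, destination ip, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.30", "10.10.0.10", 502),    # engineering workstation -> PLC, expected
    ("10.10.0.20", "10.10.0.11", 502),    # HMI -> PLC, expected
    ("10.10.0.99", "10.10.0.10", 502),    # host missing from the inventory talking Modbus to a PLC
    ("10.10.0.11", "203.0.113.7", 443),   # PLC reaching out to the Internet
    ("10.10.0.10", "10.10.0.30", 445),    # PLC initiating SMB to the workstation
    ("192.168.1.50", "10.10.0.10", 502),  # IT-segment host reaching a PLC directly
]


def is_ot(ip: str) -> bool:
    return ipaddress.ip_address(ip) in OT_SEGMENT


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def analyze(flows):
    """Return (inventory, unknown_hosts, findings) for a list of flow records.

    inventory: OT ip -> set of destination ports it was contacted on
    unknown_hosts: OT-segment addresses missing from KNOWN_OT_ASSETS
    findings: (kind, src, dst, port) tuples in the order the flows were seen
    """
    inventory, unknown, findings = {}, set(), []
    for src, dst, port in flows:
        for ip in (src, dst):
            if is_ot(ip):
                inventory.setdefault(ip, set())
                if ip not in KNOWN_OT_ASSETS:
                    unknown.add(ip)
        if is_ot(dst):
            inventory[dst].add(port)
        if is_ot(src) and not is_internal(dst):
            findings.append(("ot-to-internet", src, dst, port))
        elif is_ot(src) != is_ot(dst):
            findings.append(("cross-segment", src, dst, port))
        elif is_ot(src):  # both ends on the OT segment: check the allow list
            key = (KNOWN_OT_ASSETS.get(src), KNOWN_OT_ASSETS.get(dst), port)
            if key not in ALLOWED_OT_FLOWS:
                findings.append(("unexpected-ot-flow", src, dst, port))
    return inventory, unknown, findings


if __name__ == "__main__":
    inventory, unknown, findings = analyze(SAMPLE_FLOWS)
    for ip, ports in sorted(inventory.items()):
        print(f"{ip:14} {KNOWN_OT_ASSETS.get(ip, 'UNKNOWN'):10} ports={sorted(ports)}")
    for finding in findings:
        print("FLAG", *finding)
```

On the constructed flows the script reports one host on the OT segment that is not in the asset list, one PLC reaching an external address, a PLC initiating a conversation to the workstation, and an IT host reaching a PLC directly; the two expected engineering and HMI conversations produce nothing. In practice the flow records would come from a span port, a flow collector or the firewall between segments, and the allow list would be derived from the first weeks of observed traffic and then frozen.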