Guest post by Evan Birkhead.
5 Take-Aways from EMA’s new Industrial IoT Research
As reported by Reuters last year, Marty Edwards, who runs the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (known as ICS-CERT), warned that his organization observed a significant year-over-year increase in attacks targeting industrial control systems. Edwards said ICS systems are vulnerable because they are exposed to the Internet.
“We see more and more that are gaining access to the control system layer,” he explained. “I am very dismayed at the accessibility of some of these networks… they are just hanging right off the tubes.”
Director Edwards’ comments underscore the paradox of the Industrial Internet: The convergence of IT and Operational Technology (OT) enables the analytics of massive amounts of industrial data. On one hand, IT/OT convergence yields streamlined operations, improved safety, predictive maintenance and optimized processes. On the other hand, it is creating easily penetrable apertures that present enormous risks with potentially catastrophic outcomes.
EMA, the IT and data management research organization, has published a new study entitled “The Promise and Risk of the Industrial Internet” that tackles this paradox head-on. Convergence is occurring in an environment that wasn’t designed to be accessible from the outside world. Unfortunately, the problem is compounded by what EMA describes as a “tangled web of both cultural nuances and differing security standards and focus” between IT and OT.
So what can we do about it?
Fortunately, EMA maintains that successful Industrial IoT strategies will balance the needs of IT to provide protection from hackers, while simultaneously ensuring OT operators’ equipment will be reliable and safe.
Here are 5 take-aways from this seminal report that can help us get over the roadblocks:
- You can’t shoehorn IT security policies into OT.
The security strategy for OT was developed decades ago, under the assumption that restricting physical access to industrial control systems and networks was enough to protect them. Even the protocols used to operate and secure OT systems were developed long before TCP/IP existed. IT/OT convergence opens ICS systems to threats they were never designed to be exposed to, let alone prevent or otherwise defend against.
IT cannot manage OT with traditional security technologies, and the inconvenient truth is that IT organizations need to make the effort to learn how they are different. OT requires a completely different and distinctly separate approach to cybersecurity. As the report explains, “IT needs to understand that administration standards and SLAs that work for enterprise software do not necessarily work for OT.”
- Hacks into OT are potentially more catastrophic than those in IT.
While IT attacks typically focus on personal data (such as finances), hacks into OT can be life-threatening and can result in incalculable damage to critical infrastructure or bread-and-butter revenue-generating processes. The well-known German steel mill attack caused massive damage. A successful hack into an electrical grid can leave millions of people without power for an extended period of time. Access to a city’s water supply can impact access to many crucial resources.
Further, according to the report, “While an hour of downtime may be acceptable to patch a CRM system, it is simply not possible for OT systems that manage critical infrastructure or transportation to be down for even a few minutes.” These are important considerations when weighing OT cybersecurity challenges.
- Attacks on OT are no longer “if” but “when.”
EMA cites the accelerated pace of recent attacks, such as the state-sponsored attacks on the Ukrainian power grid. It describes a new world where it’s not hard to imagine how quickly attacks on critical assets can escalate to serious and even catastrophic consequences for millions of people.
With the convergence of networked applications, controls, and sensors for ICS, ensuring the security of physical assets and the safety of people who operate and rely on them is crucial for our very quality of life. Today’s technologists need to seriously consider the urgency of architecting a workable OT cybersecurity plan.
- The right technology can bridge the gap.
As described in the report, common IT firewalls are designed for IT perimeter security. They interrogate standard IP protocols and applications, blocking attacks based on standard Internet parameters. Industrial cyberattacks, by contrast, are based on granular machine instructions that alter system controls and sensor parameters, and cannot be caught by traditional firewall technology. Fortunately, the report concludes that the cybersecurity industry is making strides. Bayshore Networks’ IT/OT Gateway technology, for example, was designed from the ground up to address converged IT/OT security environments.
Specifically, the report recognizes the work of the Industrial Internet Consortium, which recently issued a landmark document, the Industrial Internet Security Framework, establishing best practices for Industrial IoT cybersecurity. The framework emphasizes the importance of five Industrial IoT characteristics: safety, reliability, resilience, security, and privacy.
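The contrast above between filtering on Internet parameters and inspecting the machine instruction itself, as an added example (not from the EMA report or any vendor's product): three frames that an address-and-port rule treats identically get different verdicts once the function code, register and value are checked. It assumes Modbus/TCP as the industrial protocol, which the post does not name; the register address, limits and host addresses are constructed.

```python
import struct

# Constructed site policy (assumptions for illustration, not from the report).
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
SETPOINT_LIMITS = {40: (0, 1500)}      # register address -> (min, max)
ENGINEERING_HOSTS = {"10.0.5.10"}      # only these hosts may write

def five_tuple_allows(src_ip, dst_port):
    """What a conventional firewall rule evaluates: addresses and ports only."""
    return src_ip.startswith("10.0.5.") and dst_port == 502

def build_frame(function, data, unit=1, tid=1):
    """Build a constructed Modbus/TCP frame (MBAP header + PDU) as sample input."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_frame(frame):
    """Split a frame into function code and data, rejecting malformed headers."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return frame[7], frame[8:]

def payload_policy(src_ip, frame):
    """Decide on the instruction itself: function code, register and value."""
    try:
        function, data = parse_frame(frame)
    except ValueError as exc:
        return "deny", str(exc)
    if function == READ_HOLDING_REGISTERS:
        return "allow", "read request"
    if function != WRITE_SINGLE_REGISTER or len(data) != 4:
        return "deny", "function code or payload not permitted"
    addr, value = struct.unpack(">HH", data)
    if src_ip not in ENGINEERING_HOSTS:
        return "deny", "write from non-engineering host"
    if addr not in SETPOINT_LIMITS:
        return "deny", "write to unlisted register"
    low, high = SETPOINT_LIMITS[addr]
    if not low <= value <= high:
        return "deny", "setpoint outside safe range"
    return "allow", "write within limits"

# Constructed sample frames: same source subnet, same port, different instructions.
READ = build_frame(READ_HOLDING_REGISTERS, struct.pack(">HH", 40, 1))
WRITE_OK = build_frame(WRITE_SINGLE_REGISTER, struct.pack(">HH", 40, 1200))
WRITE_HIGH = build_frame(WRITE_SINGLE_REGISTER, struct.pack(">HH", 40, 9000))
```

`five_tuple_allows` returns the same answer for all three frames from any host on the subnet; only `payload_policy` separates a read from a write, and an in-range setpoint from an out-of-range one.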
- The right partner can clear cultural roadblocks.
While the convergence of IT and OT has seemingly compounded the complexity of technology management overnight, the report encourages IT organizations to seek out partners with specific expertise in the area.
EMA concludes that successful Industrial IoT strategies will balance the needs of IT to provide protection from hackers while simultaneously ensuring OT operators’ equipment will be reliable and safe: “With the right technology partner and a champion that can help clear cultural roadblocks, organizations can ensure robust security with IT/OT convergence efforts, lending a foundation for greater cost and process efficiencies, as well as the competitive advantages that will come from harnessing the power of the industrial Internet of Things.”