August 28, 2020

Why OT cybersecurity is the Achilles’ heel for many organisations

By Richard Orange

Digitalisation now has a grip on every single industry, from agriculture to construction to healthcare. While this presents many opportunities, it also brings its own set of challenges and threats, meaning cybersecurity should be placed firmly at the top of any business’s priority list. Despite this, it could be argued that very few comprehend the full scope of protection needed to achieve full cyber resilience.

There are a few factors at play here that may explain this. Firstly, many organisations believe they are not a target for cyberattackers because they are “just a small company”. While this may be true in some cases, smaller companies can also present a gateway for an attacker to gain access to a larger network. It’s also a chance to test their assault tactics, as smaller companies tend to have fewer network controls in place to overcome.

By now it is obvious to most businesses that computers and Wi-Fi networks need to be protected. But securing a smart fridge or Wi-Fi-enabled coffee mug is unlikely to be at the front of most people’s minds. The complexity of the internet of things (IoT) ecosystem is still growing and, to make matters even more challenging, it now also encompasses operational technology (OT). An OT device is a piece or collection of hardware and software that monitors and controls how physical equipment performs at an industrial scale.

OT security: A unique fault line

OT such as building access systems or programmable logic controllers on large manufacturing lines is often overlooked when assessing a company’s cybersecurity posture: such systems may not appear to be ‘devices’ on the surface but do in fact house many individual connected components. Often, these devices were never intended to be connected to the internet.

Old expensive machinery and control systems, for example, present a unique fault line – they perform a business-critical role, but often cannot be patched and provided with adequate protection and are hugely expensive to replace, meaning businesses continue to use them even with the knowledge that they present a cyber risk.

And so, when you consider these two sticking points around effective cybersecurity – in tandem with the fact that small firms are suffering close to 10,000 cyberattacks daily and OT attacks increased by 2000% in 2019 – then business leaders would do well to reconsider what an ‘effective’ approach looks like within the context of OT.

Redefining people and processes for attack prevention

The first point to consider is that many organisations have a fragmented approach when it comes to deploying cybersecurity solutions, particularly now that the worlds of IT and OT are converging. This convergence is not just about technologies, but also about the teams and ways of working. Business leaders need to clearly define – and in some cases, redefine – what roles and responsibilities each team member has over the IT network to ensure there are no blind spots.

For example, what used to be the sole responsibility of one team member may now be jointly shared with another on the other side of the business, and these two people need to be in strong communication with each other to ensure that all responsibilities are being met. To prevent attacks and limit persistent threats further, there needs to be a greater focus on achieving device visibility and control across the entire network. After all, you can’t protect what you can’t see. And if you can’t see it, there is no way to manage it in order to prevent it from falling into the wrong hands. It may sound simple, but comprehensive visibility is actually pretty challenging; that’s because non-traditional IT devices, such as those that fall within the definition of operational technology, often lack – or in many cases simply don’t accept – functioning and up-to-date ‘agents’ that many security software solutions rely on in order to discover them.

All too often companies deploy security controls with a domain-level scope in mind. For example, the shiny new security tool only covers the campus network, neglecting mission-critical environments such as the OT domain. With this in mind, an agentless approach to visibility is advisable, whereby the security software dynamically identifies and evaluates network endpoints and applications the instant they connect to the network, no matter what domain they reside in.

Once full visibility has been achieved, the management layer for these devices should undoubtedly include assessing the cybersecurity posture of each device and assigning it specific network controls. Having insight into which devices are communicating with each other on the existing network, and what counts as legitimate traffic, is paramount for security. In an ideal world, every device on the network would only have access to the part of the network it actually needs to reach and no further, in order to contain the spread of an attack should the worst happen. This level of control is referred to as network segmentation, and it ensures criminals who infiltrate a weak point in the system cannot move laterally through the network and cause widespread damage.
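The two ideas in the preceding paragraphs, agentless visibility (learning what is on the network purely from observed traffic, without software on the OT devices) and a segmentation policy that says which zones may talk to which, can be demonstrated with a small script. This is an added example, not code from the article or from Forescout: the flow-record format, the zone subnets, the allow-list and the sample records are all constructed for illustration.

```python
"""Agentless inventory and segmentation-policy checking over flow records.

Added example (not the article's or Forescout's code). The zone map,
allow-list, log format and sample flows below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Hypothetical zone map: which subnet belongs to which security zone.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "engineering": ip_network("10.20.0.0/24"),
    "ot_plant": ip_network("192.168.50.0/24"),
}

# Hypothetical segmentation policy: (source zone, destination zone, dst port).
# A port of None means "any port" for that zone pair. Anything not listed
# is a violation, so the plant can only be reached from engineering hosts.
ALLOWED = {
    ("engineering", "ot_plant", 502),    # Modbus/TCP from engineering only
    ("engineering", "ot_plant", 44818),  # EtherNet/IP from engineering only
    ("ot_plant", "ot_plant", 502),       # controller-to-controller Modbus
    ("corporate", "corporate", None),    # office traffic stays in the office
}

# Constructed flow records: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_FLOWS = """\
2020-08-28T09:00:01 10.20.0.15:51000 -> 192.168.50.10:502 tcp
2020-08-28T09:00:05 10.10.4.77:49152 -> 192.168.50.10:502 tcp
2020-08-28T09:00:09 192.168.50.10:1024 -> 192.168.50.11:502 tcp
2020-08-28T09:00:12 10.10.4.77:52000 -> 10.10.9.2:445 tcp
2020-08-28T09:00:20 10.10.4.77:52010 -> 192.168.50.12:3389 tcp
"""

FLOW_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record; return None for malformed lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["src"], m["dst"], int(m["dport"]), m["proto"])


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def inventory(lines: List[str]) -> Dict[str, Set[str]]:
    """Agentless asset discovery: every address that appears in traffic,
    grouped by zone. Unclassified addresses land in 'unknown' so they are
    surfaced rather than silently ignored."""
    seen: Dict[str, Set[str]] = {z: set() for z in ZONES}
    seen["unknown"] = set()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        for ip in (flow.src, flow.dst):
            seen[zone_of(ip) or "unknown"].add(ip)
    return seen


def is_allowed(flow: Flow) -> bool:
    """Check a flow against the zone allow-list (default deny)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False  # endpoints outside any known zone are never trusted
    return (src_zone, dst_zone, flow.dport) in ALLOWED or (src_zone, dst_zone, None) in ALLOWED


def violations(lines: List[str]) -> List[Flow]:
    """Return the flows that cross a zone boundary the policy does not permit."""
    return [f for f in map(parse_flow, lines) if f is not None and not is_allowed(f)]


if __name__ == "__main__":
    records = SAMPLE_FLOWS.splitlines()
    for zone, hosts in inventory(records).items():
        print(f"{zone:12s} {sorted(hosts)}")
    for f in violations(records):
        print(f"VIOLATION {zone_of(f.src)} -> {zone_of(f.dst)}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Running the script lists three plant controllers that were discovered without any agent on them, and flags the two flows from a corporate workstation straight into the plant (Modbus on port 502 and RDP on 3389). In practice the policy table would be generated from an observed baseline and then reviewed, so that the allow-list reflects only traffic that the engineering team recognises as legitimate.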

Not all technology is created equal

Taking all of the above into consideration, what is ultimately important to remember about a cyberattack that takes advantage of weak OT security is that the difference between a piece of critical machinery being hacked, compared to an office printer or an employee’s laptop, is potentially enormous. Not only can data be compromised through lateral movement across the network, but crucial services and operations can be taken offline by the most unsophisticated of attacks.

For many businesses, data breaches are thought of as a case of ‘it won’t happen to me’ until it inevitably does. By recognising and mitigating this additional threat vector of operational technology, as well as achieving full visibility and control over the entire network, business leaders can ensure that cyber resilience is at its highest as digitisation continues.

Richard Orange is regional VP UK&I at Forescout, a cybersecurity company that specialises in OT cybersecurity and the ‘enterprise of things’. 
