April 23, 2020

Three OT security misconceptions that make critical systems vulnerable

By Galina Antova

Operational technology (OT) is vital for the running of many key sectors including critical national infrastructure, manufacturing and heavy industries. A cyberattack against these sectors can have serious consequences not only for the organisation concerned but also for the wider population and economy.

However, common misconceptions around how to secure OT are making these systems vulnerable to threat actors. By understanding what these mistaken beliefs are, OT companies can take proactive steps to mitigate them and better protect these essential networks.

Misconception 1: OT can be protected in the same way as IT

The IT security market has been around for several decades now, so it is very mature and sophisticated with more than 3,500 companies providing different technologies.

Conversely, the OT security market is in a completely different state. Twenty years ago, OT networks were unconnected systems that worked in isolation, meaning that there was little threat from remote attacks. Then organisations started digitalisation projects in an attempt to drive efficiencies, and these projects saw OT networks becoming increasingly interconnected with IT systems.

This has led to the misconception that the methodologies and technologies developed over the past 30 years to protect IT can transfer across to OT. This approach does not work for a number of reasons.

For starters, the priorities of OT networks are completely different from those of IT: OT operators are more concerned about the uptime of their systems than about the confidentiality of data. This means that they cannot afford downtime for patching, updating and maintenance.

OT hardware has also been built to last, with some of it being more than 30 years old. However, as the cyber risk to these systems is a much more recent development, those organisations running OT systems are having to play catch up. The competing paradigms of technology that is rarely changed and a threat landscape that is continuously evolving are now colliding with each other.

There are also specific limitations of OT software that need to be considered, such as those around engineering stations and human-machine interfaces (HMIs). These usually have a refresh cycle of around five to 10 years, meaning the underlying OS tends to be fairly dated too. Further, Programmable Logic Controllers (PLCs), which are specialised computers used specifically on OT networks, are incompatible with Endpoint Detection and Response (EDR) technologies. All of this means that the systems that work in IT will not work in OT.

Both IT and OT security professionals want the same outcomes, such as risk reduction, asset and vulnerability identification, and being able to monitor and detect threats. However, the way they achieve this needs to be very different because of the constraints and characteristics of OT environments.

Misconception 2: Due to the differences, OT security needs to be rebuilt from scratch

There is a belief that in order to protect OT networks there needs to be a separate governance programme, a different SOC, and that all the processes and controls need to be recreated from the IT networks for the OT networks. However, this doesn’t scale or provide maximum risk reduction. Instead, organisations need OT security management to become an extension of the IT processes that are already running.

Businesses will already have a SOC that is running technology to supply metrics and telemetry from the IT network. Therefore, they need a solution that can plug into the OT networks and give the SOC the same measurements about outcomes, threats and alerts. The alerts will feed into the same SIEM solution and orchestration tools as the IT network, extending the visibility and reach into the OT networks. Having a unified approach means that the same team will be able to manage processes and govern the security policies across the OT and IT networks. Everything needs to tie into the same governance and security posture model.

What also needs to be considered is that data from an OT network can look significantly different to that coming from an IT network. As such, to be truly effective, the OT security information needs to be presented in a way that an IT security specialist will understand with minimal training. This includes leveraging the technology to give as much context as possible in a form that an IT security specialist will recognise and can act upon.

Misconception 3: The difficulty of patching and updating OT software means OT systems can’t be protected

The testing and validation of OT apps is done when they are released, which means they have to keep using the same operating system for which they were designed. If not, these apps and systems are likely to cease functioning and will be out of warranty. As these systems can be five to 10 years old, an OT operator could be running Windows XP or even Windows 2000.

The consequences are that the operating systems are vulnerable to attacks such as the NotPetya ransomware. Even though Microsoft created patches for older versions of Windows, organisations are reluctant to patch their systems due to the amount of downtime and the resulting disruption to operations. Some only run maintenance windows once every six months while others avoid them altogether and run systems until something breaks.

As such, many organisations had not installed the patch before NotPetya hit. The result was that these workstations were locked down and could not be monitored, which meant that the process had to be shut down, causing severe disruption. Seen through the eyes of an IT specialist these are issues that can be easily fixed, yet as we have seen, the practical realities of what happens on the ground mean that this is not so simple.

Organisations are therefore looking for solutions that are able to protect the OT network with all its unique qualities without impacting upon the business priorities, such as uptime and availability.

Given the known vulnerabilities of these systems, visibility into them and being able to quantify the risks is vital. Security teams need to have complete oversight of both their IT and OT networks to ensure that they are aware of every single asset and connection, as well as to be able to detect any unusual activity and act upon it.

Protecting an OT network presents its own unique challenges, but by overcoming the misconceptions and employing effective security measures the truth is that OT can be as securely defended as IT.

Galina Antova is chief business development officer and co-founder of Claroty, a security firm that bridges the industrial cybersecurity gap between information technology and operational technology environments.