Risk Management
IT & OT security: How to Bridge the Gap
Connecting IT and OT environments can give industrial organisations powerful efficiencies, but it also introduces cybersecurity challenges. A new Trend Micro/SANS Institute report gets at the heart of those IT and OT security issues—and how to address them.
Eliminating the traditional barriers between IT and operational technology (OT) environments can extend the benefits of digital transformation across an entire industrial organisation. “As digital capabilities become more strategic, and complex work-arounds become less and less feasible, more companies are getting serious about breaking down these silos,” says McKinsey.
But greater IT/OT connectedness comes at a security cost, exposing traditionally walled-off OT networks to more threats and generally expanding the enterprise attack surface. While it’s logical to consider applying proven IT security concepts and approaches to the OT security domain, it’s not a one-to-one swap.
There are a few reasons for this. First, OT environments have unique constraints that need to be considered. As well, not every OT technology can support IT-style security solutions—and when they can, the OT environment often isn’t set up to provide the data security operations teams need.
To better understand these IT/OT security challenges, Trend Micro and the SANS Institute surveyed nearly 350 industrial organisations and have published a joint findings report, identifying a number of complex challenges related to people, processes, and technology.
A recognised need for OT security
Many organisations seem to understand the value of bringing IT security practises over into the OT environment. Just about half of all survey respondents said their enterprise security operations centre (SOC) has some level of OT visibility, and 37% said they had an OT-specific SOC. The majority (67%) of those without either said they plan to expand their SOC to include OT capabilities.
When asked where they face the greatest difficulty bridging the two together and overcoming the silos between IT and OT, more than half of all respondents (51.2%) said “people”—well ahead of processes (28.4%) and technology (18.6%).
People and IT/OT security
A big reason people challenges dominate is that OT security incidents require a combination of IT and OT expertise. Relatively few IT personnel have both, yet in 40% of cases, they’re the ones handling OT cybersecurity incidents.
Compounding the issue, 54% of respondents said training IT staff in OT security is their number-one barrier to expanding security operations. (Communication silos, recruitment and retention of staff who understand cybersecurity, and training OT staff in IT round out the top four.)
Part of what makes it hard to cross-train IT staff in OT security (and vice-versa) is that the two are founded on different principles. In IT, protecting data and assets from harm—and keeping private information private—is the name of the game. In OT, availability and safety take precedence.
Helping staff appreciate those differences is key and should be at the foundation of any training programme. Then they can learn about specific OT equipment and the technologies needed to protect it. One way to help IT and OT teams understand to the “other side” is by rotating them through the two work environments, giving them exposure to both.
The importance of process to IT/OT security
The need for incident response plans, priorities, and procedures is also well understood in both the IT and OT domains. Only 6% of respondents said their organisation had no OT-specific incident response plan. But here again the unique requirements of OT environments matter. For example, operations and engineering need to be much more active participants in OT incident response, and this should be reflected in any plan.
The U.S. Department of Homeland Security points out that “standard cyber incident remediation actions... may result in ineffective and even disastrous results” when used to respond to OT events, so customisation and adaptation are key. Quarantining or deleting files in an infected OT asset, for instance, could affect key industrial processes. The operational and safety impacts need to be thoroughly understood.
Standardising incident response processes—supported by automation where possible—also helps streamline them. This is highly valuable because both containing and eradicating cyber incidents are seen as amongst the most labour-intensive OT security activities.
Technology challenges for IT/OT security
To respond to cybersecurity incidents, an organisation needs to be able to detect them, and nearly half (45.7%) of respondents said their cyber event detection capabilities were less mature for OT than for IT security.
This is partly due to a lack of data. Where respondents said they have more expansive SOCs, only about half (53%) of their OT environments provide the data needed to detect cyber threats. This is surely related to the fact that endpoint detection and response (EDR) capabilities are deployed on a minority of OT systems and devices.
OT environments also have different legacy technologies and devices than IT environments, and those legacy technologies are perceived as a major barrier to making all critical OT systems visible to cybersecurity monitoring. Endpoint detection and response (EDR) systems often can’t support older OT technologies.
The upshot is that organisations wanting to make OT security risks more visible may need to assign dedicated resources, mature the organisation’s cybersecurity capabilities, and deploy purpose-built security solutions that can collect data to understand anomalies. Where these capabilities can’t be installed on a given device because it’s unable to run them, they can often still be deployed around the device to reduce blind spots in the environment.
What’s the way forward?
Given the increased networking of IT and OT environments, 63% of respondents said they favour establishing a shared capability to detect cyber events across the two. That requires a platform approach to cybersecurity—one that makes threats more visible across the whole enterprise. Extended detection and response (XDR) is really the only solution that can provide this today, monitoring the whole environment (if not every device) and centralising data for analysis, correlation, and faster identification of cyber threats.
A platform will also make overall security operations more efficient and effective, especially where automation can alleviate labour-intense security activities, reduce human error, and augment small or under-resourced teams.
With the right mindset and understanding of the inherent differences between IT and OT, and with the right tools in place, organisations can overcome their people, process, and technology challenges and benefit from closely networked IT and OT environments.
Next steps
For more thought leadership on IT/OT security, check out these other Trend Micro resources: