Cybersecurity Punch List for CISOs Securing Converged IT/OT Environments

CISOs understand IT. Client-server architectures, patching servers, updating endpoints are all done by rote in today’s modern enterprise. Converged IT/OT systems, however, have introduced a new universe of proprietary operational technologies that must be managed securely to ensure automation processes remain stable, safe and available. 

As it turns out, every enterprise runs OT in some fashion, whether it’s a factory assembly line, elevators bringing patients to the operating room, or HVAC systems keeping vaccines viable. Connecting oversight of those critical systems and services to the internet has not only linked to them business leaders seeking efficiencies but also security leaders who must now understand these once air-gapped systems and manage new risks introduced by this exposure to the outside world. 

Every security leader newly introduced to OT should have a punch list of things to familiarize themselves with before challenges become overwhelming and insurmountable. Here are a few to consider:

OT Product Lifecycles are Longggg

Industrial devices and control systems are built for the long haul within automation environments. They operate under different mandates and constraints than IT gear, where from a cybersecurity perspective, confidentiality, integrity, and availability are the mantra. Within OT and industrial IoT, reliability, safety, and availability are paramount; an automation process that’s been tampered with by a threat actor can put lives at risk, for example, or impede the delivery of critical services. 

Product development, for decades, has proceeded in accordance. Critical legacy, production systems were designed for continuous uptime, and are meant to be in place a decade or more. Also, there’s often an intolerance for downtime within automation because of the criticality of the service being delivered, making regular patching and updates infrequent, and windows of exposure remaining ajar for much longer periods of time. 

This requires a rethink for CISOs who must figure out the best way to extend their IT controls to the OT environment. Practices such as strong authentication, encryption, network segmentation and secure remote access technologies introduce resilience to attacks against the IT infrastructure that may impede enterprise networks, and won’t bleed over into control systems and affect processes. 

Incident Response Hits Differently with OT/IIoT

Since the risks associated with OT can vary greatly from IT, incident response must be tailored differently. Automation systems, for example, govern physical processes such as actuators, sensors, pumps, robotics, and more on factory floors, water treatment facilities, and utilities. Often, especially in critical infrastructure sectors, field devices are scattered geographically and in different time zones. A cyberattack against a facility can do more than crash servers; an incident can threaten lives or the surrounding environment. Downtime, meanwhile, can costs a company tens of thousands of dollars per hour, putting an imperative on coordinated response activities that are refined and tested regularly as threats—and the business—change. 

CISOs must be ready—as in IT incidents—to not only preserve forensic data, but also must do so without impacting systems that cannot be shut down. Response teams must understand these very different dynamics, from the proprietary protocols that may blind forensics tools, to constructing OT IR teams and plans that include engineers who have baselined systems, can recognize anomalies, and respond without impacting safety or availability. 

It’s also important to note the eventual need for dedicated OT cybersecurity expertise within the security operations center. Security information and event management systems (SIEMs) are already overloaded with alerts that must be triaged and prioritized. A converged IT/OT SOC requires specialized expertise that understands the often-proprietary nature of OT systems and network communications, and can adequately inform response activities.

Reality Check: Ransomware and Attacks on OT

Criminal and state-sponsored actors have effectively used ransomware to disrupt businesses worldwide for more than a decade. 

Criminals interested in profit use it as part of extortion schemes against high-value targets. The 2023 ransomware playbook goes something like this: Attackers penetrate networks, steal data, then plant ransomware with the threat of leaking stolen data if ransom demands are not met. 

State actors, meanwhile, may use it as a distraction to disguise larger espionage operations, or to inflict real damage on systems; the NotPetya attack, for example, was in reality a wiper attack disguised as ransomware that destroyed the hard disks of computers worldwide in the costliest supply-chain cyberattack on record. 

Ransomware remains a scourge, and 99.99% of the time targets IT systems of organizations such as hospitals or local governments that the attacker believes would meet a ransom demand. In some victimized automation companies, OT operations were temporarily halted while infections were eradicated, with organizations afraid of impacts to connected OT systems from these attacks. 

Response must be swift in critical environments, and CISOs must understand where these crucial OT crossover points may be; some include Windows-based engineering workstations or human-machine interfaces (HMIs) that could be victimized by opportunistic attackers. The good news is that existing response plans should be a snug fit: impacted systems must be isolated or disconnected to halt the spread of ransomware on a compromised network, critical systems must be identified and prioritized as things come back online either from backups or from a restoration to factory settings. 

CISOs may also be faced with the decision of whether paying an attacker’s ransom demands is a viable option. Working closely with law enforcement and cybersecurity experts in order to properly inform this decision.