Managing the Risks of IT-OT Convergence
Written by Daniel Kwong, Field Chief Information Security Officer (CISO) for South East Asia and the Hong Kong region
Cyberattacks are a growing concern for businesses of all sizes. Since the early days of the commercial internet, companies have been trying to find ways to improve security. It used to be that security involved installing basic firewalls and intrusion detection systems. However, as networks and the internet have become more complex and businesses have become more reliant on technology, keeping networks and systems secure has become more challenging.
Until recently, operational technology (OT) networks functioned as isolated, air-gapped environments. In critical infrastructure and production environments, availability has always been a higher priority than cybersecurity. But the emergence and growth of information technology (IT) applications that analyze and manage real-time industrial environments have led to the convergence of OT and IT networks. This convergence exposes OT to the same cybersecurity threats that IT has dealt with for decades.
The advantage of this convergence of IT and OT networks is that machines and devices can connect and share data. But the disadvantage is the increasing threats to critical infrastructure. By better understanding the implications of convergence, you can do the following to help protect your business from cyberattacks.
5 Steps to Help Protect Against Cyber Risk from IT and OT Convergence
1. Network Segmentation of IT and OT Infrastructure
Modern business is data-driven, and businesses can gain a competitive advantage simply through the quality of their data and their ability to make informed decisions based on it. To effectively use data, it is important to understand how the data flows between IT and OT. Organizations should put a data classification and data process framework in place to provide visibility into data flow. Data also must be classified according to its level of sensitivity. Data with a high level of sensitivity should be accessible only to those with a need to know. The data classification process must be documented, and the policy must be enforced.
With technology, organizations can intelligently segment network and infrastructure assets regardless of their location, whether on-premises or on multiple clouds. Once data is classified, network access control solutions can be used to create logical network segments by grouping applications and like data together to limit access to a specific group of users and devices. Dynamic and granular access control is established by continuously monitoring the trust level and adapting the security policy accordingly.
A next-generation firewall can then be used for internal segmentation to isolate critical IT assets and ensure quick detection and prevention of threats using analytics and automation. Internal segmentation provides end-to-end segmentation that extends across network and geographical boundaries.
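The segmentation policy described above can be audited against observed traffic. The following is an added example, not code from the original post: it assumes a constructed zone map (IT, a DMZ that brokers data, and OT), an allow-list of approved conduits between zones, and constructed flow records in the form "src dst dport", then reports every flow that crosses the IT/OT boundary outside an approved conduit.

```python
import ipaddress

# Constructed zone map (assumption): IT, a brokering DMZ, and the OT segment.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Approved conduits as (src_zone, dst_zone, dst_port). Assumption: all
# IT<->OT data exchange passes through a historian in the DMZ; IT never
# reaches OT directly, and Modbus/TCP stays inside the OT segment.
ALLOWED = {
    ("IT", "DMZ", 443),   # IT analytics pulls from the DMZ historian over TLS
    ("OT", "DMZ", 443),   # OT pushes process data to the DMZ historian over TLS
    ("OT", "OT", 502),    # Modbus/TCP between OT devices only
}

def zone_of(ip):
    """Map an address to its zone by CIDR membership; UNKNOWN if unclassified."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def check_flow(line):
    """Evaluate one 'src dst dport' record; return (verdict, reason)."""
    src, dst, port = line.split()
    src_z, dst_z = zone_of(src), zone_of(dst)
    if "UNKNOWN" in (src_z, dst_z):
        return ("DENY", f"unclassified endpoint in {src_z}->{dst_z}")
    if src_z == dst_z == "IT":
        return ("ALLOW", "intra-IT traffic, not a convergence boundary")
    if (src_z, dst_z, int(port)) in ALLOWED:
        return ("ALLOW", f"approved conduit {src_z}->{dst_z}:{port}")
    return ("DENY", f"no conduit for {src_z}->{dst_z}:{port}")

def audit(lines):
    """Return (record, reason) for every flow that violates the policy."""
    return [(l, check_flow(l)[1]) for l in lines if check_flow(l)[0] == "DENY"]

# Constructed sample flow records (src dst dport), as exported from a flow collector.
SAMPLE_FLOWS = [
    "10.10.5.23 10.20.0.10 443",   # IT workstation -> DMZ historian: allowed
    "10.30.1.7 10.20.0.10 443",    # OT gateway -> DMZ historian: allowed
    "10.10.5.23 10.30.1.7 502",    # IT workstation -> OT device, Modbus: violation
    "10.30.1.7 10.30.1.9 502",     # OT device -> OT device, Modbus: allowed
    "192.168.99.4 10.30.1.7 22",   # unclassified host -> OT device: violation
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print("VIOLATION", record, "-", reason)
```

Unclassified endpoints are denied rather than ignored, because an address that fits no segment is itself a gap in the classification framework.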
2. Encryption of Data During Transmission
Because data transmission is susceptible to interception by unauthorized third parties, encryption is a vital security measure. Sensitive data must be protected during transmission, and encryption ensures that data is not readable by anyone other than the intended recipient as it moves between IT and OT environments.
3. Built-in Security and Risk Assessment
To ensure that the company's data and systems are safe, security should be designed in from the beginning, and proper risk assessment should be done regularly. Security by design means that security is built into the system rather than added as an afterthought. Security should be considered during the design phase of any new system and should be implemented cost-effectively and efficiently. Risk assessment is the process of identifying, quantifying, and mitigating risks to ensure that the company is as safe as possible. Risks can come from various sources, including internal and external threats.
By embedding native application security into development processes, organizations can better understand the security risks that may lurk in web apps, including source code, open-source components, and runtime attack vectors.
4. Component-level Security
Component-level security is a critical issue for software supply chains. Software vulnerabilities can be introduced at any stage of the software supply chain, from original design to post-deployment patching. For example, the recent Log4Shell incident was traced to a vulnerability in the Java Log4j library, which was present in the open-source software supply chain used by millions of devices.
The adoption of cloud-native technologies includes the use of containers in microservices architectures. Containers have streamlined the way applications are built, tested, deployed, and redeployed, but their use has also led to a new attack surface. Container security requires visibility and protection during all stages of a container lifecycle. Organizations need solutions that can provide visibility into the security posture of container-based workloads across multi-cloud environments.
5. Cybersecurity Governance
A well-defined cybersecurity governance framework is critical for an organization to protect its critical information assets from unauthorized access, use, disclosure, alteration, or destruction. Without this type of framework in place, organizations are susceptible to a wide range of cyber threats.
Various cybersecurity metrics can be used to measure an organization’s security posture. These metrics can be used to track the effectiveness of security controls and identify areas that need improvement. Fortunately, a tremendous amount of progress has been made in security analytics and machine learning over the last few years, so businesses can gain more insight into their security situation and make improvements.
New Benefits Come with New Risks
Today, the digitization of operational processes has led to productivity, efficiency, responsiveness, and overall profitability gains. But even though technological and organizational convergences between IT and OT have dramatically impacted organizations, access to newly connected systems has opened new threat vectors. Given the unique challenges of OT systems and devices, organizations need new solutions designed to span their IT and OT networks and meet the operational needs of both sides of the organization.