Home Interviews “Melding IT and OT Systems Can Create New Attack Vectors and Surfaces”

“Melding IT and OT Systems Can Create New Attack Vectors and Surfaces”

Every time you add an IoT device to the network, it increases the threat surface as it provides an additional vector for attack. Richard Bussiere, Technical Director for APAC, Tenable, discusses the fundamentals of IT and OT and security challenges posed by the IT-OT convergence.

IT and OT

The world is more connected than ever. Rapid digitalization has created enormous potential for enterprises, given the connectedness of billions of IoT devices. The priorities of the cybersecurity C-suite have also seen a shift, with CISOs and CIOs strategizing separate security programs for information technology (IT) and operational technology (OT). The IT and OT integration trend is not new; it streamlines the processes and increases efficiency. However, the IT-OT confluence also widens risk and leaves systems vulnerable to cyberattacks.

In an exclusive interview with Pooja Tikekar, Sub Editor, CISO MAG, Richard Bussiere, Technical Director for APAC at Tenable, discusses the fundamentals of IT and OT and the security challenges posed by the IT-OT convergence.

Bussiere is the Technical Director for APAC at Tenable. Based in Singapore, he is responsible for evangelizing the criticality of cyber hygiene and vulnerability management as a continuous process to enhance an organization’s security posture.

Bussiere is also responsible for Tenable’s operational technology offering in the region, consulting with operators of critical infrastructure to bolster their defensive position.

Bussiere holds five patents related to networking and network security. He is also an active participant in the Institute of Electrical and Electronics Engineers and Internet Engineering Task Force working groups.

Edited excerpts of the interview follow:

In the last couple of years, disruptive technologies in the realm of information technology have seen rapid growth. IoT is among the most-hyped technologies that could reshape the way companies operate, especially after COVID-19 and with the increased adoption of 5G networks. What is the layer of complexity that active IoT adoption adds to cybersecurity threats? How does it broaden the attack surface for organizations?

Every single added device increases the threat surface as it provides an additional vector for attack. Couple this with the fact that many IoT devices are designed to a low-cost point, meaning that the processing power and level of testing from a security perspective is frequently not up to the mark. Finally, the internal components of IoT devices often are derived as “white box” solutions from a single vendor; hence they will have the same security vulnerabilities. We saw exactly this with the Mirai botnet in 2016.

The second issue is 5G, which brings “more and faster” – more things connected at higher bandwidths. So, we have the fact that we are increasing the value of the networks by making them faster and adding more things to it, which increases the “value” of the network to an attacker. The confluence of 5G and wide use of IoT naturally leads to a large population of vulnerable devices.  Managing this enhanced risk will become a challenge.

Intelligent devices are now being indirectly connected to critical infrastructure and controlled/monitored through secure remote access. These intelligent devices serve as the eyes and glue by which future smart city initiatives will be linked together. Information from these intelligent devices will be fed to the cloud for processing and analysis, or fed to entities such as utilities directly for real-time decision-making. This means that malicious manipulation of vulnerable IoT devices may lead to incorrect information being fed to users and decision-makers of critical infrastructure, creating an indirect attack vector. Furthermore, this introduces new portals for an attack due to the convergence of IT and OT operations.

While IT manages data or the flow of digital information, operation technology (OT) is responsible for managing the operation of machines or physical processes. Could you explain the IT-OT concept in detail?

Let’s first establish a differentiating fact between IT and OT. In IT, the data is the product. In OT, the data itself is of little value – it is a means to control a physical process, the end result of the physical process being the product.

The convergence of the data side of the business with the operational technology side has revolutionized our critical infrastructure. This connectivity can remove the need for a physical person to be on-site to manually make changes, and instead use remote access to adjust settings whenever and wherever necessary. Beyond this, when we consider initiatives such as Industry 4.0, we introduce more real-time interaction between the machinery of production (OT) and external entities such as suppliers, customers, logistics, etc. Supporting such initiatives requires real-time information from the OT environment. Essentially IT-OT convergence improves efficiency, enables predictive maintenance, and reduces downtime. Unfortunately, the downside of this penetration of IT into OT environments exposes the OT world to more risks than in the past by introducing additional attack vectors.

In IT, data must be protected at all costs, whereas, for OT, the most critical aspect is to protect the operations of the business. Do you think incident detection and response in an OT environment is different from an IT environment?

The primary objective of IT security is to ensure that the confidentiality, integrity, and availability of data are preserved. Whereas in OT, the primary focus is the safety of life, limb and property, the availability of the process, and the quality of the output of the process. That said, the concepts of cybersecurity practiced within IT can have great value within the OT world. Consider the fact that OT environments are not only composed of programmable logic controllers (PLCs), but up to 50% of these environments consist of IT devices such as Windows and Linux computers that host Digital Control Systems (DCS) and an ever-growing inventory of Internet of Things. When deployed inside the plant, these devices can expose operations to the same threats and vulnerabilities that would be seen outside the plant. The reality in today’s converged IT-OT environment is that OT operators must learn and apply fundamental cybersecurity practices to improve and maintain their KPIs of Safety, Availability, and Quality.

Industry 4.0 is revolutionizing the global manufacturing landscape. However, the pandemic is telling of the fact that the manufacturing sector faces supply chain disruptions. How can the IT-OT merger counter supply chain attacks?

Maintain visibility across the board but understand how an attack against a partner or supplier could impact your organization. The solution to gaining this understanding is to have continuous monitoring and threat intelligence relating to the full supply chain and risk-based vulnerability management.

Prioritize inventory management by knowing whether suppliers maintain optimal cyber hygiene. This plays a vital role in identifying the threat landscape but given the huge number of suppliers, starting early on in a relationship is key.

Having an environmental baseline that includes accurate asset inventory, and an understanding of business processes, traffic flows and dependency mappings is essential to establishing where trust relationships exist and where a zero-trust model should be implemented. In doing so, business leaders can use zero-trust to ensure communications within supply chains are secure and from approved and trusted users.

It is important to identify who has access to privileged accounts and ensure the appropriate level of privilege is decided for each role within the organization. Implementing identity access management and encrypting all internal data can make it difficult for cybercriminals to establish backdoors to infiltrate during a supply-chain attack.

The manufacturing sector in India grew by 49.6% in Q1 2021, compared to a 36% drop in Q1 2020, indicating that it is one of the most attractive sectors for cybercriminals. How can manufacturers in India bridge the knowledge gaps arising out of IT-OT convergence? And how can the C-suite ensure the successful implementation of industrial cybersecurity?

The most significant thing that would help IT and OT teams work together effectively is education and mutual understanding. IT personnel must understand some fundamentals of operational technology, and similarly, OT personnel need to learn IT security essentials. These enablement exercises, in conjunction with cohesive and comprehensive business-driven security policies, will go a long way towards facilitating the necessary level of protection for business-critical production-oriented assets.

Business-level oversight and C-suite leadership enable both sides to collaborate effectively. Increasingly, organizations are taking senior, experienced engineers from OT business units and assigning them to support incident response within the security teams. This creates an environment where both IT and OT teams can collaborate effectively.

What are some of the security challenges posed due to the integration of IT-OT?

Melding IT and OT systems can create new attack vectors and surfaces. Since IT and OT environments are often interconnected, an attack originating from an IT network can move laterally to the OT environment and vice versa.

One of the biggest challenges that arise from convergence is that OT environments frequently have relatively obsolete and unpatched software present. This is an artifact of how OT needs to work. If a given system is functioning properly, then the tendency would be to leave it alone rather than take the risk that implementing the patch will cause an unanticipated malfunction. So, as IT and OT continue to converge, the legacy OT devices are exposed to risks that they were not exposed to in the past.

Apart from IT-OT, tell us your top three cybersecurity predictions for 2022.

  • 5G will increase our dependence on digital infrastructure

5G rollouts in APAC will bring with them an exponential increase in our ability to interconnect intelligent devices reliably and at high speed. This will lead to a rapid acceleration of e-commerce and the emergence of intelligent cities and infrastructures. We also see intelligent devices being connected to utilities – for example, solar cells reporting to the operator how much power they are injecting into the grid. The benefits are very tangible, as are the enhanced risks. 5G increases our dependence on our digital infrastructures, amplifying the negative impact on society when this infrastructure malfunctions or is the victim of a cyberattack. As we embrace 5G, we must also carefully consider the resilience and security of the systems that will utilize this game-changing technology.

  • The future of shift-left security is infrastructure-as-code

Now that cloud adoption has rapidly increased and organizations embrace the flexibility that cloud-native provides, it is vital to find and fix every bug before deployment. By the time software reaches run-time, it is already too late. That is why detection will move from reactive to proactive in 2022, as CISOs increasingly recognize that security teams do not have to wait for infrastructure to be created to discover and mitigate vulnerabilities in code.

  • Colonial Pipeline set the table for improvement

Attacks like Colonial Pipeline made security tangible for non-security professionals. Every board of directors is now interested in knowing the cyber risk to their company. Stakeholders are more invested than ever, and Congress/policymakers are no exception. If the government and private sector acknowledge their shared priorities and work together toward a more secure world, 2022 will bring a promising climate for improvement.

About the Author

Pooja Tikekar is the Sub Editor at CISO MAG, primarily responsible for quality control. She also presents C-suite interviews and writes news features on cybersecurity trends.

More from the author.