by Earl Perkins | December 29, 2014
2014 has been a very active year for cyber attacks and breaches in the industrial automation and control systems area (what Gartner calls operational technology, or OT). There is no reason to believe that 2015 will be any different. In fact, there is every reason to believe the number, scale and sophistication of attacks will continue to increase. In past posts I have tried to moderate some of the hysteria in the reporting of such incidents. I still believe that a pragmatic approach to cyber attacks on OT systems is necessary if we are to use such reports and other information to make the right decisions about countering those attacks. Part of that approach is understanding why cyber attacks are succeeding against industries and infrastructure that have, until now, been among the most reliable in history.
OT systems are delivered by a relatively small number of major vendors and service providers globally. Over the decades those vendors have delivered “fit-for-purpose” systems engineered to perform reliably and safely the tasks for which they were designed, whether delivering electric power, moving oil and gas, running assembly lines or any other major industrial task. Over those same decades, however, two developments relevant to cybersecurity have occurred. First, these proprietary systems have become less proprietary, adopting general-purpose IT system and network platforms for many of their functions. Second, these systems have become better known to threat actors globally, particularly their networking protocols and system platforms. Both developments have occurred gradually over the past 15 years or so, but in the last 5 years the pace of both has accelerated.
In general architectural terms, and for the purposes of this discussion, you can think of a ‘typical’ organization with OT assets as having three major infrastructure technology areas. First, there is the traditional IT infrastructure of networks, systems, applications and endpoints serving corporate information systems needs. Second, there is a boundary area that consists predominantly of IT infrastructure but serves OT assets primarily for management purposes; it is made up of such systems as SCADA management and human-machine interface (HMI) systems serving engineering and operations needs. Third, there is the control area itself, made up of programmable logic controllers (PLCs), sensor and actuator networks and related endpoints and gateways, also part of the engineering and production operations of the organization. In a sense, hackers have three different targets to choose from in IT/OT organizations. But there is something you should know about the vast majority of the attacks and breaches to date in such organizations.
If you read the published reports and findings on most OT attacks, you will find that almost all of them are perpetrated through either the corporate IT area or (less often) the boundary area I describe above. Very few attacks have directly impacted the control area itself. This may change over time (and I believe it will, as the companies that build control infrastructure adopt more general-purpose IT architecture and hackers become more familiar with proprietary control infrastructure), but for now what you are seeing is a ‘cascade’ effect from the use of IT architecture in OT. There is something else I find interesting about the attacks to date. Most IT/OT organizations place great emphasis either on ‘air gaps’ between corporate IT and OT networks, to protect OT from IT-related breaches, or on tightly controlled segmentation of IT/OT networks. The fact is that as more OT decision-makers adopt IT technology for the boundary area, they increasingly link the boundary area (and even some control areas) with the Internet or with the external vendors and service providers that maintain their OT infrastructure. In reality it isn’t so much the organization’s own IT infrastructure that affects the boundary and control areas of OT: organizations are doing it to themselves by exposing their OT networks to their supply chain partners.
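One way to make the three-area model and its conduit policy checkable, as an added example that is not part of the original post: a small Python audit that assigns each address to the corporate IT, boundary or control area (anything outside those ranges, including vendor and Internet addresses, is treated as external), then flags every flow that crosses areas over a conduit the policy does not allow. The address ranges, the allowed ports and the sample flows are all assumed for illustration; in practice the flows would come from firewall or NetFlow exports, and the point of the per-source summary is to show how much of the exposure originates outside the organization rather than from its own IT area.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical address plan for the three areas (assumed for this example).
# Any address outside these ranges is classed "external": the Internet, vendor
# and service-provider networks.
ZONES = {
    "corporate_it": [ipaddress.ip_network("10.1.0.0/16")],
    "boundary":     [ipaddress.ip_network("10.2.0.0/24")],        # SCADA servers, HMIs
    "control":      [ipaddress.ip_network("192.168.100.0/24")],   # PLCs, I/O gateways
}

# Conduits the policy permits, keyed (source area, destination area) -> TCP ports.
# Everything else that crosses an area boundary is a violation. There is
# deliberately no ("external", ...) entry: vendor access has to come in through
# the corporate IT area, never straight into the boundary or control areas.
ALLOWED: Dict[Tuple[str, str], set] = {
    ("corporate_it", "boundary"): {443},        # read-only historian web front end
    ("boundary", "control"):      {502, 44818}, # Modbus/TCP and EtherNet/IP from engineering hosts
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its area, or 'external' if it belongs to none of them."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a description of the violation, or None if the conduit is allowed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # traffic inside one area is outside the scope of conduit policy
    if flow.dport in ALLOWED.get((src_zone, dst_zone), set()):
        return None
    return f"{src_zone} -> {dst_zone} port {flow.dport} ({flow.src} -> {flow.dst})"


def audit(flows: List[Flow]) -> List[str]:
    """All violating flows, in input order."""
    return [v for v in (check_flow(f) for f in flows) if v is not None]


def violations_by_source(flows: List[Flow]) -> Dict[str, int]:
    """Count violations by source area: shows where the exposure actually originates."""
    counts: Dict[str, int] = {}
    for f in flows:
        if check_flow(f) is not None:
            src_zone = zone_of(f.src)
            counts[src_zone] = counts.get(src_zone, 0) + 1
    return counts


# Constructed sample flows (not real traffic), as they might appear in a firewall export.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", 443),           # IT user reading the historian: allowed
    Flow("10.2.0.15", "192.168.100.7", 502),       # engineering workstation to PLC: allowed
    Flow("10.1.5.20", "192.168.100.7", 502),       # IT host speaking Modbus straight to a PLC
    Flow("203.0.113.44", "10.2.0.15", 3389),       # vendor RDP from the Internet into the boundary
    Flow("203.0.113.44", "192.168.100.7", 44818),  # vendor session straight to a PLC
    Flow("192.168.100.7", "10.1.9.9", 80),         # PLC calling out to the corporate area
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print("VIOLATION:", line)
    print(violations_by_source(SAMPLE_FLOWS))
```

On the constructed flows the audit reports four violations, two of them from external addresses, which is the pattern the post describes: the air gap between corporate IT and OT holds only if the vendor and Internet conduits into the boundary and control areas are governed just as strictly.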
So what does all of this mean to you? For 2015 and the years ahead, IT/OT security governance, strategy and planning must be an integrated activity. I don’t advocate merging the IT and OT security practices immediately, but I do believe that if you don’t coordinate your decisions as one organization on such matters as technology procurement, supply chain security, segmenting and protecting networks, privileged user management and a data protection plan, you are going to remain exposed to those more frequent and more sophisticated attacks in the future. This is something that can’t wait, and frankly there isn’t much that can be done for you until and unless you take these early steps to create a coordinated cybersecurity strategy NOW. The choice is yours.