February 17, 2021
IT/OT convergence is the integration of information technology (IT) systems with operational technology (OT) systems. IT systems are used for data-centric computing and OT systems are used to monitor events, processes and devices, and make adjustments in enterprise and industrial operations. In the past, it was not common to put industrial devices on company networks but due to the growing need to link and integrate IT and OT systems for real-time information and integrating platforms, it’s time to understand the risks and start planning to secure your environments.
As Industry 4.0, or digital transformation, continues to grow exponentially, there is a growing need to link and integrate business systems with manufacturing systems. Manufacturing Execution Systems (MES), for example, provide a means to track and document the transformation of raw materials into finished goods, helping to understand how current conditions can be optimized and to quickly make decisions that improve delivery schedules. However, when they are coupled with Manufacturing Resource Planning (MRP) systems, which are IT systems, processes such as demands, material transfers, and backflush operations can be automated to remove errors and speed up the processing of information. And hey, who doesn’t want to link their Quality and Maintenance programs to their MES or OEE (Overall Equipment Effectiveness), or even their MRP system?
It is critical to note that this convergence between IT and OT carries risk because Industrial Control Systems (ICS), which are used in almost every machine or piece of infrastructure that handles physical processes, are often unpatched and do not play nice with anti-virus software, so they are highly susceptible to attacks. Malware specifically designed to attack ICS and SCADA (Supervisory Control and Data Acquisition) systems has been increasing over the last decade and has become a growing threat to organizations. For OT organizations responsible for critical infrastructure, any hint of compromise needs to be taken very seriously. This is why it is time to get down to business and start planning to secure your environments.
While IT systems have mostly been standardized on TCP/IP, OT systems use a wide array of protocols, many of which are specific to a function, an industry or even a geography. As IIoT devices become more common, external partner products present significant challenges to creating secure environments, and securing legacy systems is an even greater challenge. In effect, digital transformation efforts generate these structural problems, and the problems are exacerbated by poor IT security hygiene practices within OT environments: insecure deployment of IIoT devices, a lack of visibility into the devices, and interfacing them through networks to business systems.
So now you know that the enormous presence of unprotected IIoT devices is providing opportunities for threat actors. The terrifying part is that most of these devices are plug-and-play, needing neither passwords nor configuration, which essentially makes security optional. Many of these devices are shipped with commonly known default passwords to provide easy access to configuration panels. So you can imagine that it is not so difficult for hackers to create botnets that trigger distributed denial-of-service (DDoS) attacks, which freeze or disable systems. From a technical point of view, these attacks have elaborate mechanisms that are difficult to detect because they are encrypted and designed to profile processes. They can move from your poorly secured OT environments into your business systems to exfiltrate organizational data and threaten to leak it, or to steal proprietary information. And of course, these attacks also include ransomware for financial gain.
So we know that the devices are not secure and pose threats to organizations, but there are a few additional concerns regarding IT/OT convergence that need to be mentioned. The first is the accidental insider, who is on a quest to create greater efficiencies and productivity but may lack security awareness; they may accidentally introduce conditions that make environments more susceptible through ill-advised configuration changes. The second is external actors: most organizations need help from external partners to set up these new shiny things, and accidents can happen. The third is the malicious insider, a trusted person with technical knowledge and access who manipulates systems. The fourth is the malicious outsider, whether an external partner or a hacker (or hacktivist); the lack of security controls puts organizations at unnecessary risk.
If all these points are starting to alarm you, then you are starting to understand that you should not be taking these risks. So what do you do? The best answer is planning a physical separation of devices and networks. For example, you should not colocate IT applications and OT applications on the same physical infrastructure. Although it is often more economical to have centralized (or cloud) infrastructure for IT apps, OT infrastructure, at least the lower-level device connections and controls, should be located on-premise. This way those lower-level devices will not have access to the internet, and you can control who has access to those devices using the local OT infrastructure in the middle. Secondly, have separate physical firewalls between IT and OT; this way the firewalls can prevent OT devices from going through the IT firewall, and vice versa. Thirdly, segregate internal networks: IT systems should sit on separate VLANs from OT systems, so that individual switch ports can be assigned to the appropriate VLAN.
Now you might be thinking, great, there is a way to fix it. Well yes, in many cases, but there are a lot of considerations to plan for. Many solution providers use PCs as managers for their systems and, quite frankly, they are far less secure than a physical server, so that device has to be placed into the lower level and accessed through a Jump Host. There are also considerations on the number of VLANs depending on configuration and applications, failover devices, clusters versus high availability, methods and devices to scan OT environments, and the big one: Support Processes. So do yourself a favor and create a detailed process flow map that can lead to an architecture discussion, which will in turn lead to system needs.
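As an added example (not the author's code or any real deployment's configuration), the segmentation model from the two paragraphs above, expressed as a policy that can be checked against observed traffic: OT Level 1 devices never reach the internet, IT reaches OT only through the jump host, and OT infrastructure may push data up to IT. The zone names, VLAN subnets and sample flows are constructed for illustration; running the same check over real firewall or NetFlow exports flags traffic that bypasses the jump host or crosses a boundary the architecture forbids.

```python
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: one zone per VLAN/subnet; addresses are illustrative only.
ZONES = {
    "OT_L1_DEVICES": ip_network("10.10.1.0/24"),   # PLCs, sensors, drives
    "OT_L2_3_INFRA": ip_network("10.10.20.0/24"),  # MES, historians, HMIs
    "JUMP_HOST":     ip_network("10.10.30.0/28"),  # management VLAN for the jump host
    "IT_BUSINESS":   ip_network("10.50.0.0/16"),   # MRP, office, cloud-connected
}

# Permitted (source zone, destination zone) pairs for flows that cross zones.
# OT never reaches the internet; IT reaches OT only through the jump host.
ALLOWED = {
    ("OT_L1_DEVICES", "OT_L2_3_INFRA"),
    ("OT_L2_3_INFRA", "OT_L1_DEVICES"),
    ("OT_L2_3_INFRA", "IT_BUSINESS"),   # MES -> MRP data exchange
    ("IT_BUSINESS", "JUMP_HOST"),
    ("JUMP_HOST", "OT_L2_3_INFRA"),
    ("JUMP_HOST", "OT_L1_DEVICES"),
    ("IT_BUSINESS", "INTERNET"),        # IT apps may use centralized/cloud services
}

def zone_of(addr):
    """Map an address to its zone (longest prefix wins); unknown means INTERNET."""
    ip = ip_address(addr)
    matches = [name for name, net in ZONES.items() if ip in net]
    return max(matches, key=lambda n: ZONES[n].prefixlen) if matches else "INTERNET"

def check_flow(src, dst):
    """Return (allowed, src_zone, dst_zone) for one flow initiated by src."""
    s, d = zone_of(src), zone_of(dst)
    return (s == d or (s, d) in ALLOWED), s, d

def audit(flows):
    """Return [(src, dst, src_zone, dst_zone)] for every flow that violates the policy."""
    results = [(src, dst, *check_flow(src, dst)) for src, dst in flows]
    return [(src, dst, s, d) for src, dst, ok, s, d in results if not ok]

# Constructed sample flows, as they might be extracted from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.20.5"),     # PLC -> historian: allowed
    ("10.10.20.5", "10.50.3.7"),      # MES -> MRP: allowed
    ("10.50.3.7", "10.10.20.5"),      # IT workstation straight to MES: bypasses jump host
    ("10.50.3.7", "10.10.30.10"),     # IT workstation -> jump host: allowed
    ("10.10.30.10", "10.10.1.15"),    # jump host -> PLC: allowed
    ("10.10.1.15", "203.0.113.9"),    # PLC -> internet: Level 1 must never reach the internet
    ("10.50.3.7", "198.51.100.20"),   # IT -> internet: allowed
]
```

`audit(SAMPLE_FLOWS)` returns the two offending flows (the direct IT-to-MES session and the PLC talking to the internet), which is exactly the traffic the separate firewalls and VLANs are meant to make impossible.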
Christopher Nichols is Director of IT/OT Resiliency & Support at Stanley Black & Decker, Inc. He has been employed by the Fortune 500 manufacturer for over seven years and is currently Director of IT/OT Resiliency & Support. In this role, he is responsible for deploying Level 2/3 system architectures and connecting all other level systems to Level 2/3, while supporting them. Additionally, he manages remediation with Edge components, and deploys servers and connectivity for all OT-related systems, plus Level 1 support of all OT-related SW applications.
Christopher is presenting at the virtual Manufacturing X.0 event, co-located with Supply Chain X.0. Register here if you are currently working in a manufacturing or supply chain role.