OT, meet IT (please)
As the world becomes more networked, industrial control systems have become an area of increasing concern for cybersecurity. Just recently, for example, the Homeland Security Department issued an alert concerning reported flaws in Siemens equipment that could allow hackers to attack critical systems such as power plants.
It wasn't the first such alert, and it won't be the last.
On one hand, these operational technology systems — or OT, as opposed to IT systems — are using more off-the-shelf software, which opens them to a growing number of exploits delivered via the Internet. On the other hand, they remain different enough that they often require a different set of management tools and expertise.
Although securing industrial control networks often is a problem for private-sector operators of industry and infrastructure, government too is not immune. “OT networks are not the majority of networks that government has to deal with, but they do have them,” said Jacob Kitchel, senior manager of security and compliance at Industrial Defender, which provides services for control system security.
Just about any building, base or campus contains physical plant control systems, and distribution and logistics operations have inventory and fleet management systems to manage. The systems that do these jobs often are mission-critical for the owner, but they traditionally fall under the eye of engineering staffs and physical security rather than IT security.
This distinction is becoming less viable, however.
Industrial control and Supervisory Control and Data Acquisition, or SCADA, systems are increasingly becoming standardized, using commercial operating systems such as Microsoft Windows. This makes it easier to develop applications for them and to take advantage of IP networking to manage them and gather data remotely. At the same time such systems expose the apps to a host of vulnerabilities that hackers and criminals are intimately familiar with. Administrators are finding it is becoming increasingly difficult to isolate any IP network from the Internet. One unplanned or incautious connection to a switch or access point can open it to exploration and exploit.
Their missions remain different from traditional IT networks, however. “They are starting to look more alike, but only from a limited view,” Kitchel said. The barrier to intrusion is being lowered, but security tools often are not adequate for monitoring, controlling access and managing change on production networks. “Traditional tools can do some of it, but in many areas they fall short,” he said.
Despite these differences, industrial OT networks can be effectively secured, Kitchel said. Skills learned by researchers and managers on the enterprise IT side can be successfully applied to industrial software, but this expertise often is lacking among those who manage the OT systems. They have good engineering backgrounds but little professional IT experience.
A key to securing industrial control networks can be breaking down the silos between IT and OT, giving the OT shop access to the expertise of the IT pros, and letting the IT shop understand the needs of the industrial side. In bringing IT security to industrial networks, it pays to start with the basics, Kitchel said.
“It's easy to be concerned about the big events, but the basics often get lost,” he said. Focusing on baseline security such as identity and access control, asset management and change management are essential regardless of the type of network. “Doing these things well," he added, "will allow you to do a lot of other things.”