The current state of the cyber ecosystem is a precarious one. The perimeters have become blurred, and as the capabilities and connectivity of cyber devices have grown exponentially, so have cyber intrusions from sophisticated malware to both Information Technology (IT) and Operational Technology (OT) Industrial Control Systems (ICS), and SCADA networks. The threat is even more amplified as those networks are converging.
According to PMMI Business Intelligence’s “2021 Cybersecurity: Assess Your Risk” report, Information Technology (IT) attacks “specifically target the enterprise IT systems at a manufacturer, seeking to gain entry through vectors such as email, a CRM system, or an ERP program, which can span across an operation.” Operational Technology (OT) attacks “are designed to exploit the systems that are directly on the plant floor. An OT attack can originate through vectors such as individual sensors on the production line, SCADA/HMI panels, or even unsecured PLCs.” (Source: Cybersecurity 101: The Difference Between IT and OT Attacks | OEM Magazine)
But in our increasingly hyper-connected internet environments, most physical security systems have become tethered to IT networks and evolving cloud infrastructure. The integration of industrial hardware and software with a growing number of networked IT sensors is redefining the attack surface available to hackers across all digital infrastructures.
The IT OT Convergence Supply Chain
Protecting the fusion of IT/OT networks from cyber-attacks is an urgent challenge that requires orchestration. IT, OT, and ICS networks each have unique operational frameworks, access points, and a variety of legacy systems, and they are intertwined with varying regulation and compliance protocols. A lack of trained, skilled workers is a continual issue in IT, OT, and ICS cybersecurity.
From a cyber-threat perspective, things are getting worse and there is no rest for weary security operators in either IT or OT. Criminal hackers are now using artificial intelligence to probe for vulnerabilities and code misconfigurations in IT networks.
On the physical or hardware side, they will often seek out unsecured ports or devices on industrial systems that are connected to the internet. Most ominous is the convergence of IT/OT/ICS supply chains: as they cross-pollinate, they become particularly vulnerable and offer attackers many points of entry, especially via older legacy OT systems that were not designed to protect against cyber-attacks. The complex nature of supply chain attacks is further exacerbated by the potentially long delay between the introduction of a vulnerability and its eventual exploitation.
Supply chain cyber-attacks can be perpetrated by nation-state adversaries, espionage operators, criminals, or hacktivists. Their goals are to breach contractors, systems, companies, and suppliers via the weakest links in the chain. This is often done through taking advantage of poor security practices of suppliers, embedding compromised (or counterfeit) hardware and software, or from insider threats within networks.
A special concern for the supply chain is third-party risk and the visibility partners have into the chain. Some security flaws may be known but unpatched; others may remain unknown and undiscovered until an adversary breaches these systems.
Internet of Things
When looking at the security aspects of the physical connected to the digital, the Internet of Things (IoT) must be considered. IoT broadly refers to devices and equipment that are readable, recognizable, locatable, addressable, and/or controllable via the Internet.
The cyber-attack surface has grown exponentially larger in recent years with the meshing of OT and IT systems and the greater connectivity brought by IoT. IoT is an ever-expanding mesh of devices and networks connected to other systems and networks. It incorporates physical objects communicating with each other, both machine-to-machine and machine-to-person, and it encompasses everything from edge computing devices to home appliances, from wearable technology to cars. IoT represents the melding of the physical world and the digital world. According to the McKinsey Global Institute, 127 new devices connect to the internet every second.
A cybersecurity challenge of IoT is the lack of visibility and the inability to determine whether a device has been compromised and is not performing as intended. The increased integration of endpoints, combined with a rapidly growing and poorly controlled attack surface, poses a significant threat to the Internet of Things. Gaining visibility into, and being able to protect, the connected devices of IoT is quite a challenge. The United States Government Accountability Office (GAO) issued an assessment of the status and security issues surrounding the Internet of Things. The GAO identified the following types of attacks as primary threats to IoT: denial of service, malware, passive wiretapping, SQL injection, wardriving, and zero-day exploits.
Protecting such an enormous attack surface is no easy task, especially when there are so many varying types and security standards on the devices. It will only worsen as connectivity, for example in robotics, continues to grow.
Visibility for IT/OT
A cyber-breach is not a static threat to both IT and OT systems and is always evolving in tactics and capabilities. A successful security strategy necessitates building agile systems with operational capabilities and situational awareness to be able to monitor, recognize and respond to emerging threats. The good news is that there are common denominators that can be applied toward fortifying security.
Attaining visibility is the first step in an IT/OT convergence security strategy. For any CISO or CIO, it is critical to know what lives in your company’s or organization’s networks and to have an inventory of everything and everyone that may have access. That concept of visibility, knowing what assets you must manage and protect, is a fundamental aspect of any cybersecurity strategy, especially regarding critical infrastructure, where the costs of a breach may have devastating implications.
The fact is that many companies and organizations do not even know when and how an attack has occurred. It is not always their fault, as they are dealing with low budgets, antiquated technologies, and a lack of skilled workers. However, the consequences of a breach are too risky to ignore. For this reason, identifying what digital and physical assets are in your network is the first basic tenet of the NIST Framework, which integrates industry standards to mitigate cybersecurity risks.
Visibility is also a central theme of the U.S. government-mandated Zero Trust policies for agencies. On May 12, 2021, the White House issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” focused on requiring agencies to adopt Zero Trust frameworks and architectures to better close their security gaps. The basic elements of a Zero Trust architecture are to assume everything in the network is potentially hostile, not to base trust on network location, and to authenticate and authorize every device, user, and application attempting to access the network.
The crux of a Zero Trust model is to reach and maintain the highest achievable level of segmentation and fortification, so that the organization is as prepared as possible to minimize the odds of experiencing a breach and, by preventing escalation and lateral movement, to reduce the potential damage of such a breach to a strict minimum.
The North American Electric Reliability Corporation (NERC) provides a good example of the need to prioritize visibility in a security strategy to mitigate threats. NERC is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the critical infrastructure of the grid. NERC promotes visibility to its members in protecting their industrial cyber assets. Those assets include electronic access control or monitoring systems (intrusion detection systems, electronic access points, and authentication servers), physical access control systems (card access systems and authentication servers), and Protected Cyber Assets (networked printers, file servers, and LAN switches).
Cybersecurity visibility efforts can be enhanced by employing innovative technologies that monitor, alert, and analyze activities in the network. Emerging technologies such as artificial intelligence and machine learning tools can help provide visibility and predictive analytics for both physical and digital assets.
Critical Infrastructure a Top Target
DHS’s Cybersecurity & Infrastructure Security Agency (CISA) describes critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” The threats to critical infrastructure are growing and include phishing scams, bots, ransomware, and polymorphic malware.
In the U.S., most (approximately 85%) of the critical infrastructure, including defense, oil and gas, electric power grids, healthcare, utilities, communications, transportation, banking, and finance, is owned by the private sector and regulated by the public sector. The health and education sectors have been highly targeted by ransomware attacks in recent years. Manufacturing is also in the sights of criminal hackers. The energy sector stands out as being particularly vulnerable. This ecosystem of insecurity includes power plants, utilities, nuclear plants, and the grid.
A key reason why the sector has become more vulnerable is that hackers have gained a deeper knowledge of control systems and how they can be attacked and can employ weaponized malware against power stations and other energy-related critical infrastructure assets.
The vulnerability of energy infrastructure to IT/OT attacks was illustrated clearly by the Colonial Pipeline ransomware attack, and the threat remains high. There are many examples of such attacks, primarily initiated via IT networks with the threat of cascading into OT networks. Another example of this type of attack was the Dragonfly group, which targeted the energy sector in the United States, Switzerland, and Turkey across the layers of the IT and OT environments via traditional IT attack vectors.
Critical Infrastructure is a high-profile target for both geopolitical and economic considerations for criminal hackers and adversarial nation-states. Critical infrastructure includes defense, oil and gas, electric power grids, health care, utilities, communications, transportation, education, banking and finance.
In 2023, the scale and frequency of attacks on critical infrastructure are certainly alarming. Adversaries have gained a deeper knowledge of control systems and how they can be attacked with weaponized malware. Some of those examples are being witnessed in the current Russian-Ukrainian conflict where Russia has combined digital attacks with kinetic attacks on the Ukrainian government and civilian infrastructures.
Ransomware Threat
The 2022 Dragos ICS/OT Cybersecurity Year in Review noted that in 2022, “breakthrough evolution in the development of malware targeting industrial control systems (ICS), scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape.” The Dragos study also noted that “ransomware represents a top cyber risk to industrial organizations, particularly those without a Defensible Architecture. OT security strategies often start with hardening the environment—removing extraneous OT network access points and maintaining strong policy control at IT/OT interface points. Dragos service engagements included a finding about improper network segmentation in 50 percent of cases and a finding of external connections from OEMs, IT networks, or the Internet to the OT network in 53%, showing there is still a long way to go to defend against ransomware risks.” (Source: 2022 ICS/OT Cybersecurity Year in Review Is Now Available | Dragos)
Operators of critical infrastructure will need to be more proactive going forward when it comes to IT/OT convergence. The analyst firm Gartner Inc. projected deaths due to a cybersecurity threat weaponizing industrial facilities by 2025. The firm sees the cost of attacks that cause fatalities reaching $50 billion per year. (Source: DHS Secretary: “Killware,” Malware Designed to Do Real-World Harm, Poised to Be World’s Next Breakout Cybersecurity Threat | CPO Magazine)
IT/OT Convergence Security Strategies
Cyber risk management is the nexus for securing cyberspace, especially in OT/ICS operating environments. IT and OT teams will need to work closely together, and this will require creating a cyber-resilience framework that assesses situational awareness, adheres to compliance mandates, aligns policies and training, optimizes technology integration, promotes information sharing, establishes mitigation capabilities, and maintains cyber resilience in the event of incidents.
To help ameliorate threats, security operators should apply a comprehensive risk framework to address the vulnerabilities of OT/IT convergence. It is especially important for the public and private sectors to coordinate on, and to apply and enforce, industry security protocols.
An IT/OT Cybersecurity Strategy & Framework to Defend Against Cyber-Attacks
The consulting firm McKinsey & Company notes that “enhancing operational technology (OT) cybersecurity is challenging, as it presents barriers in multiple areas: technical (such as legacy and remote solutions), operational (such as the decisions on which parts of the process the IT and OT teams own), and investment (such as a shortage of the trained skill sets).” (Source: Enhancing Operational Technology (OT) cybersecurity | McKinsey)
An IT/OT cybersecurity strategy to meet those growing challenges needs to be both comprehensive and adaptive. Cybersecurity relies on the same elements for protection as physical security: layered vigilance, readiness, and resilience. Meeting the challenges also requires public/private cooperation in sharing threat information, best practices, incident response, and emerging technology solutions to help mitigate attacks.
At its most basic, a cybersecurity strategy and framework for OT/IT networks should consist of the following elements:
- Security by Design: OT, ICS, and SCADA networks and IT networks need to be designed, updated, and hardened to meet growing cybersecurity threats. This requires a security-by-design approach that builds agile systems with operational cyber-fusion to be able to monitor, recognize, and respond to emerging threats. Segmenting vulnerable networks and remote connectivity should be a priority. Security by design can also identify system and operational dependencies up front, before the process begins, to remove risk. This should be accompanied by an Identity and Access Management (IAM) policy that only allows access to networks and data by delegated users who are monitored. A comprehensive resource for OT security operations can be found at NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems | CISA
- Layered Vigilance and Defense in Depth: vulnerability assessments need to be instilled up front in the security process. This should include mapping the control systems and communication flows, and all connected devices in the network should be prioritized. Encryption of data flowing from sensors and segmentation of OT and IT should be included as a layer. The vigilance should incorporate best practices from industry cybersecurity standards and processes, including NIST, IEC 62443, the ISO 27000 series, the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for Industrial Control Systems (ICS) framework, and others according to verticals. Identity and access management and control tools are also vital considerations. Innovations in networks, payloads, endpoints, firewalls, antivirus software, and encryption can also harden critical assets against attacks. Also, automated network monitoring and enforcement tools can be used to detect threats and to enforce segmentation rules, with their alerts forwarded to SIEM/SOAR systems.
- Situational Awareness: there is a need to continually surveil, analyze, and wargame the critical infrastructure cyber-threat landscape. There is no substitute for good intelligence. Real-time on-the-scene intelligence and operational alarms that relay critical information to the appropriate response personnel are an essential part of that response matrix. This also includes monitoring gap areas such as insecure web interfaces, insufficient authentication and authorization, lack of transport encryption, insecure cloud interfaces, insecure mobile interfaces, and vulnerable hardware, software, and firmware. In OT operations, Secure Operations Technology (SEC-OT) is the methodology used to manage the information flows that can carry attacks. With SEC-OT protections, such as removable media controls and removable device controls, IT-initiated cyber-attacks cannot reach the industrial control systems.
- Cyber Hygiene: the requirement for basic cyber-hygiene never diminishes, and the industrial sectors must take extra heed of that reality because of the stakes involved. Those who seek to infiltrate critical infrastructure and exfiltrate data will always explore the easiest way first. Unfortunately, most of the time that approach works. IT/OT cybersecurity preparedness needs to follow basic cyber-hygiene, including strong passwords and multi-factor authentication for employees.
- Information Sharing: the specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency. Cooperation within industries and with government (public/private partnerships) is a proven model to follow. Preparation and commitment from both government and industry leadership are critical to help thwart threats. Subscription to threat intelligence services can also provide timely OT and IoT threat intelligence.
- Incident Response and Readiness: protecting industrial control systems used by utilities from both physical and cybersecurity threats is a component of the dynamic threat environment and response matrix that constitutes their security environments. Many critical infrastructure (CI) readiness monitoring tools are available to assess and validate readiness in a SOC visual command center. The ability to disconnect CI from the internet and continue to operate should be part of any incident response plan.
What works in IT cybersecurity may pose risks in OT cybersecurity, where patching may not be an option. A breach can have catastrophic consequences for both OT and IT networks, and it is essential that security measures deliver speed to mission to mitigate threats. This speed is required for monitoring ports and services, security patch management, malicious software identification, and especially rapid incident response.
Also, it is prudent for security risk strategies to consider automating vulnerability assessments with machine learning and artificial intelligence, and filling other operational gaps with tools such as data loss prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
- Training and Resilience: a risk management strategy should prioritize continual training (table-top exercises) to prepare a coordinated response in the event of a breach, along with a plan for communicating and enabling recovery. Management, legal, and public affairs need to be prepared. Assigned roles and training on how to respond to a breach need to be incorporated into incident response planning for resilience.
Because of the changing digital landscape and the consequences of being breached, creating a cybersecurity framework that encompasses resiliency is a top priority for mitigating both current and future threats.
Cyber resilience is defined as being able to recover and continue to operate in the event of an incident. Sometimes that is easier said than done, especially with the morphing of threats. Cyber resilience is an area that must be continually developed, both in processes and in technologies, in a changing digital landscape, because no matter what, breaches will happen.
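The visibility section above (knowing what lives on the network and keeping an inventory) and the Layered Vigilance item (automated tools that enforce segmentation rules and forward findings to a SIEM/SOAR) describe controls that can be checked mechanically. The Python script below is an added example, not code from the article or from any vendor product named in it. It reconciles constructed flow-log lines against a constructed asset inventory and a zone-and-conduit policy in the IEC 62443 style: devices missing from the inventory are reported as visibility gaps, cross-zone traffic that no approved conduit permits is flagged, any connection from outside the organization's address space into an OT zone is treated as the highest-severity case (the kind of external-to-OT connection the Dragos figures above count), and each finding is emitted as a JSON line that a SIEM could ingest. Every address, zone name, conduit, port and log line is an assumption constructed for the example.

```python
"""Added example: check flow records against an asset inventory and an
IT/OT zone-and-conduit policy, emitting SIEM-ready findings.

All assets, zones, conduits and flow lines are constructed for the example.
"""
import ipaddress
import json
import re

# Constructed asset inventory: the "know what lives in your network" step.
ASSETS = {
    "10.1.5.20":  {"name": "erp-app-01",    "zone": "enterprise-it"},
    "10.1.5.21":  {"name": "hr-ws-114",     "zone": "enterprise-it"},
    "10.10.0.10": {"name": "historian-dmz", "zone": "idmz"},
    "10.20.0.5":  {"name": "scada-srv-01",  "zone": "ot-control"},
    "10.20.0.6":  {"name": "hmi-line3",     "zone": "ot-control"},
    "10.30.1.7":  {"name": "plc-line3-a",   "zone": "ot-field"},
}

# Constructed conduit policy: permitted cross-zone flows and their destination
# ports. Traffic that stays inside one zone is allowed by default.
ALLOWED_CONDUITS = {
    ("enterprise-it", "idmz"): {443},          # ERP reads reports from the DMZ historian
    ("ot-control", "idmz"): {1433},            # historian replication pushed out of OT
    ("ot-control", "ot-field"): {502, 44818},  # Modbus/TCP and EtherNet/IP to PLCs
}
OT_ZONES = {"ot-control", "ot-field"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed internal address space

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if it is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def zone_of(ip):
    """Zone from the inventory; 'external' outside INTERNAL_NETS; None if unknown."""
    asset = ASSETS.get(ip)
    if asset:
        return asset["zone"]
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in INTERNAL_NETS):
        return "external"
    return None


def evaluate_flow(rec):
    """Return the list of findings for one flow record (empty if compliant)."""
    findings = []
    src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
    # Visibility gap: an internal address that is not in the inventory.
    for role, ip, zone in (("src", rec["src"], src_zone), ("dst", rec["dst"], dst_zone)):
        if zone is None:
            findings.append({"type": "unknown-asset", "ip": ip, "role": role, "flow": rec})
    if src_zone is None or dst_zone is None or src_zone == dst_zone:
        return findings  # conduit cannot be judged, or traffic stays in one zone
    # Anything from outside the organization reaching an OT zone is top severity.
    if src_zone == "external" and dst_zone in OT_ZONES:
        findings.append({"type": "external-to-ot", "flow": rec})
        return findings
    if rec["dport"] not in ALLOWED_CONDUITS.get((src_zone, dst_zone), set()):
        findings.append({"type": "segmentation-violation",
                         "conduit": f"{src_zone}->{dst_zone}",
                         "dport": rec["dport"], "flow": rec})
    return findings


def scan_flows(lines):
    """Evaluate every line; malformed lines are reported rather than skipped silently."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            findings.append({"type": "unparseable-flow", "line": line})
            continue
        findings.extend(evaluate_flow(rec))
    return findings


def to_siem_event(finding):
    """Serialize one finding as a JSON line for forwarding to a SIEM/SOAR."""
    return json.dumps({"source": "ot-conduit-check", **finding}, sort_keys=True)


# Constructed sample flow lines for a stand-alone run.
SAMPLE_FLOWS = [
    "2023-06-01T10:00:00Z src=10.1.5.20 dst=10.10.0.10 dport=443 proto=tcp",   # permitted conduit
    "2023-06-01T10:00:05Z src=10.20.0.5 dst=10.30.1.7 dport=502 proto=tcp",    # permitted conduit
    "2023-06-01T10:01:10Z src=10.1.5.21 dst=10.20.0.6 dport=3389 proto=tcp",   # IT workstation to HMI
    "2023-06-01T10:02:00Z src=203.0.113.9 dst=10.30.1.7 dport=502 proto=tcp",  # outside address to PLC
    "2023-06-01T10:03:30Z src=10.30.1.99 dst=10.20.0.5 dport=502 proto=tcp",   # device not in inventory
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(to_siem_event(f))
```

Run stand-alone, the script prints three JSON lines: a segmentation violation for the RDP attempt from the IT workstation to the HMI, an external-to-OT finding for the outside address reaching the PLC, and an unknown-asset finding for the device that talks to the SCADA server but is absent from the inventory. In a real deployment the inventory and conduit tables would come from the asset-management system and the zone design, and the flow lines from NetFlow, firewall or passive OT monitoring exports; the check logic stays the same.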
Conclusion
The worlds of Information Technology (IT) and Operational Technology (OT) are converging, and the rapidly expanding attack surfaces are exposing vulnerabilities and creating detection and orchestration challenges. Companies and organizations should focus on understanding what assets are vulnerable in their meshed IT/OT environments and update their risk management and mitigation strategies accordingly.
Protecting operations and data in any security approach needs to be dynamic. As the sophistication of hackers and the intertwined IT/OT attack surface grows, the cyber threats will continue to evolve. Hopefully, we can help mitigate those old and new threats with a risk management strategy that includes stronger IT/OT collaboration and increased preparation and resiliency.
Chuck Brooks serves as President of Brooks Consulting International and is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also an Adjunct Faculty at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Risk Management Programs. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated. He is a contributor to securityinfowatch.com and is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, an Expert for Executive Mosaic/GovCon, and a Contributor to FORBES.