OT and IT Cybersecurity
Why existing security paradigms fall short
2021 was the year in which cyber attacks on industrial targets and critical infrastructures became mainstream. From the attack on the Colonial Pipeline to the recent Transnet hack, it was the year when the public – not to mention senior executives – learned the difference between IT and OT networks. And everyone learned that weaknesses in OT cybersecurity can have consequences that affect everyday life.
According to OTORIO, the year 2022 will pose at least as great a challenge for manufacturers and utilities with critical infrastructure. Given these prospects, it is more important than ever to understand the differences between OT and IT cyber security – and to understand why the existing OT cybersecurity paradigms are still insufficient.
IT cybersecurity specializes in securing the bits and bytes that are critical to running any business. OT cybersecurity, on the other hand, focuses on securing data and physical systems. In 2021, those responsible for OT networks learned the importance of choosing a cyber defense approach that is specifically tailored to the requirements of the OT environment: an approach designed from the ground up for OT challenges.
In a recently published study on OT Cybersecurity 2022, OTORIO asked 200 CISOs from leading industrial companies whether they feel they are getting the best benefit from their existing cybersecurity solutions. Many of the respondents agreed that this is not the case. Why do the existing OT security paradigms not deliver what they promise?
The Top Five Reasons for the Failure of Existing OT Cybersecurity Paradigms
According to survey participants, the five most important reasons why their existing OT cybersecurity solutions do not bring the desired benefits are the following: “lack of skills for operation” (57 percent), “remedial measures are not feasible” (49 percent), “leads to great alarm fatigue” (44 percent), “too complicated to use” (33 percent) and “effective only for detection after a network intrusion” (27 percent). But what do these answers mean in practice?
1: Lack of skills for operation
According to OTORIO’s study, in 31 percent of companies the head of the manufacturing/engineering department is responsible for OT cybersecurity – not a cybersecurity specialist. However, first-generation OT cybersecurity solutions were designed for the IT environment (i.e. for enterprises) and retrofitted for OT. As such, they require special skills that are available in the IT SOC (Security Operations Center) but rarely in the OT area. The result: OT cybersecurity tools are often implemented or operated incorrectly and therefore offer suboptimal protection.
2: Remedial measures are not feasible
While many solutions detect potential threats, they only provide theoretical or vague guidance on how to mitigate them. Others provide detailed playbooks, but these are not relevant to OT.
Patching is one example. Security patching in OT is very different from patching in IT, because patching OT components requires a complete shutdown of production, so operators of OT networks patch their components rarely, if at all. Any damage control plan for OT that relies on patching is almost never feasible.
In addition, specialists in industrial or critical infrastructure often work on site without a full team of security engineers or analysts. Remedial measures must therefore be very detailed, clear and specifically tailored to the respective environment in order to enable quick and effective implementation.
3: Leads to great alarm fatigue
Today’s OT solutions are mainly based on detecting potential security breaches and then alerting the security officers. However, even the best detection tools deliberately emit a lot of warnings, as they prefer to play it safe. To make matters worse, most OT security paradigms rely on several different solutions – each with its own warning threshold. It is not uncommon for a number of different solutions to send alarms from different parts of the network that all relate to a single event. The resulting alarm fatigue can leave attackers undetected for a relatively long time, and it keeps security teams from focusing on genuinely critical risks instead of false-positive reports.
4: Too complicated to use
As already mentioned, many OT cybersecurity solutions are actually retrofitted IT solutions. They are not really aligned with OT-specific processes or procedures and require their operators to have a deep understanding of both OT and IT in order to use them “meaningfully”. Unfortunately, there is a shortage of skilled workers in the OT sector, which makes many older OT solutions unusable in practice.
5: Effective only for detection after network intrusion
Most existing OT security solutions are based on reactive detection after an intrusion into the network. Although detecting and mitigating attacks after the fact is an important part of the overall cybersecurity mix, responding after an attack is usually more costly and less effective than preventing it.
In OT environments – unlike in corporate IT – there is no tolerance for downtime. It can take days or even weeks for a production area to come back online after a shutdown, resulting in large financial losses. The costs are not only monetary: successful security breaches can seriously endanger health – and sometimes even life. And last but not least, they can damage the reputation of the operator, which as a rule has a long-lasting effect.
The Solution: Simplify OT cybersecurity
Specific platforms have now been developed for use in OT-native real-world ecosystems. With a user-friendly interface that both IT professionals and operations managers can work with, these dashboards help even laypeople understand exactly why and where the alarms are coming from. To improve speed and efficiency, modern solutions offer simple, easy-to-understand remedies tailored to each individual operations department. Such a platform also helps to overcome alarm fatigue: a modern solution consolidates and orchestrates thousands of suspicious events across the IT-OT-IoT network into a handful of meaningful, prioritized insights with simplified and proactive playbooks for mitigation.
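The consolidation described in this section, and the multi-tool alarm fatigue described under reason 3, come down to one mechanism: correlate alerts from several tools that concern the same asset in the same time window, drop exact duplicates, and rank the result by how critical the asset is and how many independent tools agree. The following is an added illustration of that mechanism in Python; it is not OTORIO's code or product logic. The alert records, the three tool names (ids, firewall, asset-inv), the asset names, the criticality table and the scoring rule are all constructed assumptions for the example.

```python
"""Correlate alerts from several OT security tools into a few prioritized insights.

Added example, not vendor code. Assumed input shape: every tool emits alerts as
dicts with keys tool, ts (ISO 8601), asset and sig (free-text signature).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical asset criticality (1 = low, 5 = highest). A PLC on the process
# network outranks an office workstation; values are constructed for illustration.
ASSET_CRITICALITY = {
    "plc-line1": 5,
    "hmi-line1": 4,
    "eng-ws-01": 3,
    "office-pc-17": 1,
}

# Constructed alerts as they might arrive from three separate tools, each with
# its own threshold. The first five describe one underlying event (an engineering
# workstation writing to a line PLC over SMB); the last two are a noisy duplicate
# on an office PC.
RAW_ALERTS = [
    {"tool": "ids", "ts": "2022-01-10T08:00:05", "asset": "eng-ws-01", "sig": "new host-to-host flow"},
    {"tool": "ids", "ts": "2022-01-10T08:00:06", "asset": "plc-line1", "sig": "unexpected SMB to PLC"},
    {"tool": "firewall", "ts": "2022-01-10T08:00:07", "asset": "plc-line1", "sig": "policy violation tcp/445"},
    {"tool": "firewall", "ts": "2022-01-10T08:00:07", "asset": "plc-line1", "sig": "policy violation tcp/445"},
    {"tool": "asset-inv", "ts": "2022-01-10T08:00:20", "asset": "plc-line1", "sig": "config write observed"},
    {"tool": "ids", "ts": "2022-01-10T13:30:00", "asset": "office-pc-17", "sig": "outdated TLS cipher"},
    {"tool": "ids", "ts": "2022-01-10T13:30:01", "asset": "office-pc-17", "sig": "outdated TLS cipher"},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window per asset


@dataclass
class Insight:
    """One prioritized finding built from all alerts on an asset in a window."""
    asset: str
    window_start: datetime
    tools: set = field(default_factory=set)
    signatures: list = field(default_factory=list)
    raw_count: int = 0  # how many raw alerts collapsed into this insight

    @property
    def score(self) -> int:
        # Hypothetical scoring: asset criticality weighted by the number of
        # independent tools that flagged the asset in this window.
        return ASSET_CRITICALITY.get(self.asset, 1) * len(self.tools)


def correlate(alerts, window=WINDOW):
    """Group alerts per asset into time windows, dedupe, and rank by score."""
    by_asset = defaultdict(list)
    for a in alerts:
        by_asset[a["asset"]].append({**a, "ts": datetime.fromisoformat(a["ts"])})

    insights = []
    for asset, items in by_asset.items():
        items.sort(key=lambda a: a["ts"])
        current, seen = None, set()
        for a in items:
            # Open a new window when the gap to the window start exceeds WINDOW.
            if current is None or a["ts"] - current.window_start > window:
                current, seen = Insight(asset=asset, window_start=a["ts"]), set()
                insights.append(current)
            current.raw_count += 1
            key = (a["tool"], a["sig"])
            if key in seen:
                continue  # identical alert from the same tool: pure noise
            seen.add(key)
            current.tools.add(a["tool"])
            current.signatures.append(f'{a["tool"]}: {a["sig"]}')

    insights.sort(key=lambda i: (-i.score, i.window_start))
    return insights


if __name__ == "__main__":
    for ins in correlate(RAW_ALERTS):
        print(f"[score {ins.score:2d}] {ins.asset} @ {ins.window_start:%H:%M:%S} "
              f"({ins.raw_count} raw alerts, tools={sorted(ins.tools)})")
        for sig in ins.signatures:
            print(f"    - {sig}")
```

Run as a script, the seven raw alerts collapse into three insights, and the PLC lands on top because three different tools flagged it within one window, which is exactly the signal that separate dashboards with separate thresholds hide from an operator. The scoring rule is deliberately simple; a production system would also pull in the OT-specific factors the article mentions, such as whether a mitigation is feasible without a shutdown.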
The most important finding from this part of the OT Cybersecurity Study 2022 is clear: OT requires specific, intuitive solutions that meet the specifics of the environment and are tailored to human users.