How has digital transformation changed how we secure critical functions connected to operational technology (OT) systems?

In June 2022, Forescout research uncovered 56 vulnerabilities affecting devices from 10 OT vendors that could be exploited by threat actors, highlighting the prevalence of ‘insecure-by-design’ vulnerabilities in OT products that could have severe repercussions on unprepared organizations.

CybersecAsia discussed the impact of digital transformation and IT-OT convergence on security for organizations in Asia Pacific with Dave Patnaik, Head of Asia Pacific & Japan, Forescout.

In the digital economy we’re in today, is there a need to differentiate between OT and IT? If so, why?


Dave Patnaik (DP): Operational Technology (OT) and Information Technology (IT) have traditionally functioned independently. The line between the two is becoming blurred as organizations increasingly connect their OT systems to IT networks in the pursuit of higher operating efficiencies.

While cybersecurity is today recognized as a key requirement in corporate boardrooms worldwide, the focus is generally placed on protecting IT networks. Many organizations today still have inadequate OT security frameworks in place that lack features common in IT cybersecurity, impacting their ability to adequately protect critical functions governed by these OT systems.

IT-OT convergence can bring increased security risks to facilities and operations. Threat actors can leverage IT networks to access and exploit vulnerabilities of previously isolated OT systems, potentially leading to costly real-world consequences.

It is essential to note that IT-OT convergence is not merely an integration of technologies, but also of teams and processes. Effective security means that IT security teams must incorporate the nuances of industrial environments as a key consideration. For instance, the scale, complexity, and mission-critical nature of OT such as water treatment plants often means that it is not possible to take them offline to patch or configure vulnerabilities.

As organizations move towards IT-OT convergence, it will be critical to ensure that new vulnerabilities are not introduced during the integration process. Specific actions have to be taken to ensure that highly vulnerable OT and industrial control system (ICS) networks are maintained and protected within modern, heterogeneous network environments.

Understanding how IT and OT interoperate, and carefully segmenting these networks, will be important to prevent breaches from spreading laterally. This can help organizations holistically and effectively manage risks to their OT infrastructure, and will be increasingly vital to help minimize the potential for disruption.

Just recently, Forescout research uncovered 56 vulnerabilities affecting devices from 10 OT vendors that could be exploited by threat actors. With OT infrastructure being exposed to an increasing number of threats today, what are the key challenges encountered in detecting and mitigating these threats?

DP: By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors. The reality is that the failure of an ICS network controlling critical infrastructure like an electricity grid, oil rig, or emergency response services could have catastrophic results.

We have observed 4 unique challenges that the IT-OT convergence is creating for critical infrastructure companies in the digital-first reality:

1. New attacks built specifically to target OT

Threat actors are constantly adapting their attacks, and the IT-OT convergence has seen the rise of attack methods aimed at shutting down critical OT networks, termed disruptionware. As evidenced by the Colonial Pipeline attack, disruptionware typically originates in an IT network. The goal of disruptionware is specifically to suspend essential operations or undermine safety by disrupting key processes of critical infrastructure services.

2. Explosive growth of Industrial IoT (IIoT) devices

Asia Pacific’s IIoT market is projected to reach US$46bn by 2030, growing at a CAGR of 8% between 2022 and 2030. Vulnerabilities arising from unmanaged and misconfigured IoT devices create a significant visibility gap for security teams, and can serve as entry points or attack vectors for threat actors. As the scale and diversity of IoT technology expands, enhancing the ability to effectively monitor and control all connected devices should become a critical focus of an organization’s cybersecurity strategy.

3. Increased workloads amid cybersecurity talent crunch

Security teams that once primarily monitored IT systems are now also responsible for overseeing OT security. With Asia Pacific experiencing a shortage in skilled cybersecurity talent, this can be challenging for already overloaded security teams. Analyzing data arising from thousands of devices, potential areas of risk like changes in communication behavior and insecure protocol communications, and new vulnerabilities affecting OT devices is incredibly time-consuming, increasing the challenges for today’s security teams.

4. Regulatory compliance

Maintaining compliance with regulatory standards is more important than ever as standards become more stringent, evidenced by major economies such as Singapore adapting national cybersecurity policies to include an emphasis on OT.

The vulnerabilities and associated issues disclosed in Forescout’s research report range from persistent insecure-by-design practices in security-certified products to inadequate attempts to fix them. Moving ahead, it will be crucial for asset owners to understand how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them, and the often-false sense of security offered by certifications complicate OT risk management efforts.
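Two points in the answers above, segmenting IT and OT networks to stop lateral movement and triaging flow data for changes in communication behaviour and insecure protocol use, can be made concrete with a small defender-side check. The script below is an added example written for this page; it is not Forescout's code or anything from the research report. It assumes a constructed zone model (IT, an industrial DMZ, and the OT zone), a short allow-list of permitted zone-to-zone conduits, a baseline of previously observed peer pairs, and a handful of constructed NetFlow-style records; the IP ranges, port list and flows are all made up for illustration.

```python
"""
Flag IT/OT segmentation violations, insecure OT protocol use across zone
boundaries, and communication pairs not seen in the baseline.

Constructed example for illustration; zone ranges, conduits, baseline and
flows are all assumptions, not data from any real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone model: corporate IT, an industrial DMZ, and the OT/ICS zone.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("192.168.100.0/24"),
}

# Conduits the segmentation policy permits (source zone -> destination zone).
# IT reaches OT only through the DMZ; traffic inside a zone is allowed.
ALLOWED_CONDUITS = {
    ("IT", "IT"), ("IT", "DMZ"),
    ("DMZ", "OT"), ("OT", "DMZ"),
    ("OT", "OT"),
}

# Protocols with no built-in authentication or encryption, keyed by their
# registered default TCP port. Use across a zone boundary is worth an alert.
INSECURE_PROTOCOLS = {
    23: "telnet",
    502: "modbus-tcp",
    20000: "dnp3",
    44818: "ethernet-ip",
}

# Constructed baseline of (src, dst) pairs seen during a learning window.
BASELINE_PEERS = {
    ("10.10.5.23", "10.20.0.10"),
    ("10.20.0.10", "192.168.100.15"),
    ("192.168.100.15", "192.168.100.16"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is outside the model."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def evaluate(flow: Flow) -> list[str]:
    """Return the findings for one flow; an empty list means nothing to flag."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    findings = []
    if (src_zone, dst_zone) not in ALLOWED_CONDUITS:
        findings.append(f"segmentation-violation {src_zone}->{dst_zone}")
    proto = INSECURE_PROTOCOLS.get(flow.dport)
    if proto and src_zone != dst_zone:
        findings.append(f"insecure-protocol {proto} across {src_zone}->{dst_zone}")
    if (flow.src, flow.dst) not in BASELINE_PEERS:
        findings.append(f"new-peer {flow.src}->{flow.dst}")
    return findings


def triage(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Keep only the flows that produced at least one finding."""
    results = {f: evaluate(f) for f in flows}
    return {f: r for f, r in results.items() if r}


# Constructed sample records (src, dst, destination port).
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.10", 443),             # IT -> DMZ historian: clean
    Flow("10.20.0.10", "192.168.100.15", 502),         # DMZ -> PLC over Modbus: allowed conduit, insecure protocol
    Flow("10.10.5.23", "192.168.100.15", 502),         # IT -> PLC directly: bypasses the DMZ
    Flow("192.168.100.15", "192.168.100.16", 502),     # PLC -> PLC inside OT: clean
    Flow("203.0.113.7", "192.168.100.15", 23),         # unmodelled source -> PLC over telnet
]

if __name__ == "__main__":
    for flow, findings in triage(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}")
        for f in findings:
            print(f"  {f}")
```

Running it lists three of the five constructed flows: the Modbus conduit from the DMZ into OT (permitted by policy, but a plaintext, unauthenticated protocol crossing a boundary), the IT workstation talking straight to a PLC, and the unmodelled external source using telnet. The same three checks scale to a real flow export; the point is that zone-to-zone conduits, protocol choice and deviation from a learned baseline are separate signals, and an analyst wants all three rather than any one alone.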

In addition to developing talent, how can organizations and governments best secure their OT networks? Why are cybersecurity capabilities related to visibility and automation becoming mission-critical?

DP: The management of OT infrastructure often involves the use of thousands of interconnected devices to monitor and control operations that were once manual. To secure them all, organizations invest heavily into multiple point solutions that don’t necessarily work together. Each disparate solution may also need to be individually configured and updated, a highly time-consuming process.

The complexity involved in monitoring extensive OT networks can be greatly reduced by automating and orchestrating security operations across all assets on a single platform. These can:
    • Ensure existing security products are installed, running and up to date
    • Share rich device, user and network context between different IT and security products
    • Automate system-wide policy enforcement across disparate solutions
    • Accelerate response actions to contain threats and mitigate risks

To secure OT and ICS, organizations need to maximize visibility into their OT environments, tightening security across the entire enterprise. With proper visibility, segmentation, and orchestration of point solutions across the entire threat landscape, organizations can effectively identify and rebuff cyber-attacks on their networks, and carry on operations with confidence.

From a regulatory standpoint, initiatives such as Singapore’s Cybersecurity Labelling Scheme (CLS) can enable users to identify IoT devices with better cybersecurity provisions, and incentivize manufacturers to develop more secure products.

While OT standards in Asia Pacific remain a work in progress, global regulations like the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards and the European NIS Directive require comprehensive asset visibility and management as a foundation. This is underscored by the US$10m fine issued by NERC CIP this year, the largest public fine in its history.