27 Dec The Right Way to Manage Your OT/IT Convergence
What it is and what happens when you improperly converge…
There is actually a right way to manage your OT/IT convergence; that is separating your IT from your OT. Because if you don’t… well, you might just be in for a world of hurt.
And by “you”, I mean you, your company, the environment, and unsuspecting bystanders (sometimes callously aka “collateral damage”). Here’s what you need to know in a nutshell without the geek-speak:
Commonly referred to as the “Business Side of the House,” IT (Information Technology) is responsible for many things. Mostly, ensuring the networks, databases, web servers, email, and computers used for business decisions are secure and working efficiently. IT is responsible for tasks such as forecasting, budgeting, and reporting.
The “operations side of the house,” or OT (Operational Technology) is responsible for everything revolving around the operations and delivery of the product. This includes operating valves and powering-on pumps, often referred to as the “Process Control Network”.
Because IT is concerned with running the business, and OT is concerned with product and process – traditionally, each stays within its own lane.
So, what exactly happens when IT and OT are allowed to play freely in the same sandbox without a chaperone?
Read on to find out how you can prevent a tragedy like the one with Colonial Pipeline in May of 2021. IT and OT should NOT be dependent on each other. Because Colonial Pipeline’s IT and OT were dependent on each other, a compromised IT network made it impossible for pipeline operations (OT) to continue. We need to decouple these dependencies, so that the compromise of one does not impact the other.
Why is this important to IT/OT Convergence?
Because even if hackers managed to gain access to IT, they wouldn’t be able to shut down operations. Gone is their ability to bring things to a screeching halt.
As a result, IT has restricted access to OT for things such as inventories, line fills, meter tickets, etc. (for reporting purposes). Additionally, IT should not, under any circumstances, have the ability to control anything within OT.
So, is OT/IT Convergence ever a Good Idea?
With the rise of the Cloud and the introduction of the Internet of Things (IoT), vendors are pushing connected devices across industries. Vendors are pitching IoT devices such as vibration analytics, equipment monitoring, production forecasting, and downtime optimization. These connected devices allow operators of connected plants to simultaneously control and analyze for performance.
This rising trend connects IT/OT departments and personnel together for efficient business decisions. Big data analytics, machine learning and artificial intelligence that wasn’t previously available has made this all possible.
In this new world, OT professionals are working closely with IT professionals to educate them about how factories and plants work. As these professionals work together, they can safely connect the departments. And likewise, IT professionals are working with maintenance and operations people to learn how field equipment works.
IT/OT Convergence allows leadership to have better visibility of data across the entire business for faster business decisions and monitoring of asset performance. A great example of this is predictive maintenance. This allows companies to get ahead of failures to make real-time decisions on maintenance and planned shutdowns. Many companies have already undergone aspects of this digital transformation, especially after the COVID-19 pandemic, where employees had to work remotely.
The traditional Purdue model for IT/OT security, and how IOT couples IT and OT, causing risk for security.
While this interconnectivity sounds great for companies looking to optimize their operations, it also helps to bridge the gap between IT and OT.
TAKE NOTE: Improper implementation of IoT leaves vulnerabilities for hackers to gain access to the operations side of your business.
So, how catastrophic was the OT/IT Convergence Issue with Colonial Pipeline?
Colonial Pipeline Cyber Incident | Department of Energy
Colonial Pipeline (CP) is a company that operates more than 5,500 miles (about 8851 km) of oil pipeline from the Gulf of Mexico to New York. CP supplies an estimated 45% of the fuel to the East Coast. That’s a big meatball!
Is it any wonder hackers took advantage of CP’s weaknesses?
GET THIS: Colonial Pipeline broke the IT/OT threshold because they tied their financial accounting systems (IT) into their business and operations process (OT).
Because of this, the pipeline could no longer move product due to lack of scheduling, shipper/inventory management, and billing systems.
Hackers quickly identified this mistake and took full advantage. While they were not able to get into the OT networks, they did access the IT network, and because they were so tightly integrated, they brought the pipeline giant to a grinding halt.
The saddest twist of all: The group of hackers, otherwise known as DarkSide, gained access to Colonial Pipeline’s network via an exposed/compromised password for a dormant/unused VPN account.
The hackers gained access on May 6th, pulled out around 100 GB of data, and lurked in CP’s system analyzing other vulnerabilities. They actually launched their full-scale cyber attack on May 7th. These hackers shut down the pipeline for six days causing fuel shortages for millions of people along the U.S. East Coast in May 2021.
Colonial Pipeline System Map
Compromised Passwords: Not Just for the Computer Illiterate…
How inconceivable is it that an enterprise company employed staff that thought this was acceptable practice?
A compromised password, one that had been used at a different website or access point inside or outside Colonial Pipeline, is what started the chaos across the U.S. East Coast.
Companies like Colonial Pipeline are employing various IoT-enabling services, all bridging the IT/OT divide, all with varying levels of security. Sadly, as the IoT trend continues, few companies offer system-wide solutions with high levels of security. Hackers know this, and they’re using every opportunity to capitalize on passwords and other new means across the various IoT platforms.
Companies like Colonial are bringing in IoT companies that help track productivity, reduce costs, improve maintenance and reporting.
Why?
All because they don’t want to hire and develop people internally for these tasks. Most third-party IoT vendors differ in cost and value-add, so companies pick and choose who to contract.
This means that company personnel have accounts and passwords with VARIOUS VENDORS that all have varying security standards; all having access to aspects of IT and OT networks. This is a huge concern for critical infrastructure companies, and huge opportunities for malicious actors, including nation state actors and those hacking purely for monetary gains, such as Darkside, as well as hacktivists.
Seeing a trend yet?
The Bigger Cyber Problem of OT/IT Convergence that will Devastate Companies
Most initial SCADA implementations took place decades ago. Every few years, new components are added to the SCADA framework: new SCADA software and control center architectures, upgraded security features, panels, PLCs, and controllers are iteratively retrofitted into the system.
As OT experts retire and younger engineers are promoted to those positions at a rate of only 5:1, inherent knowledge of SCADA architecture is gradually lost. As the knowledge gap widens between retiring OT experts and fresh administrators, companies can become exposed to cybersecurity and efficiency vulnerabilities.
Eager to retain security, companies PATCH their OT networks like worn-out jeans with extra security features that aren’t optimized for the existing SCADA system. Few within the organization understand every aspect of their OT system in detail. This is a piecemeal pattern for disaster.
Segmentation of knowledge, paired with haphazard upgrades exposes the organization to cyber threats. Companies must retain awareness of the operation and security of their OT networks. They must perform vulnerability assessments at a minimum once every year.
Solutions to Blocking a Threat Actor
Components of a vulnerability assessment: physical As-Is Assessment, Network Mapping, and Firmware Scanning of existing infrastructure
In order to adequately audit an organization’s OT environment, IT or OT communications departments catalogue every component of their architecture. Management must reference and trace each communication network, valve, pump, PLC, firewall, etc… from the field level to the control room to ensure purpose and effectiveness. For an EFFECTIVE audit, a deep understanding of each facility and its interconnectivity to the home office or control room is essential. Personnel must regularly update and verify P&IDs (Piping and Instrumentation Diagrams) to ensure documentation remains true to Total Asset Awareness.
Furthermore, technical and corporate communications groups and integrators must develop a detailed understanding of interconnectivity. They must know which devices are connected to which network and through which firewall. For any installed third-party IoT devices across an organization – the security of communication is imperative for administrators, including any logins and passwords. Periodically, management must evaluate the communication protocol through which signals travel and then the accuracy of those data packets. Lastly, ICS administrators must ensure that the firmware is evaluated for code-level vulnerabilities and updates.
Corporate leadership can only make educated decisions to fortify critical infrastructure AFTER seeing the results of regular vulnerability assessments and OT documentation.
Zero Trust Networks Protect Your Assets when Managing Your OT/IT Convergence the Right Way
CTOs and CIOs can securely implement IoT in industrial environments. This is nothing new. They must take adequate consideration to ensure the resiliency of their OT networks. CTOs and CIOs know that the best practice in keeping OT systems secure is to institute Zero-Trust capabilities into the industrial network architecture. The Zero-Trust method protects networks by focusing on three main areas:
- Companies must identify who will be using the network, and what devices they will use to access it. These users and devices must prove who they are through unique password-protected accounts with multi-factor authentication.
- Once OT Integrators identify users and devices, they then use microsegmentation to limit access to data that is relevant only to that user or device.
- Key personnel actively monitoring the behavior of the user or device is important to ensure that there are no vulnerabilities in the network.
Implementing a zero-trust method into your network is the ONLY way to ensure protection from cyber terrorism. User and device network access segmentation means that even if hackers gain access, they will only do so within the borders of the isolated network segment.
Many firms (that are not considered major operators) will not have large technical and corporate communications departments. Their departments are not capable of handling all aspects of their OT security and underlying software and communications infrastructure. Instead, those companies turn to UTSI to fill that important knowledge gap.
With over 40 years of experience in the latest best practices, and implementation of full-scale Operational Technologies for critical infrastructure systems, the team at UTSI are your in-house experts to set your company on the path to continued operational success.
Are you ready to assess your company’s Critical Infrastructure for Vulnerabilities from threat actors and inefficiencies?
📲 Give us a call or email if you’re ready to take control of your Operational Technology and Critical Infrastructure. Looking forward to your no-obligation consultation.