Managing The Information Security Risks In The Age Of Connected Production Systems
Ravikiran possesses 20 years of rich experience in the Information Technology industry across Risk & Compliance, Managing IT Infrastructure, Application Support, Information Security, and Governance.
The proliferation of connected devices is well known and documented, with the potential of crossing 20 billion connected things by the time this article is written. The umbrella of connected devices spans virtually all industries, covering any imaginable use case. It is a bit of a surprise that this enormous growth of connected devices has come with minimal regulation, with devices supplying users with misleading information owing to their incorrect programming.
With the cybersecurity landscape turbulent, system owners are struggling to protect systems that were never intended to be connected. In addition, cybersecurity is focused more on IT than on Operational Technology (OT).
Convergence of IT & OT
No wonder the convergence of information technology (IT) and operational technology (OT) has become a business imperative. To better protect critical systems, IT and OT need to work together to harmonize processes, governance, systems and people. In fact, a robust cybersecurity program in an ICS environment must include people, process and technology.
Traditionally, IT and OT have been two separate units. OT is concentrated on the automation of machines, processes and systems inside a plant, and IT focuses on IT continuity and operations to support the business.
Business objectives that are not shared, physical and logical separation of systems, and employees with different roles lead to different approaches to, and tolerances of, risk in IT and OT.
Further to this, the following points are worth pondering: (i) growing business demand for real-time access to operational data and for enhanced productivity of industrial systems, (ii) to meet the real-time data requirement, newer OT infrastructure is built on IT-standard technologies, resulting in exposure to malware attacks, hacktivism, employee sabotage and other security risks that previously affected only corporate Information Technology (IT), (iii) as the lines between IT and Operational Technology (OT) are blurred, we need to provide appropriate access to control and production data while preventing cyber security events that could cause stoppages, security threats and interruptions, and (iv) many manufacturers still see strong resistance to bringing information and operational technologies together, with mistrust coming from both sides.
The objective of the use case is to provide real-time feedback on quality, with the aim of preventing defects from flowing out to subsequent processes. The traditional physical segregation between IT systems and OT systems has been replaced by an integrated approach.
IT & OT Alignment
By working together as a cross-functional unit, IT and OT can leverage common standards, risk and governance approaches. Built-in security points can be configured during system development, reducing potential enterprise risk and adequately protecting both sides of the enterprise systems. IT development should align with enterprise needs and ensure a compliance approach is factored in from the outset. This can help address a wide array of important questions, including each of the following:
Factors to be considered
Access Management: how is access controlled? Is it through domain/Active Directory or a separate workgroup?
Asset Management: are all production assets tracked, maintained and reconciled to financial records?
AntiVirus/Patch Management: is the number of assets in the asset register equivalent to the number of systems connected?
Entry Level Control: are the tools/systems coming into the company checked?
USB Access: is USB permission controlled? (Stuxnet is a powerful reminder of the damage these devices can do.)
Addressing the points below can form a potential strategy for harmonizing the two traditionally separate areas: (i) understand the concerns (like flat network issues, inefficient patch management, resource constraints, and independent mini data centers), (ii) evaluate and classify the risk of blending IT and OT (remember that risk is not static and that risk mitigation should be based on the classification of risks), (iii) consider major IIoT security viewpoints (like evaluating the differences between IT and OT, recognizing that security risks in OT are different from those in IT, and an improved focus on patching cycles), (iv) consider the devices: OT normally comprises the systems that handle monitoring and automation through SCADA systems attached to distributed control systems (DCS), programmable logic controllers (PLCs), remote terminal units (RTUs) and field devices, and it also needs a step-by-step approach towards asset management and visibility, and (v) consider the gateway (separation of IT and OT networks, and SOC and centralized monitoring).
There are many benefits to creating and supporting cross-functional teams. Both ICS and IT cyber security specialists bring valued and unique viewpoints to the table.