The 21st century is characterized as the time that initiated a technological boom, witnessed the pervasive rise of IT, and delivered information at our fingertips. This technological surge has ingrained itself in all walks of life, and the realm of physical industries is no stranger to it. From manufacturing plants to power grids, the integration of technology into industrial environments is now ubiquitous.

The ability to access information about applications, systems, and people seamlessly from anywhere and at any time is no longer a luxury but a necessity, driving industries to enhance visibility and productivity through digital means. The convergence of operational technology (OT) and information technology (IT) is no longer a concept for the future; it is happening now. Industry 4.0, the latest graduate from the industrial revolution class, is well and truly thriving. From machine automation to augmented reality, the future is here. The convergence of OT and IT provides benefits like direct control, real-time monitoring, and data analysis that result in greater operational efficiencies and improved decision-making.

But as control systems and OT networks evolve and more technology-based functions become part of processes to control and manage critical infrastructure, the cyber footprint of physical industries expands with it. This prompts an interesting question: With the physical and digital worlds colliding and intertwining, how do we approach cybersecurity in OT environments?

Although both OT and IT revolve around people, processes, and technology, the cybersecurity needs of both environments are vastly different, and so are the consequences of a breach. A cybersecurity breach in an OT environment can result in physical damage, loss of life, and environmental impact in addition to data theft and downtime that we often see in the world of IT. The security focus in OT centers around health, safety, and availability, while in IT the focus is mainly on confidentiality and data security.

The convergence of OT and IT, therefore, necessitates a comprehensive approach to cybersecurity. But let's first explore how OT came to be.

The evolution of OT

At the dawn of the industrial revolution, although machinery was used to operate critical infrastructure, there was a definite line between what was human and what was machine. But through the different phases of the industrial revolution, that line has blurred.

Industry 1.0 (late 18th century)
  • What: Transformation of the global economy from an agricultural and small handcraft-based economy to an industrial economy. The introduction of coal, steam, and water power revolutionized manufacturing processes, leading to mechanization for the first time.
  • Major innovations: This period witnessed groundbreaking innovations such as the steam engine, which played a pivotal role in powering factories and expanding transportation systems through waterway routes, as well as advancements in metal forging that enabled mass production and the development of new machinery.

Industry 2.0 (1870s)
  • What: Discovery and use of oil, gas, and electricity in manufacturing and transportation, the rise of chemically processed products, and improvements to communication.
  • Major innovations: Innovations such as the combustion engine revolutionised transportation, leading to the development of automobiles and airplanes, while products like toothpaste became common household items, reflecting advancements in chemical engineering and consumer goods.

Industry 3.0 (1960s)
  • What: Introduction of electronics and computers.
  • Major innovations: The development of programmable logic controllers (PLCs) significantly enhanced manufacturing efficiency and precision. The invention of computers allowed for the automation of complex tasks and data processing, laying the foundation for modern digital industries.

Industry 4.0 (early 21st century)
  • What: Internet, modern software, and the rise of automation.
  • Major innovations: Innovations such as augmented reality and the Internet of Things (IoT) have enabled unprecedented levels of connectivity and data exchange between devices and systems.

Today, technology and digital control systems have spread to every industry. Adding to the PLCs of Industry 3.0, the advent of Industry 4.0 has brought in industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and distributed control systems en masse, setting the stage for the convergence of IT and OT. Complex software algorithms, industrial internet networks, end-to-end automation requirements, and big data analytics integrate OT's real-time data with IT's automation, transparency, and analytical power. The improvements to productivity, real-time visibility, remote access, and the ability to predict maintenance have, understandably, been highly attractive to businesses.

For instance, water treatment plants can now monitor flow levels and control them remotely at any time. Thermodynamic changes in refineries are computed in real time, and necessary adjustments are implemented automatically. Power production in power grids and wind energy farms is optimised by predicting and reducing downtime in advance.

However, the convergence does not come without challenges, including cybersecurity threats, complex implementations due to the prevalence of legacy software in industries, and downtime during upgrades and patches.

Cybersecurity in OT environments and the availability factor

Historically, cybersecurity in OT environments was considered a non-factor due to the isolated nature of industrial OT from external networks. But as we grow into Industry 4.0 and embrace the convergence of IT and OT, has that approach changed over the years? Unfortunately, too slowly. According to the SANS 2023 ICS/OT Cybersecurity Survey, 69% of respondents viewed cybersecurity threats to ICS as severe/critical or high, yet only 56% stated that their organizations have a dedicated ICS/OT Incident Response Plan in place.

Adding to this, employees in sectors like manufacturing, petroleum, transportation, etc. are not as well-informed or trained as they need to be when it comes to cybersecurity. Further, cybersecurity solutions available in the market find it difficult to accommodate legacy software used in ICS and SCADA systems.

While industries are enticed by the benefits and impact of technology in their environments, their priority to implement cybersecurity measures has not been as robust. This has meant an increased frequency in cyberattacks since the 2010s in physical industries, and cybersecurity measures have usually been reactive and slow. While an IT breach could result in data theft, downtime, and reputational damage, breaches in OT environments can have larger physical consequences such as economic disruptions, environmental damage, and even physical injuries and loss of life.

In May 2021, the largest petroleum product pipeline system in the United States faced a ransomware attack from DarkSide, a cybercriminal group from Eastern Europe. The attack not only compromised the pipeline company's data and systems, but also led to localized fuel shortages in the southeast of the United States, prompting panic buying. However, it could have been worse. What if, instead of disrupting availability, DarkSide had traversed the pipeline's SCADA systems to change flow levels or alter thermodynamics with the intent to cause calamities? The consequences could have been far more devastating.

Similarly, in 2016, a cyberattack struck the Ukrainian power grid, causing power outages in the northern part of Kyiv. This attack directly targeted the OT systems of the power plant, where attackers gained unauthorized remote access to inflict damage on the grid. Both instances highlight the attackers' intent to cause outages, underscoring the critical importance of availability in OT environments.

Unlike in IT, where downtime primarily affects data access and business operations, disruptions in OT systems can halt critical industrial processes, leading to substantial physical, economic, and environmental repercussions. Industrial processes in sectors like manufacturing, energy, and chemical processing, among others, rely on the uninterrupted functioning of their OT systems. Downtime can disrupt processes mid-way, halt production lines, and result in significant losses for the industry. From a safety perspective, disruption and downtime to critical processes could mean hazardous material spills, damage to industrial equipment, environmental impact, and even explosions.

The importance of availability in OT environments highlights the need for a balanced, inclusive approach to cybersecurity. While cybersecurity staples such as comprehensive access management, robust intrusion detection systems, employee training, and security audits are crucial, they must be complemented by remediation strategies that minimize downtime during patching, system updates, and other maintenance activities. An outage or disruption of systems during these processes is often not an option, requiring carefully planned procedures that maintain operational continuity.

With these factors in mind, clearly any cybersecurity strategy for an OT environment requires a different thought process than that of an IT environment. But what can be done?

Mitigating cybersecurity challenges of OT environments

The distinct nature of OT environments, the focus on availability and continuity, the consequences of a potential breach, and the convergence with IT means that the cybersecurity measures needed to mitigate threats in an OT environment need a comprehensive, all-encompassing strategy. Further, different industries and environments have their own unique cybersecurity needs.

Let's explore some key measures that can be put in place:

01. Network segmentation

The interconnected nature of modern industrial networks and the IT-OT convergence means that even a single breach can have catastrophic consequences.

Network segmentation refers to dividing a network into smaller fragments. It is an effective way to reduce the attack surface by ensuring that your networks are split not just between OT and IT but also between different processes. By doing this, you can limit an attack on one vertical from spreading across the network. This can be achieved by identifying sensitive processes and systems and isolating them from less secure parts of the network, including through the use of a demilitarized zone (DMZ) between IT and OT.

Segmentation also helps administrators gain improved visibility and implement fine-grained controls and security policies specific to different segments of the network.
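The zone-and-conduit model described above can be expressed as a default-deny policy and checked against observed flows. The following is an added example, not code from the article: it assumes a constructed zone layout (enterprise IT, a DMZ, a supervisory SCADA/HMI zone and a control/PLC zone, with illustrative 10.x addresses), an explicit allow-list of conduits, and a small constructed sample of flows. A flow that goes straight from the enterprise zone into the supervisory or control zone is tagged as a DMZ bypass so it stands out in the audit output.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout for a segmented plant network (addresses are
# illustrative, not taken from the article): business IT, a DMZ, the
# supervisory (SCADA/HMI) zone and the control (PLC) zone.
ZONES = {
    "enterprise":  ipaddress.ip_network("10.10.0.0/16"),
    "dmz":         ipaddress.ip_network("10.20.0.0/24"),
    "supervisory": ipaddress.ip_network("10.30.0.0/24"),
    "control":     ipaddress.ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    purpose: str  # why the conduit exists; documenting it keeps the list honest


# Explicit allow-list of conduits between zones. Business systems only ever
# talk to the DMZ; the DMZ talks to the supervisory zone; only the
# supervisory zone talks to PLCs. Everything else is denied by default.
RULES = [
    Rule("enterprise", "dmz", "tcp", 443, "business apps read the DMZ historian replica"),
    Rule("dmz", "supervisory", "tcp", 5432, "DMZ historian replicates from the SCADA historian"),
    Rule("supervisory", "control", "tcp", 502, "SCADA polls and writes PLCs over Modbus/TCP"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int):
    """Return ('allow' | 'deny', reason) for one flow under the zone policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return "deny", f"unclassified address in flow ({src} -> {dst})"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}"
    for r in RULES:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto.lower(), port):
            return "allow", r.purpose
    return "deny", f"no conduit for {src} -> {dst} {proto}/{port}"


def audit(flows):
    """Evaluate observed flows and return the ones the policy would block.

    Each entry is (flow, reason). A flow that skips the DMZ (enterprise
    straight into supervisory or control) is tagged so it stands out.
    """
    blocked = []
    for src_ip, dst_ip, proto, port in flows:
        verdict, reason = evaluate(src_ip, dst_ip, proto, port)
        if verdict == "deny":
            src, dst = zone_of(src_ip), zone_of(dst_ip)
            if src == "enterprise" and dst in ("supervisory", "control"):
                reason = "DMZ bypass: " + reason
            blocked.append(((src_ip, dst_ip, proto, port), reason))
    return blocked


# Constructed sample of flows as a firewall or NetFlow export might report them.
SAMPLE_FLOWS = [
    ("10.10.5.7",  "10.20.0.10", "tcp", 443),   # laptop -> DMZ historian: allowed
    ("10.20.0.10", "10.30.0.5",  "tcp", 5432),  # DMZ -> SCADA historian: allowed
    ("10.30.0.20", "10.40.0.12", "tcp", 502),   # HMI -> PLC over Modbus: allowed
    ("10.10.5.7",  "10.40.0.12", "tcp", 502),   # laptop -> PLC directly: DMZ bypass
    ("10.20.0.10", "10.40.0.12", "tcp", 502),   # DMZ host -> PLC: no conduit
    ("192.0.2.9",  "10.30.0.5",  "tcp", 22),    # unclassified source address
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("BLOCK", flow, "-", reason)
```

Running the audit against a flow export from the real network is a quick way to find conduits that exist in practice but not on paper; every blocked line is either a misconfiguration to fix or a conduit to document with a purpose and add to the allow-list deliberately.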

 

02. Comprehensive identity and access management (IAM) strategy

According to Verizon's Data Breach Investigations Report 2024, 74% of all breaches involve the human element. This could be through social engineering attacks, privilege misuse, misplaced credentials, or simply manual error. A breach involving a privileged credential of an IT administrator, process engineer, or systems manager could mean that the attacker gains access to critical SCADA systems or traverses the network to disrupt key parts of the environment, as seen in the Florida water treatment plant incident and the Colonial Pipeline breach.

Further, breaches caused by phishing and stolen or compromised credentials were ranked among the top four costliest incident types, costing an average of USD 4.76 million and USD 4.62 million respectively. Therefore, the need for a comprehensive access management strategy in OT environments is evident, but how do organizations go about it?

Organizations need to adopt a comprehensive IAM strategy and implement solutions that help them gain a holistic view of all identities and privileges, prevent unauthorized access, monitor remote access in real time, enforce the principle of least privilege, and ensure their legacy systems and software can also be managed.

Some of these controls could include:

  • Setting up robust role- and policy-based access controls
  • MFA for remote access and login
  • Using encrypted channels for secure access
  • Managing all sensitive identities and privileges using a privileged access management solution
  • Provisioning time-limited access based on approvals without revealing credentials
  • Real-time monitoring of remote sessions
  • Maintaining comprehensive audits and reports of all remote actions
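Several of the controls listed above (MFA on login, approval-based and time-limited access, no credential disclosure, least privilege by role, and an audit trail of every action) can be seen working together in one small access broker. The following is an added example, not the article's code or any vendor's product: it assumes a constructed role model, a hypothetical `connector` hook that stands in for an SSH/RDP/protocol gateway, and an injectable clock so expiry can be tested. The user only ever receives an opaque token; the broker holds the target credential and performs the action on the user's behalf.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed role model: which actions each role may request (assumed, not from the article).
ROLE_ACTIONS = {
    "process_engineer": {"hmi:view", "plc:setpoint"},
    "it_admin": {"server:login"},
}


@dataclass
class Grant:
    user: str
    target: str
    action: str
    approved_by: str
    expires_at: float
    revoked: bool = False


class AccessBroker:
    """Issues short-lived, approved grants and performs actions on the user's
    behalf so the stored credential is never handed out.

    `connector(target, credential, action, payload)` is a hypothetical hook
    standing in for a real gateway; `clock` is injectable for testing.
    """

    def __init__(self, connector, clock=time.time):
        self._connector = connector
        self._clock = clock
        self._vault = {}    # target -> credential, readable only by the broker
        self._grants = {}   # opaque token -> Grant
        self.audit = []     # append-only record of every decision and action

    def _log(self, event, **fields):
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    def store_credential(self, target, credential):
        self._vault[target] = credential

    def request_access(self, user, role, target, action, *, mfa_verified, approved_by, ttl_seconds):
        """Return an opaque token, or None with the denial reason written to the audit log."""
        reason = None
        if not mfa_verified:
            reason = "mfa required"
        elif approved_by == user:
            reason = "self-approval not allowed"
        elif action not in ROLE_ACTIONS.get(role, set()):
            reason = f"role {role} may not {action}"      # least privilege by role
        elif target not in self._vault:
            reason = "unknown target"
        if reason:
            self._log("denied", user=user, target=target, action=action, reason=reason)
            return None
        token = secrets.token_urlsafe(24)
        self._grants[token] = Grant(user, target, action, approved_by, self._clock() + ttl_seconds)
        self._log("granted", user=user, target=target, action=action, approved_by=approved_by)
        return token

    def perform(self, token, action, payload=None):
        """Run `action` through the connector if the grant is live and matches it."""
        grant = self._grants.get(token)
        if (grant is None or grant.revoked or self._clock() >= grant.expires_at
                or grant.action != action):
            self._log("refused", token=token[:6] if isinstance(token, str) else None, action=action)
            return None
        # The credential goes from the vault to the gateway; the caller never sees it.
        result = self._connector(grant.target, self._vault[grant.target], action, payload)
        self._log("performed", user=grant.user, target=grant.target, action=action, payload=payload)
        return result

    def revoke(self, token):
        grant = self._grants.get(token)
        if grant is not None:
            grant.revoked = True
            self._log("revoked", user=grant.user, target=grant.target)


def fake_gateway(target, credential, action, payload):
    """Constructed stand-in for the real gateway; only shows the credential reached it."""
    return f"{action} on {target} as {credential['username']} payload={payload}"


if __name__ == "__main__":
    broker = AccessBroker(fake_gateway)
    broker.store_credential("plc-07", {"username": "eng_svc", "password": "constructed-secret"})
    tok = broker.request_access("alice", "process_engineer", "plc-07", "plc:setpoint",
                                mfa_verified=True, approved_by="bob", ttl_seconds=600)
    print(broker.perform(tok, "plc:setpoint", payload={"tag": "FIC-101", "value": 42}))
    for event in broker.audit:
        print(event)
```

The audit list is what a session-monitoring or reporting feature would consume: every denial carries its reason, every performed action carries the user, target and payload, and a refused call on an expired or revoked token is recorded rather than silently dropped.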

 

03. Organization-wide health checks and risk assessment

Organization-wide health checks help identify security loopholes and areas of improvement in your industrial network and help you comply with industry regulations.

This could involve several actions, including:

  • Conducting regular reviews of privileges shared with employees across the organization and removing excess/standing privileges
  • Ensuring OT and IT software are updated to the required versions
  • Confirming that cybersecurity solutions are implemented for all ICS and SCADA systems
  • Making sure third-party vendor provisions follow security guidelines
  • Performing periodic penetration testing of critical systems
  • Implementing regular password resets
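Most of the checks in the list above can be run automatically against an asset inventory and a privilege register, leaving only penetration testing as a manual exercise. The following is an added example, not the article's code: it assumes constructed inventory and privilege data, constructed policy thresholds (90 days of non-use marks a standing privilege, vendor accounts must have MFA, passwords older than 365 days are stale) and a fixed reference date so the sample is reproducible. A legacy controller that cannot take an endpoint agent is reported separately, as a compensating-control check rather than a missing-agent failure.

```python
from datetime import date

# Constructed policy thresholds for the checks below (assumed, not from the article).
STANDING_PRIVILEGE_DAYS = 90      # a privilege unused this long is standing access to remove
PASSWORD_MAX_AGE_DAYS = 365       # passwords older than this must be rotated
REQUIRED_VERSIONS = {"hmi-runtime": "4.12.0", "historian": "2.8.3", "edr-agent": "7.1.0"}
TODAY = date(2024, 6, 1)          # fixed reference date so the sample is reproducible

# Constructed asset inventory: host, zone, installed software and versions.
ASSETS = [
    {"host": "hmi-01",    "zone": "supervisory", "software": {"hmi-runtime": "4.12.0", "edr-agent": "7.1.0"}},
    {"host": "hist-01",   "zone": "dmz",         "software": {"historian": "2.7.9", "edr-agent": "7.1.0"}},
    {"host": "plc-07",    "zone": "control",     "software": {}},   # legacy PLC: no agent can be installed
    {"host": "eng-ws-03", "zone": "supervisory", "software": {"hmi-runtime": "4.10.2"}},
]

# Constructed privilege register as an IAM/PAM export might look.
PRIVILEGES = [
    {"account": "alice",       "kind": "employee", "privilege": "plc:write",    "last_used": date(2024, 5, 28), "mfa": True,  "password_set": date(2024, 3, 1)},
    {"account": "bob",         "kind": "employee", "privilege": "domain-admin", "last_used": date(2023, 11, 2), "mfa": True,  "password_set": date(2024, 1, 10)},
    {"account": "vendor-acme", "kind": "vendor",   "privilege": "remote-maint", "last_used": date(2024, 5, 30), "mfa": False, "password_set": date(2024, 4, 1)},
    {"account": "svc-hist",    "kind": "service",  "privilege": "db:admin",     "last_used": date(2024, 5, 31), "mfa": False, "password_set": date(2023, 1, 15)},
]


def parse_version(v):
    """'4.10.2' -> (4, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def finding(severity, check, subject, detail):
    return {"severity": severity, "check": check, "subject": subject, "detail": detail}


def check_software(assets=ASSETS, required=REQUIRED_VERSIONS):
    """Flag software below the required version and hosts without endpoint coverage."""
    out = []
    for a in assets:
        sw = a["software"]
        for name, have in sw.items():
            need = required.get(name)
            if need and parse_version(have) < parse_version(need):
                out.append(finding("high", "outdated-software", a["host"], f"{name} {have} is below required {need}"))
        if "edr-agent" not in sw:
            if a["zone"] == "control":
                # Legacy controllers often cannot take an agent; record it so that a
                # compensating control (network monitoring, segmentation) is verified.
                out.append(finding("medium", "legacy-no-agent", a["host"],
                                   "no endpoint agent possible; confirm network-level monitoring covers it"))
            else:
                out.append(finding("high", "missing-agent", a["host"], "endpoint agent not installed"))
    return out


def check_privileges(privileges=PRIVILEGES, today=TODAY):
    """Flag standing privileges, vendor access without MFA and stale passwords."""
    out = []
    for p in privileges:
        idle_days = (today - p["last_used"]).days
        if idle_days > STANDING_PRIVILEGE_DAYS:
            out.append(finding("high", "standing-privilege", p["account"],
                               f"{p['privilege']} unused for {idle_days} days; convert to just-in-time access"))
        if p["kind"] == "vendor" and not p["mfa"]:
            out.append(finding("high", "vendor-no-mfa", p["account"], "third-party remote access without MFA"))
        pw_age = (today - p["password_set"]).days
        if pw_age > PASSWORD_MAX_AGE_DAYS:
            out.append(finding("medium", "stale-password", p["account"], f"password is {pw_age} days old"))
    return out


def run_health_check():
    """Run every check and return the findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(check_software() + check_privileges(), key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in run_health_check():
        print(f"[{f['severity']:6}] {f['check']:18} {f['subject']:12} {f['detail']}")
```

Each finding names a check, a subject and the concrete detail, which is the form an auditor or a ticketing integration needs; the version comparison is done on integer tuples because comparing "4.10.2" and "4.9.0" as strings gives the wrong answer.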

 

04. Real-time threat detection

IBM's Cost of Data Breach Report recently indicated that it takes roughly 241 days for an organization to detect a breach if they identify it themselves and 320 days if the attack was disclosed by an attacker.

This is especially concerning in OT environments where the sensitivity of a breach can be severe and where every second can have wide-ranging physical, financial, and environmental consequences. Therefore, it is vital that organizations have real-time threat detection methods to identify possible breaches when they occur so that appropriate mitigation measures can be implemented.

A threat detection and mitigation strategy needs to account for the growing threat vectors in Industry 4.0. Ideally, the strategy should include:

  • Intrusion detection systems (IDS) and intrusion prevention systems (IPS) to help detect and stop incoming threats
  • A comprehensive identity and access management solution to protect identities and manage access across the industry
  • A privileged access management solution to safeguard sensitive resources and credentials
  • Network-based IDS (NIDS) and network-based IPS (NIPS) to monitor network traffic and stop threats from hostile networks
  • Host-based IDS (HIDS) and host-based IPS (HIPS) to keep an eye on and protect individual devices
  • Endpoint security solutions to protect every server, workstation, and endpoint
  • Network traffic analysis and operations management solutions to watch out for anomalies in the flow of network traffic
  • A SIEM solution to analyze log data from across the network and provide smart insights on user behavior and more

 

Organizations should ensure that their cybersecurity armor functions as one and not in silos, so that different solutions communicate with each other and the administrators gain a holistic picture of threats in real time.
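The point that the detection stack must work as one rather than in silos can be shown concretely: a login event from the remote-access gateway only becomes meaningful when it is joined with what the network sensor later sees from the address that session was assigned. The following is an added example, not the article's code or any SIEM product's logic. It assumes a constructed log format (syslog-like lines with `key=value` fields from a `vpn` source and a `nids` source), a constructed allow-list of HMI hosts permitted to write to PLCs, and constructed thresholds (five failed logins within two minutes, a maintenance window of 08:00 to 17:00). Two rules run over the sample: a brute-force-then-success rule on the authentication log, and a PLC-write rule on the Modbus log that is enriched with the VPN user behind the writing address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed thresholds and allow-lists (assumed, not from the article).
WRITE_ALLOWLIST = {"10.30.0.20", "10.30.0.21"}   # engineering HMIs allowed to write to PLCs
MODBUS_WRITE_FCS = {5, 6, 15, 16}                # Modbus function codes that write coils/registers
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=2)
MAINTENANCE_HOURS = range(8, 17)                 # writes outside this window deserve a second look

# Constructed line shape: "<ISO timestamp> <source> <event> k=v k=v ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) (?P<rest>.*)$")


def parse(line):
    """Turn one log line into a dict, or None if it does not match the shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "source": m["source"], "event": m["event"]}
    for kv in m["rest"].split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


class Correlator:
    """Keeps just enough state to join VPN sessions with later network events."""

    def __init__(self):
        self.failures = defaultdict(deque)  # (user, src) -> recent failed-login timestamps
        self.sessions = {}                  # assigned inner address -> (user, login time)
        self.alerts = []

    def feed(self, rec):
        if rec["source"] == "vpn" and rec["event"] == "auth":
            self._auth(rec)
        elif rec["source"] == "nids" and rec["event"] == "modbus":
            self._modbus(rec)

    def _auth(self, rec):
        q = self.failures[(rec["user"], rec["src"])]
        while q and rec["ts"] - q[0] > BRUTE_FORCE_WINDOW:   # drop failures outside the window
            q.popleft()
        if rec["result"] == "FAIL":
            q.append(rec["ts"])
            return
        if len(q) >= BRUTE_FORCE_THRESHOLD:                  # success after a burst of failures
            self.alerts.append({"rule": "brute-force-then-success", "severity": "high",
                                "user": rec["user"], "src": rec["src"],
                                "failures": len(q), "ts": rec["ts"]})
        q.clear()
        if "assigned" in rec:                                # remember who sits behind the inner address
            self.sessions[rec["assigned"]] = (rec["user"], rec["ts"])

    def _modbus(self, rec):
        fc = int(rec["fc"])
        if fc not in MODBUS_WRITE_FCS or rec["src"] in WRITE_ALLOWLIST:
            return
        alert = {"rule": "plc-write-from-unauthorized-host", "severity": "critical",
                 "src": rec["src"], "dst": rec["dst"], "fc": fc, "ts": rec["ts"],
                 "outside_maintenance_window": rec["ts"].hour not in MAINTENANCE_HOURS}
        session = self.sessions.get(rec["src"])
        if session:                                          # enrichment from the VPN log
            alert["user"], alert["via"] = session[0], "vpn"
        self.alerts.append(alert)


def analyze(lines):
    """Run every rule over the lines (assumed to arrive in time order) and return the alerts."""
    c = Correlator()
    for line in lines:
        rec = parse(line)
        if rec:
            c.feed(rec)
    return c.alerts


# Constructed sample log: normal HMI traffic, then a burst of failed VPN logins
# that finally succeeds, followed by a register write from the VPN-assigned address.
SAMPLE_LOG = """\
2024-06-01T02:10:00Z nids modbus src=10.30.0.20 dst=10.40.0.12 fc=3 reg=40001
2024-06-01T02:12:30Z nids modbus src=10.30.0.20 dst=10.40.0.12 fc=16 reg=40010
2024-06-01T02:14:05Z vpn auth user=contractor1 src=203.0.113.5 result=FAIL
2024-06-01T02:14:12Z vpn auth user=contractor1 src=203.0.113.5 result=FAIL
2024-06-01T02:14:19Z vpn auth user=contractor1 src=203.0.113.5 result=FAIL
2024-06-01T02:14:26Z vpn auth user=contractor1 src=203.0.113.5 result=FAIL
2024-06-01T02:14:33Z vpn auth user=contractor1 src=203.0.113.5 result=FAIL
2024-06-01T02:14:40Z vpn auth user=contractor1 src=203.0.113.5 result=OK assigned=10.10.9.50
2024-06-01T02:16:02Z nids modbus src=10.10.9.50 dst=10.40.0.12 fc=16 reg=40010
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Neither rule on its own tells the whole story: the authentication log shows a suspicious login, the network sensor shows an unexpected write, and only the join between them turns two medium-confidence signals into one alert that names the account, the session and the controller at the same time.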

 

05. Comprehensive training and awareness programs

Given the recent influx of technology and the complicated nature of OT-IT systems, it is imperative that all employees are given comprehensive security training. This encompasses risk awareness, emergency procedures, and adherence to safety protocols. Such training ensures that personnel are not only cognizant of potential risks but are also equipped to respond quickly and efficiently in emergencies.

The training programs could include courses, workshops, collaborative learning, simulations, and so on to help employees be vigilant and effective partners in helping maintain the cybersecurity posture of the environment.

Don't be your own enemy

Although the cybersecurity needs of OT environments are constantly evolving in Industry 4.0, the first step towards tackling them has to come from organizations embracing the need for a cybersecurity strategy. In 2021, approximately 90% of manufacturing organizations had their production or energy supply hit by some form of cyberattack, and yet the adoption numbers for a comprehensive cybersecurity strategy remain below 40%.

Tackling the cybersecurity needs of OT environments poses the unique challenges of protecting legacy systems, substantially higher implementation costs, prioritizing availability and zero downtime over other factors, factoring in the OT-IT convergence, and the devastating physical consequences that could occur in case of a breach. Therefore, when implementing a cybersecurity strategy, organizations need to ensure that it checks all the boxes to address these challenges, and that the solutions they implement provide complete visibility and coverage for all of their systems. As with IT security, cybersecurity in OT is a continuous process. Vital aspects, including regular health checks as well as employee training, cannot be neglected. Remember, 74% of all breaches involve the human element.

As we see more of technology's imprint in OT environments in the coming years, let's hope OT organizations embrace cybersecurity rapidly and implement comprehensive strategies to tackle the needs unique to their industry and processes. Cybersecurity solution providers must also rise to the occasion, providing solutions that cater specifically to the complexities of OT environments, including the management of legacy systems.

About the author

Fazil has been in the enterprise IT space for 6 years now as a product marketer and analyst. He has been involved in multiple thought leadership and user education programs in the space of cybersecurity. His specializations lie in identity security and access governance.
