With its far-flung physical assets and supervisory control and data acquisition (SCADA) systems, the energy industry has a long history of connecting operational technology (OT) with IT. It makes sense that energy companies and utilities have been among the organizations aggressively seeking ways to implement Internet of Things (IoT) solutions.
The critical infrastructure assets managed by energy companies and utilities also make them a high-value target for cyberattackers. However, many organizations struggle to protect these assets. In an April 2019 report, cybersecurity solutions provider Fortinet notes that 77 percent of organizations that operate IoT technology have experienced a malware intrusion in the past year, and 78 percent do not have full visibility into the cybersecurity of their OT environments.
The security challenge that energy companies and utilities face is heightened by the need to maintain the performance of their linked OT and IT systems. In many cases, security efforts can slow down connected devices and systems, reducing the benefits of these connections. In a recent webinar hosted by Fortinet, cybersecurity experts discussed the importance of balancing OT modernization and cybersecurity. They suggested best practices, such as multifactor authentication, role-based access control and network segmentation, to protect connected systems. Integrating these capabilities further enhances their effectiveness without hampering performance.
The Disappearance of the ‘OT Air Gap’
“The air gap that previously existed between OT systems and the IT network that would protect [against] some of the cyberthreats that exist today has evaporated,” Patrick Spencer, senior director of content and customer marketing for Fortinet, said during the webinar.
Spencer further noted that, according to Fortinet research, 80 percent of organizations are adopting new technologies faster than their ability to secure them against attack, and 97 percent of organizations acknowledge security challenges due to the convergence of OT and IT.
Brett Young, a principal consultant for Capgemini, said that numerous mergers and acquisitions in the industry have exacerbated this problem, making it more difficult for cybersecurity administrators to have full visibility into how different systems are being protected.
“When I get to a customer, if they have 100 different facilities, that landscape is very varied — one set of firewalls here, one different type of production there,” Young said. “The really big challenge right now is for everybody to get their arms around what they’ve got in the way of inventory and processes, because that is adding another level of complexity to solving the bigger problem.”
Spencer noted that attackers seeking to leverage the convergence of OT and IT may be interested in more than merely causing power outages. Some, he said, could even launch attacks aimed at physically harming employees.
Best Practices for Securing Converged Environments
Spencer reported that Fortinet research has uncovered common traits and behaviors of “top-tier OT security” organizations. These behaviors tend to focus on implementing fundamental security building blocks, and then integrating these disparate pieces to create a robust security environment.
Top-tier OT security organizations, according to Fortinet research, are:
- 100 percent more likely to implement multifactor authentication
- 94 percent more likely to use role-based access controls
- 68 percent more likely to manage and monitor security events and perform event analysis
- 51 percent more likely to use network segmentation
- 46 percent more likely to schedule security compliance reviews
“Integration enables a single product, or really a platform, to be able to service the security needs of several different elements of the solution,” said Peter Newton, senior director for product marketing at Fortinet. “So, something that would enable a role-based access system to be able to share information with a network segmentation system. And then, that enables automated response, which of course reduces the workload on cybersecurity staff, and enhances the ability of that cybersecurity team to keep up with changing threats.”
This type of integration, Newton said, addresses a number of the security challenges created by the convergence of OT and IT systems. “Integration … we see it as the best solution for the issues around visibility, around complexity and around a critical cybersecurity workplace shortage, to deliver cybersecurity within those constraints,” he said.