Why IT and OT Are Converging
The convergence of IT and operational technology is a relatively new trend within the manufacturing, chemical and utility industries. For years, these organizations kept such systems separate, complete with siloed personnel departments to manage them. Businesses kept their OT systems off the internet.
The dawn of cloud computing and Industry 4.0, which ushered in advancements like smart factories and the Internet of Things, has changed that. Today, connected devices and real-time data are vital to automate and inform factory and plant operations.
But it does create a raft of emerging cybersecurity challenges that such industries are struggling to catch up with. “Here’s the thing,” Ayala said. “A lot of people can’t handle the truth, but the fact is, threat actors are going to get in, and we need to get past that.”
To illustrate his point, Ayala showed a graphic displaying the major security incidents affecting companies within the manufacturing, chemical and utility industries. The number of incidents occurring since 2010 were at least triple the number that occurred during the first 10 years of the century. One reason is the advancing sophistication of hackers, but another is the growing digitalization of systems that had previously been “isolated, siloed islands,” Ayala said.
Today, “we’ve enabled remote access,” he says, and the pathways used by authorized parties to access applications can be compromised.
Three Steps Utilities Can Take to Thwart Cybercrime
What can businesses do? First, they can look at what’s networked and ask themselves, on a case-by-case basis, whether it really should be. While much of the connectedness of modern industry is necessary, Ayala argued, some of it isn’t.
“All of this connectedness has made us vulnerable,” Ayala said. “I’m not saying that connectivity is not good. I’m just saying that we have to use sense in deploying these things.” For example, in most industries, making life more convenient for employees is a critical differentiator in the competition for talent. But for, say, an electric utility, is it worth the risk to allow an engineer to log in from home?
In the utility industry and within other critical facilities, many pandemic-related work-from-home adaptations should probably be rolled back, he said: “We do a lot of things for convenience, and convenience is our biggest enemy.”
Another counterintuitive step for such businesses might be to eschew a certain degree of vendor standardization, he said. It may seem reasonable to have the same company’s cameras facilitywide, for example, but it makes life a bit easier for hackers, who appreciate a nice, easy horizontal attack surface.
Finally, security leaders on both the physical and IT sides must ensure implementation of the standards-based security protocols, such as the 62443 series of standards, produced jointly by the International Society of Automation and the International Electrotechnical Commission. The 62443 standards are themselves itself built on the broader National Institute of Standards and Technology’s Cybersecurity Framework, a critical guidebook for security professionals in every industry.