Not all that long ago, the cybersecurity strategy for most operational technology was simple: Keep the assets isolated from the IT network and keep them off the internet.
But as industries such as manufacturing and energy and utilities embrace digital transformation, it is becoming harder and harder to compete while keeping OT — especially supervisory control and data acquisition (SCADA) systems — siloed. And while converged IT-OT networks deliver an array of business benefits, they also challenge technology leaders with new complexities, including increased cybersecurity risks and costly compliance efforts.
“Five or six years ago, upper management in these organizations started demanding more visibility into their SCADA networks,” says Pedro Serrano, a senior security architect at CDW. “Well, guess what? The moment you introduce that visibility, now you’re connected to the world, and you have to address security in a whole new way.”
Modern SCADA Systems Are Exposed to Cybercriminals
For energy and utility companies, securing operational technology was “more about restricting physical access to the environment,” says Carlos M. González, research manager of Internet of Things ecosystems and trends for IDC, because “network connectivity for OT was pretty minimal.”
That’s changed, González says: “Companies are realizing they need better insight into their OT networks to be more flexible, to manage resources, to reduce downtime and to keep up with demand. As a result, they’re now connecting OT devices to IT networks, and often they’re pushing things through that aren’t ready in terms of security.”
Having SCADA networks connected to the outside world presents obvious risks, including ransomware, malware and potential hacks by hostile actors looking to cause chaos. Here are some of the most important tactics that organizations can use to address the risk of IT-OT convergence:
Asset inventory and security assessments. “The No. 1 thing companies need to do is to create an accurate database of all the assets connected to their networks,” González says. “People are constantly surprised when they conduct an inventory and realize they have more devices connected than they thought.” In addition to asset inventories, organizations should consider gap analyses, vulnerability assessments and penetration testing to uncover weaknesses in their defenses and prioritize mitigation steps.
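The inventory step above is where most organizations discover devices they did not know about. As an added illustration (not code from the article, CDW or IDC), the script below reconciles a constructed asset database against constructed records from a passive network sensor and reports three things a reviewer would act on: devices on the wire that no inventory entry claims, inventory entries that were never observed, and known devices appearing with an address other than the one on record. The record format, subnets and MAC addresses are all assumptions made for this example.

```python
"""Reconcile a SCADA asset inventory against passively observed devices.

Added illustration: the inventory and the observation log below are constructed
sample data, not output from any real network. A passive sensor that records
which MAC/IP pairs talk on the OT segment is assumed; the record format is an
assumption made for this example.
"""
from collections import defaultdict

# Constructed inventory: what the organization believes is on the OT network.
INVENTORY = [
    {"mac": "00:1d:9c:aa:01:01", "ip": "10.20.1.10", "role": "SCADA server"},
    {"mac": "00:1d:9c:aa:01:02", "ip": "10.20.1.11", "role": "historian"},
    {"mac": "00:80:f4:bb:02:01", "ip": "10.20.2.21", "role": "PLC line 1"},
    {"mac": "00:80:f4:bb:02:02", "ip": "10.20.2.22", "role": "PLC line 2"},
]

# Constructed passive-sensor records (one line per observed conversation).
OBSERVATIONS = """\
2024-05-01T08:00:01 src_mac=00:1d:9c:aa:01:01 src_ip=10.20.1.10 dst_ip=10.20.2.21 proto=modbus
2024-05-01T08:00:02 src_mac=00:80:f4:bb:02:01 src_ip=10.20.2.21 dst_ip=10.20.1.10 proto=modbus
2024-05-01T08:00:05 src_mac=00:1d:9c:aa:01:02 src_ip=10.20.1.11 dst_ip=10.20.1.10 proto=tcp
2024-05-01T08:01:10 src_mac=3c:22:fb:cc:03:07 src_ip=10.20.2.40 dst_ip=10.20.2.21 proto=modbus
2024-05-01T08:02:00 src_mac=00:80:f4:bb:02:01 src_ip=10.20.2.99 dst_ip=10.20.1.10 proto=modbus
"""


def parse_observations(text):
    """Parse the key=value fields of each record into a dict (timestamp dropped)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        records.append(fields)
    return records


def reconcile(inventory, observations):
    """Compare observed (mac, ip) pairs with the inventory.

    Returns three findings:
      unknown  - MACs seen on the wire that no inventory entry claims
      unseen   - inventory entries that never appeared in the observation window
      ip_drift - known MACs observed with an IP other than the one on record
    """
    by_mac = {entry["mac"]: entry for entry in inventory}
    seen_ips = defaultdict(set)
    for rec in observations:
        seen_ips[rec["src_mac"]].add(rec["src_ip"])

    unknown = sorted(mac for mac in seen_ips if mac not in by_mac)
    unseen = sorted(mac for mac in by_mac if mac not in seen_ips)
    ip_drift = {}
    for mac, ips in seen_ips.items():
        if mac in by_mac:
            extra = sorted(ips - {by_mac[mac]["ip"]})
            if extra:
                ip_drift[mac] = extra
    return {"unknown": unknown, "unseen": unseen, "ip_drift": ip_drift}


def run_report():
    """Print and return the reconciliation findings for the sample data."""
    findings = reconcile(INVENTORY, parse_observations(OBSERVATIONS))
    for kind, items in findings.items():
        print(f"{kind}: {items}")
    return findings


if __name__ == "__main__":
    run_report()
```

On the sample data the report flags one unknown device talking Modbus to a PLC, one PLC that never appeared (possibly decommissioned, possibly on a segment the sensor cannot see), and one PLC whose MAC showed up with an unexpected address. Each of those is a question for the asset owner rather than an automatic verdict, which is why the script returns findings instead of taking action.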
Multilayered security measures. No single solution will be able to shore up all of an organization’s SCADA security gaps. Instead, IT and OT leaders should work together to develop a multilayered security strategy that includes tools such as firewalls, intrusion detection and prevention systems, and endpoint security solutions. It is also important to adopt security analytics and monitoring tools that will help organizations gather real-time insights and spot potential intrusions before attacks have a chance to spread throughout an environment.
Network segmentation. The convergence of OT and IT doesn’t have to mean that every device within an organization lives on one open network where, for instance, every smartphone or laptop can communicate directly with every oil pump or factory sensor. Instead, organizations should break up their networks into logical segments based on function and sensitivity.
Effective segmentation results in a more secure network architecture that helps limit the spread of malicious behavior. “Too often, SCADA system components are essentially left out in the open,” Serrano says. A properly segmented environment might have separate networks for host servers and switches, SCADA systems, operator workstations and controllers.
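Segmentation only limits spread if the allowed paths between segments are written down and checked. As an added illustration (not code from the article or CDW), the script below encodes the kind of zone layout Serrano describes, with separate segments for SCADA servers, operator workstations and controllers plus a corporate zone, as an explicit allow-list of cross-zone flows, and audits a set of constructed flow records against it. The zone names, subnets, ports and sample flows are assumptions made for this example; a real policy would come from the site's own architecture.

```python
"""Check observed flows against a zone-based OT segmentation policy.

Added illustration, not part of the original article. The zones, subnets,
allowed flows and sample flow records below are constructed for the example.
"""
import ipaddress

# Constructed zone map: each segment has its own subnet (assumption).
ZONES = {
    "corporate":   ipaddress.ip_network("10.10.0.0/16"),
    "operator_ws": ipaddress.ip_network("10.20.3.0/24"),
    "scada":       ipaddress.ip_network("10.20.1.0/24"),
    "controllers": ipaddress.ip_network("10.20.2.0/24"),
}

# Constructed allow-list: (source zone, destination zone) -> permitted TCP ports.
# Cross-zone traffic not listed here is denied, so a corporate laptop cannot
# reach a controller and a workstation must go through the SCADA server.
ALLOWED = {
    ("operator_ws", "scada"): {443},   # HMI sessions to the SCADA server
    ("scada", "controllers"): {502},   # Modbus/TCP polling of the PLCs
    ("controllers", "scada"): {502},   # replies and alarms back to the server
}


def zone_of(ip):
    """Return the zone name for an address, or 'unknown' if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip, dst_ip, port):
    """Flows inside one zone are allowed; cross-zone flows need an explicit rule."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return False
    if src == dst:
        return True
    return port in ALLOWED.get((src, dst), set())


# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.20.3.15", "10.20.1.10", 443),   # operator workstation -> SCADA server
    ("10.20.1.10", "10.20.2.21", 502),   # SCADA server -> PLC
    ("10.10.5.77", "10.20.2.21", 502),   # corporate laptop -> PLC (violation)
    ("10.20.3.15", "10.20.2.22", 502),   # workstation bypassing the server (violation)
    ("10.20.1.10", "10.20.1.11", 5432),  # server -> historian inside the SCADA zone
    ("192.168.9.9", "10.20.1.10", 443),  # address outside any defined zone (violation)
]


def audit(flows):
    """Return the flows that violate the policy, tagged with the zones involved."""
    violations = []
    for src_ip, dst_ip, port in flows:
        if not is_allowed(src_ip, dst_ip, port):
            violations.append((zone_of(src_ip), zone_of(dst_ip), src_ip, dst_ip, port))
    return violations


if __name__ == "__main__":
    for v in audit(FLOWS):
        print("DENY", v)
```

The same policy table can be run against firewall or flow logs on a schedule, so that a new path between zones (a vendor laptop plugged into the controller segment, a workstation polling a PLC directly) surfaces as a finding rather than staying invisible until an incident.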
Patching and updating. “Many SCADA networks are legacy systems that were designed to run for years on end, doing the same thing over and over again without being updated,” Serrano says. “But now that these assets are networked, it’s important for organizations to keep up with their patching.” Automated patching solutions can be especially effective, as they do not rely on (often overburdened) human workers to remember to set aside time to perform what is usually a routine, mundane task.
Employee training and awareness. González calls people the “biggest question mark” when it comes to IT security. Even if an organization never has to deal with a threat from a malicious insider, he says, untrained employees can make mistakes that open up significant security gaps.
“There’s still a lot of human involvement when it comes to cybersecurity in OT,” he says. “Let’s say that a person with access to an industrial control system clicks on a phishing email. All of a sudden, you have malware in your OT environment.” Rigorous training programs can teach employees to sniff out and report suspicious activity.
Incident response planning. Cybersecurity professionals live by the mantra “it’s not if but when.” No matter how robust a company’s security tools are, and no matter how vigilant IT and OT leaders remain, attacks can still get through an organization’s defenses and threaten SCADA systems.
When SCADA systems are breached, the consequences can range from halted assembly lines to electrical blackouts to contaminated water supplies, so response time is a critical factor. That’s why it’s so important to have a tailored incident response plan for converged IT-OT environments. It’s also vital to regularly test incident response plans and update them over time in response to changing threats and system architecture.
Third-party partnerships. Tackling the cybersecurity implications of IT-OT convergence can feel overwhelming, especially for staff who lack expertise in building defenses for such environments. And many organizations struggle to attract affordable cybersecurity talent.
By working with a trusted partner, organizations can get the help they need to assess their ecosystems, build out their cybersecurity environments and craft playbooks that will help them respond to whatever comes their way.
“If you implement new security tools, and there’s nobody there to monitor them and take remediation steps, that doesn’t do any good,” Serrano says. “You need somebody behind the wheel.”