The future of OT security: An integrated approach
Operational Technology (OT) cyber security, while currently lagging behind IT security and facing growing risk, is now positioned to leapfrog directly into an advanced level of cyber security maturity.
In most organisations, the OT areas have a lower level of cyber security maturity than the IT side of the organisation. This is both a blessing and a curse. While the OT environments of South African organisations carry a higher risk than their IT environments, they now have an opportunity to plan their maturity from start to finish, with a cost-efficient deployment that meets the vision of their business.
Digital transformation holds significant importance for OT organisations due to the numerous benefits it brings. However, as everything becomes more interconnected, the risk of cyber attacks also increases. Therefore, it is crucial for these organisations to prioritise securing their systems as a critical component of their expansion strategy.
The pandemic fast-tracked changes in the OT space, driving convergence with IT, progress and greater risk.
For decades, OT followed a principle of isolation (air-gapping) with limited remote access, if any. For most industries, this was the only security measure needed. Where the risk was still considered high, specific OT security solutions and skills would be acquired. The pandemic forced the mass adoption of remote access and accelerated OT/IT convergence, which broke the air gaps and increased machine automation.
Post-pandemic, organisations have not reverted to how things were before. In South Africa in particular, they have realised that OT/IT convergence is the future and that the benefits outweigh the risks.
Changes in the threat landscape such as increased interconnectivity and more targeted attacks increase the risk as well.
The number of attacks on OT is growing. Ransomware is targeting critical OT because of the likelihood of the ransom being paid, while ransomware-as-a-service has lowered the technical barrier to entry for deploying a cyber attack.
Fortinet’s 2022 State of Operational Technology and Cybersecurity report highlighted that 93% of organisations had at least one intrusion in the past year, while 78% had three or more.
It is no longer a matter of ‘if I get attacked’, but rather ‘when’, ‘how many times’, and ‘can my organisation detect, respond and recover?’
As OT and IT converge and remote access requirements increase, there is a greater chance of a successful cyber attack reaching OT. An infamous example is the US Colonial Pipeline ransomware attack in 2021. While the ransomware hit the IT side of the business, the interconnectivity with OT forced decision makers to shut down the OT side as a precaution.
Another challenge is loadshedding, which has made South African workforces more mobile. Employees are likely to work not only from a workstation but also from a laptop and even a cell phone, and they may also need to access OT remotely. This creates multiple opportunities for an attacker to compromise an employee.
While OT leaders may be aware of the cyber security risks they face, they may not be equipped to deal with them. Considering the maturity level and general overall cyber security skills deficiency, it is likely the risk is not appropriately quantified and addressed. Very few organisations that I have interacted with could claim their OT is adequately protected – and even the definition of protected is self-defined and not following an international best practice. I believe most organisations are accepting the risk as they are unaware of the actual situation. Unfortunately, they will understand their risk only once an incident occurs.
Addressing new challenges
Fortinet noted recently that OT leaders would confront a number of challenges this year, including an ever-expanding threat landscape, new government regulations worldwide, compliance becoming more complicated, and the cyber security skills gap.
Adding to these challenges, networks have become more complex and distributed, and seeing and responding to threats has become increasingly difficult. This is driving a need for a broad, integrated, and automated cyber security mesh platform that provides centralised management and visibility, supports and interoperates across a vast ecosystem of solutions, and automatically adapts to dynamic changes in the network.
Fortinet has long referred to this as the “Fortinet Security Fabric”, which covers the OT security best practices and requirements for the entire converged OT-IT network. The solutions include IAM (Identity and Access Management), sandbox, and SIEM (Security Information & Event Management), among others.
This provides consistent protection for distributed Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices, field operations, cloud-based services, and mobile workers.
Another key challenge in achieving cyber security in the OT space is overcoming a general lack of direction from C-level leadership.
According to the 2022 State of Operational Technology and Cybersecurity report, only 15% of respondents say that the chief information security officer (CISO) is responsible for IT security in their organisation. The survey indicates that IT systems security is primarily overseen by managers and directors in various functions such as plant operations. IT systems security must become a top concern as industrial systems increasingly become a target for cyber criminals.