The cybersecurity landscape is changing rapidly. With the rise of the industrial internet of things (IIoT) and the emergence of the cloud, the number of endpoints has increased dramatically, and risk is higher than ever. While manufacturers are still navigating their way around this new threat ecosystem, one fact has become clear: Cybersecurity is no longer solely the purview of the information technology (IT) department. To protect against cyberattacks, companies now need to bridge the gap between IT and operational technology (OT) and enlist the OT side in threat management.
But this process can be more complicated than it seems, according to Wayne Dorris, a certified information systems security professional (CISSP) and business development manager for cybersecurity with Axis Communications. Many plant managers and others in charge of OT have been doing their jobs for decades, and cybersecurity was never before under their umbrella. Now that everything from elevators to HVAC systems is online, that has changed.
But the bigger problem might be the sheer number of endpoints in a modern industrial facility. In 2016, Johns Hopkins University performed a study to help the Department of Defense understand just how many endpoints there were on the IT side versus the OT side.
“There were about 10 million IT endpoints, most of that being web-facing servers or .gov, whatever organization that they are working for, laptops, etc.,” Dorris said. “When they looked at their OT environment, there were 2.5 billion endpoints. So right there, you are seeing the amount of … difference in the number of endpoints.
“The other, bigger, stark difference that came out of that study: When you look at the operating systems on the IT side, we deal mainly with 3-5 operating systems: Linux, Windows, VM. It’s a pretty standard stack. … Compare that to what they found on the OT side: There were over 90,000 different operating systems. And this kind of leads to the difference. You can secure OT, but it is a completely different animal.”
That’s why it’s essential for companies to enable communication and the sharing of best practices between IT and OT. Because OT teams were not traditionally responsible for industrial cybersecurity, they can often learn a lot from their IT counterparts. And whether the two sides like it or not, they are now linked in trying to fend off malicious cyber actors.
Attackers are constantly on the lookout for vulnerabilities. If someone with malicious intent can get into your systems through an OT endpoint, they can then cross over from there into your IT networks.
“One of the best things that I try to advocate on is that OT can learn from IT,” Dorris said. “You do need that big list of, ‘These are my standards,’ or, ‘This is what I’d like to see put onto a device.’ Really what you’re doing is you’re creating a network security baseline. Understand that you may want to take some principles, say, like encryption. Understand that that’s going to be something we want for sure on our OT side, and we’ll enable it everywhere that we can enable it.
“This is essentially what the NIST (National Institute of Standards and Technology) IoT cybersecurity baseline is doing. It’s legislation that is in draft right now. When we look at that, it’s really setting this baseline.”
Dorris said setting that basic standard of protection is extremely important for manufacturers. Whether it’s a thermostat, camera or HVAC system, if it’s going to live on a critical infrastructure network, security controls should be added.
“On your baseline, you want to focus on the basics: privileged account management (who is holding those admin accounts, particularly for all that OT stuff that the OT side is handling) and encryption. Because basically, as long as I can encrypt, I can keep credentials from getting compromised,” Dorris said. “Then, the third and most important part is understanding the manufacturer’s patch and update schedule for software or firmware for that device. The majority of attacks that we see on the cross breach happen because the attacker is expecting that, even if the manufacturer has announced that there is a patch for this device, it can easily be 120 or 180 days before that patch gets applied. So they are working that window to quickly say, ‘Hey, is this device widely adopted out there in industrial settings? If it is, we have quickly found that we can turn this vulnerability into an exploit. We can weaponize it, and then quickly we can get in and see what else we can do.’”
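The three baseline controls Dorris lists (privileged account management, encryption, and tracking the vendor patch schedule) can be turned into a simple inventory check that flags which OT endpoints fall outside the baseline and, in particular, how long a published patch has gone unapplied. The script below is an added example written for this article, not code from Axis Communications or from NIST; the device inventory is constructed, and the thresholds (a 120-day patch window taken from the interview, at most two admin accounts, and the list of generic account names) are assumptions you would tune to your own baseline.

```python
"""OT endpoint baseline check (added example; inventory and thresholds are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Shorter of the 120/180-day patch-lag windows quoted in the interview (assumption).
PATCH_WINDOW_DAYS = 120
# Account names treated as shared/default privileged accounts (assumption).
GENERIC_ADMIN_NAMES = {"admin", "root", "shared"}
MAX_ADMIN_ACCOUNTS = 2  # assumed baseline limit on privileged accounts per device
AS_OF = date(2021, 6, 1)  # constructed evaluation date


@dataclass
class Device:
    name: str
    firmware: str                  # version currently running on the device
    latest_firmware: str           # version the vendor has published
    patch_released: Optional[date]  # when latest_firmware was published; None if no patch
    encryption_enabled: bool
    admin_accounts: List[str]


def patch_exposure_days(device: Device, today: date) -> int:
    """Days a published vendor patch has remained unapplied (0 if current or none published)."""
    if device.patch_released is None or device.firmware == device.latest_firmware:
        return 0
    return (today - device.patch_released).days


def check_device(device: Device, today: date, window: int = PATCH_WINDOW_DAYS) -> List[str]:
    """Return the baseline findings for one device; an empty list means it meets the baseline."""
    findings: List[str] = []
    if not device.encryption_enabled:
        findings.append("encryption disabled")
    # Privileged account management: shared/default names and too many admins.
    if any(acct.lower() in GENERIC_ADMIN_NAMES for acct in device.admin_accounts):
        findings.append("generic admin account in use")
    if len(device.admin_accounts) > MAX_ADMIN_ACCOUNTS:
        findings.append(f"{len(device.admin_accounts)} admin accounts")
    # Patch schedule: flag devices sitting inside the window attackers work.
    exposure = patch_exposure_days(device, today)
    if exposure > window:
        findings.append(f"vendor patch unapplied for {exposure} days")
    return findings


def inventory_report(devices: List[Device], today: date,
                     window: int = PATCH_WINDOW_DAYS) -> Dict[str, List[str]]:
    """Map each device name to its findings so the gaps can be handed to the OT owner."""
    return {d.name: check_device(d, today, window) for d in devices}


# Constructed sample inventory: one lagging camera, one compliant thermostat, one weak controller.
INVENTORY = [
    Device("cam-01", "1.0", "1.2", date(2021, 1, 1), True, ["ops1"]),
    Device("thermostat-07", "3.4", "3.4", None, True, ["ops1", "ops2"]),
    Device("hvac-ctrl-02", "2.1", "2.1", date(2021, 5, 20), False, ["admin", "ops1", "ops2"]),
]

if __name__ == "__main__":
    for name, findings in inventory_report(INVENTORY, AS_OF).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run it as-is and the camera is reported as 151 days behind the vendor patch, the thermostat passes, and the HVAC controller is flagged for disabled encryption and its account hygiene. In practice the inventory would come from the asset register rather than being hand-written, and the per-vendor release dates are what make the patch-lag column meaningful.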
The other critical endpoint is what Dorris calls the human firewall. All employees need to be informed of basic cybersecurity practice. Again, the responsibility for protecting company assets no longer falls just on the IT department; it’s something everyone needs to be a part of.
“We can only train our employees to be so good,” Dorris said. “Obviously for the attacker, it’s a whole lot easier to get somebody to click on something that goes, ‘Oh, hey, I think I won a new car. Just click on this link and see if I’m the winner.’ The human firewall is, of course, the most important, but it’s also the hardest one to protect.”
Check out Part 1 of our interview with Wayne Dorris, in which he discusses the recent rise in ransomware attacks and what companies can do to prevent them. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.