One of the clearest “coming attractions” for operational technology (OT) is the application of traditional information technology (IT) systems and security management (ITSM) to the industrial controls environment. For nearly 20 years, IT teams have applied foundational techniques such as hardware and software management, secure and sustainable configuration management, patch management, user and account management, etc. These processes – and the tools they use to automate them – have not only improved IT system security, but also have improved reliability, lowered operating costs and provided better customer satisfaction with IT as an organization.
Robust IT systems management is conducted comprehensively, regularly, and with statistics on compliance and outliers. It provides the basis for much of the security within the IT realm – from ensuring updated security patches, to proper network rules in firewalls, etc.
These tools, techniques, and processes are missing from almost all OT environments. Organizations and their original equipment manufacturer (OEM) partners build cyber security systems to last 20 or 30 years. Upgrade cycles are measured in decades, not three-year refreshes or monthly updates. There are many good reasons for these approaches given the unique processes and sensitive devices involved. But, in most cases, these computing devices – servers, workstations, switches, programmable logic controllers (PLCs), relays, sensors, etc., are not “managed” in a typical ITSM model.
We see this clearly in our assessments of these industrial environments – unpatched systems, device configurations with significant insecurities, many dormant and insecure users and accounts, failed or non-existent backups, and at the foundation a fundamental lack of accurate and deep asset inventory. The focus in most industrial organizations is the process itself rather than the management of the computing devices that control that process. Ease of operation is the primary driver, enabling the technicians to reduce the cost and complexity of the process.
The need for greater OT system management
Over the next five to 10 years, OT needs to adopt the core elements of ITSM. To date, most industrial organizations have relied on network protections for their OT systems – firewalls or data diodes, the mythical “air gap”, network anomaly detection, or intrusion detection systems (IDS). No one would debate the value of these initiatives in a defense-in-depth model. However, the next five years will make these defenses less and less effective, requiring a push to greater OT security management programs. Several trends and events drive this change:
Increasing IIoT/Industry 4.0 connectivity between industrial operations and the internet
Organizations have trialed and proven connected plant initiatives for a decade. In the past three years or so, organizations pivoted from trial to widespread adoption and the “wave” is gaining steam. Based on multiple analyst views (Gartner predicts the enterprise IoT platform market will grow to $7.6 billion in 2024), these initiatives are set to grow dramatically over the next five years. Whether it be OEMs connecting to wind turbines to regularly update the programs or monitoring the flow of fluids through a valve to tune for maximum output, we already see these connections occurring. As connectivity explodes, network protection alone will grow increasingly untenable as a solution to OT security.
Increasing public vulnerabilities in OT equipment
In our recent ICS Advisory Report, we found a 75% increase in CVEs in ICS-CERT advisories between 2019 and 2020. This growth highlights the growing research into the vulnerabilities of these industrial-specific software and embedded systems. Moreover, this is just the tip of the iceberg, as the software supply chain risks from the underlying components of these systems are hardly identified at all yet. The reality is that OT systems’ reliance on “security by obscurity” is falling away as the curtain is pulled back. This will require a much more robust, IT-like, endpoint management capability for these systems.
Increasing regulatory pressure
Over the next three years, almost every developed country, and many developing countries, will implement rigorous security requirements that apply to OT systems – from the US Department of Defense’s recent CMMC standard to the UK’s RIIO2 standard to Qatar and other locations within the Middle East. The trend is toward greater regulatory oversight of the world’s critical infrastructure. We have seen how these regulations impact utilities in North America with the NERC CIP requirements, which essentially require true OT endpoint systems management – patching, configuration management, user and account control, backup management, etc.
Increasing pressure from CISO/board of directors
As all of these changes occur, boards of directors place more emphasis on securing the OT environment. This is not surprising given the potential financial impact of these attacks – see the results from Merck, Maersk, Norsk Hydro, and more recently at many organizations involved in the supply chain for critical COVID vaccines. Insurance companies are pressuring companies to ensure all systems are protected. Therefore, CISOs put greater emphasis on OT. They expect the same type of security capabilities and systems management as they achieve in IT, which will drive a greater push for OT systems and security management.
The future of OT cybersecurity
So, what does this mean for OT leadership? How will it impact the “leaned out” operational excellence achieved over the past 15 or 20 years? What is the impact on the day-to-day jobs of the instrumentation and controls techs?
In short, a coming tidal wave of new requirements, reporting, and security responsibilities on the computing equipment that runs industrial operations. Why do we call this a “tidal wave”? Because we have seen it. The North American electric utility industry over the past dozen years has adopted an increasing set of requirements for OT systems management. Is NERC CIP perfect? Of course not. It has many areas that may not deliver a great return on investment (ROI) on security.
But would we expect the regulatory requirements around the rest of the world to be significantly more efficient? Probably not. In addition, these were established before the presence of IIoT and cloud, before the increasing numbers of endpoint vulnerabilities, etc. As those areas grow, the need for endpoint management will grow ever greater.
The reality is that most OT environments do not manage these endpoints. Therefore, as these new requirements emerge, most will be relying on manual tasks to gather critical reporting for the C-suite or regulators. Most will be using different OEM tools to try to patch systems manually or with an inefficient system-by-system approach. Most won’t have automated asset inventory or vulnerability assessment to provide real-time visibility, so they will rely on manual teams to gather this information into spreadsheets, etc.
We often hear forecasters talk about the coming risk from hackers, and this is real. But the real coming risk is the operational costs in keeping up with the necessary OT systems management to ensure security in connected, vulnerable, regulated environments.
OT endpoint systems management
The future is clear: it involves a greater and greater need for endpoint systems management of OT computing equipment. The challenge is that doing this efficiently and effectively does not happen overnight. It begins with a truly robust asset inventory. But an inventory is only the foundation of a true OTSM program. It also includes efficient and OT-safe vulnerability management, patch management, configuration management, etc. This integrated and automated approach can reduce the labor requirements by 70% over traditional manual methods. As this tidal wave approaches, we encourage industrial organizations to begin to map out their OT endpoint management roadmap.
– This article originally appeared on Verve Industrial’s website. Verve Industrial is a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.