How an IT/OT SOC can help protect OT systems


Information technology (IT) and operational technology (OT) are still very different things, especially in how they handle cybersecurity. Though many manufacturers still believe their OT systems are safe or air gapped, industrial organizations are being targeted by cybersecurity threats more often than ever before. To truly protect industrial systems, IT and OT need to work together. Organizations can forge a united front by creating a converged security operations center, or SOC. A converged IT/OT SOC can give you greater visibility across your operations and help you defend against outside threats.

In this partial transcript from the Dec. 5, 2023, webcast, Five Essential Steps to Creating a United IT/OT SOC, sponsored by Fortinet and Tenable, two experts answered the following questions:

  • Why are industrial organizations under attack?
  • Why are IT and OT still divided when it comes to security?
  • What is a security operation center, and how is it used?
  • How can you get executive and organizational buy-in?
  • What are the benefits of a converged IT/OT SOC?

The speakers were Luis Narvaez, regional product manager for controllers and cybersecurity for Siemens Factory Automation, and Jim Cook, COO for Velta Technology. This is the second part of the transcript. To read part 1, click here. For Part 2, click here. The following has been edited for clarity.

How secure is your OT?

Jim Cook: I want to go back to something Luis had in there, and I thought it was great — that question about just asking the company, “How secure is your OT?” It’s a great question. A lot of companies will just look and go, “Wait, what’s OT?” So that’s out there, and I just wanted to do that.

So really, what is that risk? Luis had some actual statistics, but the first one that’s out there is very common: Everybody is at risk, OK? So don’t say you’re not at risk. You’re at risk. You exist, and you’re connected to the network. Somehow, you’re at risk. Follow the money. This ransomware is a big thing. I mean, they’re just going to keep going to the easiest place to make money. If, by disrupting you, they can make money — and it’s easier now because you’ve got less security over in your OT, and they’ve got more in your IT — if that’s the way to make money, they’re going to do it.

You also have this increase in remote access needs. Again, just in the past couple of years with COVID. I add that to lean manufacturing. That has been a concept out there beforehand. The increasing needs for efficiency out of that technology and investment on the floor. I don’t go anywhere where someone is saying, “Yeah, we need remote access to this machine, this automation into this facility.” Well, it doesn’t work the same way when you’re in the IT, but they’re coming into that plant floor. As he mentioned before, the disruption impact is high. It can be costly and unsafe.

So the disruption impact is high, and it’s not simply just restarting a server. Restarting a server can shut down a whole production line. So there are things that are unique in there. There’s a common path from IT. There’s a recent study about how the majority of those impacted in the OT space are coming from the IT space. They’re connected. There’s this self-induced disruption, which, when you start talking about cyber events, that is sometimes a misnomer. A cyber event or a cyber threat. Is it really a cyber bad guy, or is it just an inadvertent and internal issue? Maybe you had an outside vendor make a change that shouldn’t have happened. Maybe you’ve got an IT department that’s trying to help but actually hurting you when they’re in their OT. We’ve seen different variations of both. The air-gap or firewall-only limitations. I’ll hear that a lot.

“Well, we’re air gapped.” Sure, you are. Very, very, very, very, very few organizations are truly air gapped. We usually consider that a myth. Air gap is always “air gap,” which means something different. Or you’ll get the answer, “Well, we’ve got a firewall. We fired off a wall off the OT,” where that also is ignoring that big onion that Luis had out there on defense in depth. But when you hear, “Hey, I’ve protected my OT environment with firewall only,” that leads to the question: What percentage of breaches last year had firewalls?

I don’t actually have the number, but I am pretty sure of the breaches that were out there, 100% or more of them had firewalls. The big breaches that you’ve heard of, they’ve all had firewalls. So a firewall, that’s only one layer. But from all the major IT breaches that occurred last year, it was approximately 100%.

One other point I wanted to touch on was what insurance providers are paying attention to now. If you are not involved in the cyber insurance, you will be soon. When the claims are starting to outgrow the insurance coverages, what happens is the bleed over from an OT cyber disruption goes beyond the cyber policy. So that is making insurance providers pay attention. You say, “OK, I’ve got commercial insurance.” Well, cyber insurance doesn’t usually cover production shutdowns. So then you’ve got to roll into another insurance. That’s another thing that’s occurring.

The very real threat to OT systems

So let’s go on to: Is this stuff real? Is this actually happening to OT environments? And yes, yes. This is not a movie. This is real, as my friend Steven Kovacs from years ago said, even with the limited sharing that goes on about this risk of cyber operations. What you have to pay attention to on the OT side is production disruptions with the breach.

And one that is recent — and I don’t have any inside information on this one — but the Clorox breach from a few months ago. When production is being impacted, there is a spillover into that OT environment. And we’ll get into some of the specifics in a minute. I’ve had some engineers push back and say, “How many times are the programmable logic controllers (PLCs) hacked? Or how many times are they getting the human machine interface (HMI)?” Just a couple of weeks ago, there was the water hack, where they released a picture of an HMI that has a PLC behind it with the actual hack screen on it. I don’t know if it’s the only one that’s out there on the internet, but it is one of the few times I’ve seen that actually on the internet.

So it is very real. It is not a movie. Let’s get into what I call now the “realities.” These are the current ones, the real ones, and you’ll hear about PLC vulnerabilities. Those are out there, but they’re vulnerable in a different way right now. The first one that I always bring up is the unpatched Windows. It has the most known exploited vulnerabilities. If you go out onto the list, and CISA produces this list, they categorize these kinds of known exploits. It’s a good list that I think all the other threat intels are feeding.

I know it’s not everything, but if it’s on that list, that thing has been exploited out in the wild, and you should really be thinking about it. Who has the most on the list? Windows. And sure enough, most OT environments have Windows. Whether they’re embedded HMIs, whether they’re engineering workstations, they’re out there. And there’s no endpoint protection on them. They’re not updated. They’re probably Windows 7. If you look hard enough, you might find Windows XP out there. If you’re looking in the OT/IT world, and an IT person comes up to you, you say, “Would you allow a Windows 7 with no antivirus that hasn’t been updated for two years onto your network?”

And they go, “No, we wouldn’t let it.” Well, we do it all day long out in the OT world. The other one, secondary to that, is not knowing. Not knowing, that’s a real risk. If IT does get hit, somebody’s going to turn to me and say, “Hey, Mr. OT network, do you have what we have over here?” And you’re going to go, “I don’t know.” In certain environments, you may have to shut down out of safety precautions. You may just have to say, “Depending on the manufacturing type, is it explosives? Is it dangerous? Could it be costly if it’s an uncontrolled shutdown?” You’re going to have to shut down out of safety.

Another one that’s out there: Some companies have segmented their network, but they haven’t cleaned everybody that comes in on a regular basis and plugs into their network. And malware is just sitting down there waiting, trying to phone home. The first time something gets misconfigured, it phones home and activates. That’s very real out there. This gets to the cyber events that could be internal — internal misconfiguration in IT tools, PLCs, passwords. Certainly, that’s even interlocks that might be going on if they’re going through the OT. But from IT tools, same thing. If you’re using the IT tools over into the OT space, that can be causing issues with certain types of scanning, certain types of PLCs. They don’t get along.

I’ve seen organizations where they’re trying to pen test, and they don’t have it properly segmented. They’re shutting down their operations from the pen test, and the cure is worse than the disease. You guys are trying to prevent me from shutting down while you’re doing a pen test, but your pen test is actually shutting you down. That’s out there. Remote and third-party access. As much as I talk about remote — and Luis has mentioned remote coming in and third-party access coming in — there are multiple ways that they come in, and I think he had mentioned it. He had mentioned about how you’ve got to get people on the floor to find out.

People on the floor will know that each of these devices, they’re managed by different support companies and by different people, and they have different types of remote software into these units. Nobody’s really sure how they get in, but they do. You’ve got compromised credentials. Even if you have everything but somebody’s credential goes up, they can get right into the network. Even if you have multifactor authentication (MFA) and you’ve got compromised credentials, how would you know that they’re in your network when they’re not supposed to be? Of course, you’ve got unmanaged devices, and you can get lateral movement. Certainly, there’s the hidden networks on the OT side. You know this. On the IT side, this is news to them that there are these networks that actually exist in the panels to run these machines that are built below the networks and to get around the network that exists in the OT.
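The unpatched-Windows and known-exploited-vulnerabilities point above, as an added example that is not part of the webcast: a small Python triage that checks a constructed OT asset inventory against constructed entries in the shape of the CISA KEV catalog (field names assumed from its public JSON schema; CVE ids and vendor names are placeholders) and ranks hosts by the exposures Jim Cook lists: KEV-listed product, stale patches, no endpoint protection, and KEV entries tied to ransomware campaigns.

```python
"""Triage an OT host inventory against a CISA KEV-style feed (added example, not
from the webcast). Field names follow the public KEV JSON schema; the feed
entries and the inventory are constructed samples, not real data."""
from datetime import date

# Constructed KEV-style entries (same field names as the real catalog).
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft", "product": "Windows",
     "knownRansomwareCampaignUse": "Known", "dateAdded": "2023-01-10"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Windows",
     "knownRansomwareCampaignUse": "Unknown", "dateAdded": "2023-06-01"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "HMI Runtime",
     "knownRansomwareCampaignUse": "Unknown", "dateAdded": "2022-11-20"},
]}

# Constructed OT inventory: what a walk of the plant floor typically turns up.
INVENTORY = [
    {"host": "hmi-line1", "vendor": "Microsoft", "product": "Windows", "version": "7",
     "endpoint_protection": False, "last_patched": "2021-09-14"},
    {"host": "ews-cell3", "vendor": "Microsoft", "product": "Windows", "version": "10",
     "endpoint_protection": True, "last_patched": "2023-11-20"},
    {"host": "packager-hmi", "vendor": "ExampleVendor", "product": "HMI Runtime",
     "version": "2.1", "endpoint_protection": False, "last_patched": "2023-10-02"},
]

def kev_index(feed):
    """Map (vendor, product), lower-cased, to the KEV entries for that product."""
    idx = {}
    for v in feed["vulnerabilities"]:
        idx.setdefault((v["vendorProject"].lower(), v["product"].lower()), []).append(v)
    return idx

def triage(inventory, feed, today, stale_days=365):
    """Flag the exposures the speaker calls out: KEV-listed product with entries
    newer than the host's last patch, patches older than stale_days, no endpoint
    protection, and KEV entries tied to ransomware. Returns hosts, worst first."""
    idx = kev_index(feed)
    report = []
    for h in inventory:
        hits = idx.get((h["vendor"].lower(), h["product"].lower()), [])
        age = (date.fromisoformat(today) - date.fromisoformat(h["last_patched"])).days
        # Screening heuristic: a KEV entry added after the host's last patch date
        # cannot have been fixed by that patch. ISO dates compare correctly as strings.
        open_kev = [v for v in hits if v["dateAdded"] > h["last_patched"]]
        ransomware = [v["cveID"] for v in open_kev if v["knownRansomwareCampaignUse"] == "Known"]
        score = (len(open_kev) + 2 * len(ransomware)
                 + (2 if age > stale_days else 0) + (0 if h["endpoint_protection"] else 1))
        report.append({"host": h["host"], "open_kev": [v["cveID"] for v in open_kev],
                       "ransomware_kev": ransomware, "patch_age_days": age,
                       "no_endpoint_protection": not h["endpoint_protection"], "score": score})
    return sorted(report, key=lambda r: r["score"], reverse=True)
```

Run as `triage(INVENTORY, KEV_FEED, "2023-12-05")`; the date-comparison screen only says a patch could not have fixed an entry, so a host that passes it still needs its installed updates checked against the specific CVEs.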
