It’s no secret that industrial organizations are at the forefront of cybersecurity threats. They are targeted because they have a lot to lose during operational downtime. Attacks on operational technology (OT) can also pose a threat to human life and safety, but a divide still exists between information technology (IT) and OT when it comes to security. So how can you bring these two sides together? Organizations can forge a united front by creating a converged security operations center, or SOC. SOCs are already used regularly for IT security; a converged IT/OT SOC can give you greater visibility across your operations and help you defend against outside threats.
In this partial transcript from the Dec. 5, 2023, webcast, Five Essential Steps to Creating a United IT/OT SOC, sponsored by Fortinet and Tenable, two experts answered the following questions:
- Why are industrial organizations under attack?
- Why are IT and OT still divided when it comes to security?
- What is a security operations center, and how is it used?
- How can you get executive and organizational buy-in?
- What are the benefits of a converged IT/OT SOC?
The speakers were Luis Narvaez, regional product manager for controllers and cybersecurity for Siemens Factory Automation, and Jim Cook, COO for Velta Technology. The following has been edited for clarity.
Luis Narvaez: I’m going to share some info just to highlight a little bit more about some of the cyber risks that we’re experiencing in manufacturing and industries in general. I like to start off with this quote, and I think it resonates with me a little bit because there’s nobody that knows everything about cybersecurity. It’s a continuously evolving path, continuously evolving topic, and there’s always something to learn. I think that description is a little bit generous. I don’t like to call myself an expert in anything because I’m always trying to learn a little bit more about whatever there is to tackle. So that being said, I’ll move on to the next: What kind of trends are really bringing challenges to industries?
There are lots of things that bring various degrees of challenges to different industries. Not just manufacturing, but we could think about critical infrastructure and so on. From the need to digitalize operations and the enterprise, meaning collecting data from assets, to lack of skilled workforce when a lot of people are retiring over the next several years. People that have a lot of domain expertise and knowledge when it comes to manufacturing, when it comes to industry processes, that knowledge, those decades of knowledge, is very hard to capture, and it’s very hard to fill that need, that knowledge, those gaps with just training and such.
Also, the push for legal regulations, whether that’s federal mandates or compliance to more legal standards, that’s driving a lot of manufacturers and industries to establish more cybersecurity-compliant standards within their own organization and also the need to participate in a global economy. A lot of organizations are doing business on a global scale. On top of that, the need to have remote work or remote service, to be able to service equipment quicker and faster, is becoming a trend that is obviously bringing a lot of attention to securing the manufacturing space. So I think a lot of these trends are something that we need to be aware of. It’s happening. It’s not really going anywhere. If anything, it’s bringing higher risk to manufacturing and industries, and we need to figure out solutions to address that risk.
Going back to that digitalization topic, a lot of organizations, they’re connecting assets, they’re connecting devices, whether that be to the cloud or to the IT or to the enterprise, whatever the case is, and there’s not really a lot of clarity as to how secure the OT is. If you were to ask any manufacturer on the OT side how secure their OT is, I don’t know that there’s really a whole response that people can give — or at least a lot of organizations, I’ll say, can give — to address that question.
A lot of times, we see in manufacturing, a lot of those security measures don’t really relate on the OT side. That could be because a lot of the components are inherently different and have longer life cycles, or considered that legacy space. There are also different requirements on the OT side versus the IT side. I think a lot of people on the industrial security side are very aware of the CIA versus the AIC prioritization stack when it comes to availability, integrity and confidentiality, or vice versa, when it comes to IT and OT security. Those kinds of factors play a part as to why OT is not as secured as it should be or could be moving forward.
To add some context, we have some figures that, based off of a manufacturing automation survey, over 60% of smart factories have experienced a cyber incident. Over a third of those cyber incidents are happening on the manufacturing floor, on the manufacturing side of things. That’s a pretty significant number. Those numbers only increase. Just at the end of last year, Dragos did a survey — they always publish their year review reports — and it said 72% of ransomware attacks occur in manufacturing. So we talk about the cyber incidents. Now, cyber incidents could be a number of things, but ransomware is pretty serious. Just recently, there’s been a lot of media on some ransomware attacks on wastewater facilities, or particularly targeting specific ICS devices made in Israel. Those types of attacks are crippling manufacturing and have a lot of implications on the OT side that need to be addressed.
So let’s look at the OT cybersecurity journey. According to Gartner, there was a survey where they broke this cybersecurity journey into six different phases, ranging from awareness all the way to your OT cybersecurity program, optimizing that, and so on. Nearly two-thirds of organizations are just in this awareness phase. This could just be triggered from whether there was a breach or some sort of cyber incident on the organization. It could have been driven from the board of directors or from upper management that, hey, this is becoming a big deal. Again, those megatrends we talked about earlier, those could be playing a factor into bringing a more robust cybersecurity program into the organization. There could be government legislation or intervention that’s also driving this, meaning there’s all kinds of legislation coming not just within the U.S., but globally that could be driving organizations to have a better look at their cybersecurity programs.
But they’re not at the stage where they’re actually implementing some of these measures or optimizing. There’s very few. Again, according to that survey, about 10% of organizations are in that phase where they’re integrating these technologies, integrating different solutions, integrating a SIEM, a SOC, a SOAR, and optimizing their cybersecurity program. Ideally, you’d like to see, at least in the future, those two numbers change hands a little bit, where you have less organizations just being in that awareness phase and more organizations being in that phase of let’s implement, let’s optimize our cybersecurity programs and fight back against these cyber threats out there.
To add a little bit more context, let’s look at the number of vulnerabilities that are published, as well as the amount of connected devices. According to IoT Analytics, in 2025, we’ll have over 40 billion connected devices worldwide. Now, these are not necessarily all ICS devices, but it still brings a little bit of awareness of the amount of data, the amount of devices that are being connected globally, whether it is ICS devices or IoT devices or IIoT, meaning industrial Internet of Things, devices. I work for Siemens. Siemens did an internal survey back in 2022, and they’ve got over 740,000 registered devices just within the organization. That’s a 9% increase from 2021. So even large organizations are starting to see this trend of more and more connected devices within their enterprise networks. So that’s something to be aware of.
When we look at the number of published vulnerabilities at the end of 2022, we had over 23,000 disclosed vulnerabilities published. Looking at the connected devices and published vulnerabilities together, they have a little bit of a multiplication effect. So you can look at this and see there’s a serious problem. There’s a lot of risk out there, and if we don’t really address the need for cybersecurity, this is only going to get exponentially worse. At the end of the day, asset owners are going to need help. They’re going to need help with services. They’re going to need help with implementing solutions, and hopefully today gives you a little bit of insight as to some of the solutions, some of the ideas that can help move toward an SOC or a more robust cybersecurity program within your OT organization.