For a long time, operational technology (OT) considered itself mostly protected from threat by the fact that it wasn’t connected to information technology (IT) — or, more accurately, it wasn’t connected to the big, bad world of the internet. OT was safe thanks to an air gap, or so the theory went. But that isn’t the case anymore, and it hasn’t been for quite a while. And this can cause major problems because of the fragility of OT networks.
The age of the Internet of Things (IoT) and IT/OT convergence has ushered in an era where IT is being used to help manage OT. Overall, that’s a net positive, because IT can help make OT more efficient. But there is a rub, said David Masson, director of enterprise security at Darktrace, a leading cybersecurity artificial intelligence (AI) company. When you bring the benefits of IT into OT, you also introduce a new world of threat.
“When the air gap still existed, there was this division. There was this sort of distancing. There was a siloing of the threats,” Masson said. “IT got its own big, bad world; OT had its. As we’ve seen in many cases in the IT environment, people tend to start using security products that are effectively siloed. One product for this, one product for that, one product for the next thing — cloud, SaaS (software as a service), email, IoT, whatever that is. And on the IT side, because they’re all different, they don’t communicate with each other. And when you don’t have communication, you’ve got gaps. And when you’ve got gaps, threat actors will exploit that.”
The converged ecosystem
In the modern environment, this perceived division between IT and OT is mostly an illusion. Almost everything lives on a network now, and IT and OT are highly intertwined. That’s why recent cyberattacks like the ones on JBS, the world’s largest meat processor, and beverage maker Molson Coors effectively shut down OT systems even though they were IT attacks. Any attack on OT is likely going to originate in an IT system. Companies need a way to protect both systems in this converged ecosystem.
“I would advise people who are looking at this right now to be considering trying to use the same technology for both your OT and IT,” Masson said. “It will work, so that you get one unified approach to your security with systems that are actually going to communicate with each other. Because what I can tell you is when your threat actors attack you, they take a unified view of your entire digital infrastructure. That’s the way they view it.”
When considering cybersecurity practice and budget, many companies think primarily of protecting their IT networks because that’s where most attacks start. But recent strikes on critical national infrastructure — and as a food and beverage company, JBS certainly counts as that — have had an impact on OT systems, as well. And OT is definitely worth protecting because taking OT systems down can have a huge, multifront impact on companies.
“Not just from the point of view that because it supports critical national infrastructure — the systems that we rely on to run the countries that we live in — but also because, at the end of the day, it’s going to affect your bottom line,” Masson said. “If you’re a company, you’re there to make profits and provide salaries and wages and dividends for everybody. If you’re not any good at this, this isn’t going to work for you, and your share prices can drop. Your customers can walk away, and that’s probably the biggest issue is when customers walk away from it. So there’s an incentive not just for doing the right thing for the country but for doing the right thing for the organization to actually start protecting your OT.”
Attacks on OT most certainly can impact a business’s bottom line, but they’re also a major safety issue. Luckily, most of the recent cyberattacks have been more about money (i.e., ransomware and encryption of IT data) than about trying to shut down critical systems. But the Oldsmar water treatment facility attack in Florida and the Aurora vulnerability demonstrated the kind of damage that can be done when malicious actors threaten OT systems.
And as Masson made clear, OT systems can be ransomed. In fact, OT networks are particularly vulnerable to this kind of attack, especially in cases where an organization can’t afford to have production halted, changed or interrupted in any way. That’s the reason attackers go after things like municipalities and hospitals: There is a big drive to maintain those services, and the easiest way to maintain them is to quickly pay the ransom.
The fragility of OT
OT systems are also vulnerable because they’re “fragile,” said Masson. That might seem like an odd way to describe massive plants and machines intended to reliably perform the same function for 20 years, but OT systems were not designed with security in mind. They were designed for availability and safety.
“The reason they’re all so fragile is because it’s easy to actually stop them,” Masson said. “The devices that exist inside the OT might look robust, and they do the same thing thousands and thousands of times for 10, 20 years, or whatever, so long as they stick in that environment and do just that. The minute something else appears that’s different or interrupts or changes what they’re about, it probably causes them to fail, and that’s why they’re so fragile. Unfortunately, threat actors know that. Threat actors know that if you really want to cause some damage, attack the critical national infrastructure of a country because the CNI is almost certainly being run by OT, and you can really do some damage there.”
Another reason for the fragility of OT is that these systems are often old and outdated. Many were designed long ago; in some cases, before the internet even existed.
“[It’s] almost to the point where nobody knows how to run them anymore, because whoever designed them isn’t on the planet anymore,” Masson said. “That makes it very, very fragile. It also means that people don’t want to really touch things or change things. They’re very resistant to change because to do so, nobody’s really sure what the outcome will be. It might be OK, or it might not be OK. And if there is a chance that it’s not going to be OK, we won’t do it. That’s why you don’t get people patching OT in any way to the sort of extent and time scale that you get in IT, because they don’t know what the patch will do. It might shout, like, ‘Boo!’ at a PLC (programmable logic controller), and it gets frightened and falls over and stops working.”
For all these reasons, OT usually gets shut down regardless of whether a cyberattack targets IT or OT. Businesses from beverage makers to hospitals to governments simply can’t afford to take their systems offline for any length of time if an IT attack jumps to an OT network. It’s safer to simply shut down OT to ensure its safety and continued availability. Masson cites the JBS hack as a perfect example of how companies typically react in the face of cyberattacks, given the fragility of OT.
“They had to stop production, and the reason for stopping production is because they were obviously frightened that the attack on their IT could jump across to their OT,” he said. “They were wanting to make absolutely sure that they can bring OT back online again, so they’re going to shut their OT down in the correct manner because they know they can then bring it back up again in the correct manner. But if malware gets onto it from the IT side, then there’s a chance they’ll never be able to shut it down properly and they’ll never be able to bring it back up again properly. So the result is a decision driven by fear.”
OT networks often look extremely complicated, and for good reason — they are complicated. Masson said they can almost look like chaos to most human beings. Bringing the world of IT, with all its benefits and threats, to OT has created mass complexity. Masson’s advice is to use the same technology for both.
“I would advocate that you want to use a technology that can handle that complexity, that can actually handle chaos, that can make sense out of it and actually work out what everything is actually supposed to do. … If you have the technology that can do that, you don’t get to the breach. So many products out there rely on having victims before we come up with solutions, and that’s not really going to work in an OT network. You need to get on it before the damage is actually done, and there are technologies out there that will actually be able to do that for you.”
Keep an eye out for Part 2 of our interview with Darktrace’s David Masson in the coming weeks, where he will offer some advice on how AI can help manage the complexity of the modern, converged IT/OT environment. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.