What is shadow OT and why is it important?

[Image: wires plugged into a network. Image courtesy: Brett Sayles]

Shadow OT Insights

  • Shadow OT consists of the parts of an operational technology (OT) system that are unmonitored, unseen or forgotten; because nobody is watching them, they can become a liability to a company.
  • One way to help combat this issue is with OT asset visibility. Businesses are starting to turn toward solutions like OT asset visibility management software.

If you’ve been in cybersecurity for a while, you’ve probably heard the term “Shadow IT.” But did you know that there are even bigger blind spots inside operational technology (OT) infrastructure? Security and executive teams almost always have an incomplete picture of what’s happening inside their operational systems even though these are critical, moneymaking parts of a business. This is the phenomenon of “Shadow OT.”

What is Shadow OT?

Shadow OT refers to unidentified, unmonitored, or forgotten assets or networks inside a company’s cyber-physical systems that existing device inventory tools frequently miss. Shadow OT creates enormous risk for a company because it impedes the company’s ability to identify and respond to a cybersecurity threat quickly enough to avoid the impacts of an attack.

As the adage goes, you can’t protect what you can’t see, and this hidden infrastructure can put organizations at risk. If you can’t identify, monitor and manage your operational systems, it’s almost impossible to detect and respond to cyber threats quickly enough to avoid the impacts of an attack, which could include anything from process disruption to fatalities depending on the industry.

Why is it important?

OT assets’ criticality differs from the criticality of information technology (IT) assets. When planning for IT security, you’re protecting data. If you have a good plan in place, even if the worst happens, you can restore data from a backup. If an incident occurs in an operational environment, you can’t restore the physical world. Physical damage to a plant, wind turbine, vessel, nuclear reactor or, in a worst-case scenario, the loss of human life can’t be restored from a backup.

Unique or legacy OT systems are frequently missed by existing IT cybersecurity technologies that create device inventories because they weren’t built to gather data from these environments. Over the past decade, many tools offering visibility into OT infrastructure have come to market, but the approach has been sporadic at best.

The current state of OT asset visibility

OT visibility for most companies today is limited to a plant-by-plant basis and is not easily accessible at the corporate level. Most specialty OT visibility tools on the market today haven’t done a great job of normalizing the vast amounts of data they receive from these systems, which has resulted in OT alert fatigue for security operations center (SOC) teams. They are almost always frustrated by the lack of context about a potential issue or threat. Getting this data out of a plant or site and into the corporate SOC has proven to be a challenging undertaking, and we still see chief information security officers (CISOs) struggling to answer basic questions about their company’s OT security posture.

The OT security industry as a whole is also going through an “aging out” process, where older operators who possess important understanding about devices and systems are retiring and taking that tribal knowledge with them. Younger practitioners don’t have an easy way to quickly uncover this information, which is why it’s so important to put the right processes and technologies in place to support people in their OT cybersecurity efforts.

Collecting data from OT environments

According to a 2022 Ponemon Institute study, only 45% of respondents say their organizations are effective in discovering and maintaining an inventory of all devices attached anywhere on the OT network throughout the asset lifecycle. To combat Shadow OT, security and operational teams need to work together to create a single source of truth for their asset base.

Centralizing all of your asset and security data in a single location makes it easier for everyone to see and act on cyber or operational issues before they cause a problem in the physical world. OT asset management tools are a great way to do this. Be sure to look for one that can ingest data from many different sources and can also share data with the enterprise tools that the SOC and executive teams use.
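The two practical points above (normalizing data from many sources, and building a single source of truth so that devices absent from the corporate inventory become visible) can be shown in a few dozen lines. The following Python script is an added example, not the article's or Industrial Defender's code: it merges three constructed asset exports (a corporate CMDB, a passive OT network-discovery tool and a plant engineer's spreadsheet; the source names, field names and every address below are assumptions) into one normalized record per device, then flags devices that were observed on the OT network but appear in no authoritative inventory, i.e. Shadow OT candidates.

```python
"""Reconcile asset records from several sources into one normalized
inventory and flag devices that appear on the OT network but in no
authoritative inventory (Shadow OT candidates).

All data below is constructed for illustration; the source names
('cmdb', 'passive', 'plant') and their column layouts are assumptions."""
import csv
import io
import ipaddress
import re

# Constructed sample exports. 'cmdb' stands in for the corporate IT
# inventory, 'passive' for a passive OT network-discovery tool and
# 'plant' for a site engineer's spreadsheet. MAC formats deliberately differ.
CMDB_CSV = """hostname,ip,mac
plc-line1,10.20.1.10,00-1C-06-AA-BB-01
hmi-line1,10.20.1.20,00:1c:06:aa:bb:02
eng-ws-01,10.20.1.50,00:1C:06:AA:BB:05
"""

PASSIVE_CSV = """ip,mac,vendor,protocol
10.20.1.10,001c06aabb01,Vendor A,modbus
10.20.1.20,00:1c:06:aa:bb:02,Vendor B,s7comm
10.20.1.77,00:1c:06:aa:bb:77,Vendor C,ethernet/ip
10.20.1.78,00:1c:06:aa:bb:78,Vendor C,ethernet/ip
"""

PLANT_CSV = """tag,ip,role
PLC-L1,10.20.1.10,controller
DRIVE-L1-3,10.20.1.77,vfd
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a canonical lower-case, colon-separated MAC, or None if unusable."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    if not _HEX12.match(hexonly):
        return None
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


def normalize_ip(raw):
    """Return a canonical IP string, or None if the field is empty or invalid."""
    try:
        return str(ipaddress.ip_address((raw or "").strip()))
    except ValueError:
        return None


def load(source_name, text):
    """Parse one CSV export into (source_name, row) pairs."""
    return [(source_name, row) for row in csv.DictReader(io.StringIO(text))]


def merge_inventories(sources):
    """Merge rows from all sources into one record per physical device.
    Devices are keyed by normalized MAC when one is known; rows that only
    carry an IP are attached to the MAC-keyed record seen at that IP."""
    merged, by_ip = {}, {}
    # Rows carrying a MAC are processed first so IP-only rows can attach to them.
    ordered = sorted(sources, key=lambda sr: normalize_mac(sr[1].get("mac")) is None)
    for name, row in ordered:
        mac = normalize_mac(row.get("mac"))
        ip = normalize_ip(row.get("ip"))
        key = mac or (by_ip.get(ip) if ip else None) or ip
        if key is None:
            continue  # nothing to identify the device by
        rec = merged.setdefault(key, {"sources": set(), "ip": ip, "mac": mac, "attrs": {}})
        rec["sources"].add(name)
        if ip and ip not in by_ip:
            by_ip[ip] = key
        for field, value in row.items():
            if field not in ("ip", "mac") and value:
                rec["attrs"].setdefault(f"{name}.{field}", value)
    return merged


def shadow_ot_candidates(merged, authoritative=("cmdb",), observed=("passive",)):
    """Devices seen by an observation source but absent from every
    authoritative inventory: the blind spots the article calls Shadow OT."""
    return sorted(key for key, rec in merged.items()
                  if rec["sources"] & set(observed)
                  and not rec["sources"] & set(authoritative))


def inventory_coverage(merged, authoritative=("cmdb",), observed=("passive",)):
    """Fraction of observed devices that the authoritative inventory knows about."""
    seen = [rec for rec in merged.values() if rec["sources"] & set(observed)]
    if not seen:
        return 1.0
    known = sum(1 for rec in seen if rec["sources"] & set(authoritative))
    return known / len(seen)


def build_inventory():
    """Build the merged inventory from the constructed exports above."""
    sources = load("cmdb", CMDB_CSV) + load("passive", PASSIVE_CSV) + load("plant", PLANT_CSV)
    return merge_inventories(sources)


if __name__ == "__main__":
    inv = build_inventory()
    for key in shadow_ot_candidates(inv):
        rec = inv[key]
        print(f"SHADOW OT: {rec['ip']} {rec['mac']} seen by {sorted(rec['sources'])} {rec['attrs']}")
    print(f"inventory coverage: {inventory_coverage(inv):.0%}")
```

With the constructed data, two devices on the line network are unknown to the corporate CMDB. One of them is documented only in the plant engineer's spreadsheet, which is exactly the tribal knowledge the article describes walking out of the door when operators retire; merging that spreadsheet into the same record is what turns it into corporate-level visibility. The coverage figure is the kind of number a CISO needs in order to answer basic questions about OT security posture.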

Original content can be found at Industrial Defender.
