Digital transformation has been a watchword in business circles for a while now, as everyone rushes to get their assets networked. But when it comes to protecting operational technology (OT), this can cause problems. One of the major issues with securing OT is many of the machines have been around for a long time. So how can companies in critical national infrastructure protect their legacy OT assets in the digital age, and how big of a problem are these systems?
While digital transformation might be good for business writ large, it can pose significant challenges for OT cybersecurity, said Richard Robinson, chief executive officer of Cynalytica in the United States and director of Cynalytica International in the United Kingdom. First and foremost, digital transformation is happening and will continue to happen. There are just too many strong business and operational reasons for it. However, when it comes to connecting OT infrastructure networks as part of that digital transformation, things can get tricky.
“Most organizations would probably say that the biggest concern is that the legacy, or the aging OT, is difficult to manage and to integrate,” Robinson said. “And they’re correct. So, unfortunately, they’ve either then ignored it or rationalized not addressing it properly. It’s like if they just close their eyes and plug their ears, it’ll go away.
“We have, unfortunately, seen this attitude frequently in the energy and the water sector, especially in light of all of the cybersecurity events. That is still kind of a prevalent attitude, and I don’t know if it’s protectionist or just whatever it is, but that’s one of the biggest concerns.”
Integrating legacy OT
Historically, OT integration has been ignored because it could potentially introduce operational problems or a new cybersecurity threat vector. According to Robinson, it doesn’t have to be that way anymore because there are tools and technologies that can help address the problem. Still, legacy OT is a major part of critical infrastructure and that’s not likely to change anytime soon.
“In many situations, it’s not economically viable to replace that infrastructure,” Robinson said. “Then maintaining it as a cyber asset once it’s connected to the network brings on a lot of baggage that needs to be understood and appropriately addressed. With these, the control systems are the greatest risk for compromise. In the government space, GAO (U.S. Government Accountability Office) has published several reports to the DoD (Department of Defense) and to the Department of Energy driving this fact home on the criticality of the infrastructure and the need to protect it.
“Very few organizations that are on their digital transformation path currently monitor, collect or correlate any of the data from these legacy environments, which essentially leaves them vulnerable to being exposed as well as being unaware of actually what’s happening in these environments when they start to connect them.”
Another issue is that many organizations seem to think they are on top of the problem, that it is going away, or that they are air-gapped. In the modern environment, a true air gap is not a reality for most companies.
“Many air-gapped environments still have remote access for vendor maintenance, some wireless components and other elements that make them very un-gapped,” Robinson said. “When we hear this from operators, it’s almost become a cliche for, ‘I have no idea what I have or how this works in my environment.’”
Most legacy systems were built decades ago, well before the internet. They were designed to be predictable, reliable and resilient, and to last for decades. When they were installed, no one was concerned with internet security properties like encryption, authentication or non-repudiation. As a result, there is still a significant lack of awareness and understanding about the real challenges, and the potential solutions, around integrating legacy environments as part of digital transformation.
Robinson said the majority, if not all, of the digital transformation efforts are now being marshaled through the information technology (IT) or business functions and not through operations or OT. But taking an IT-centric approach to the integration of a legacy OT environment without fully understanding what that entails is the core problem.
“The communications in these environments are not TCP/IP communications; they’re old-school, industrial, serial communications,” Robinson said. “For a lot of folks, that is a lost dark art. So when you start connecting those things to environments without understanding them, or understanding how you’re going to architect and structure and get that data safely and securely into the environment, that is really where the challenges begin, and that IT-centric view on it makes that a really, really large challenge.”
Monitoring OT environments
When it comes to monitoring OT environments, Robinson prefers monitoring the serial link directly rather than the TCP/IP side, because the conversion and encapsulation of serial communications into TCP/IP is not as faithful. Companies could be losing valuable data in the conversion and encapsulation, and once the traffic has passed through a gateway there is the potential for the data to be spoofed or for the gateway itself to be compromised.
Before any of that, the monitoring itself needs to be both safe and secure. Given the choice between doing something securely and maximizing value for the business, companies will always go for value and ease of use. So when companies monitor serial communication, they must start by being safe and secure: not introducing operational disruptions and not creating new cyber threat vectors.
“By [monitoring serial], it provides the operator with the actual raw communication data coming off the wire, and that is essentially the ground truth,” Robinson said. “It’s not being interpreted. It’s not being transformed. It is the actual data that’s going to and from a controller to a field device. So regardless of what’s happening within the rest of the environment, you’re actually seeing what’s happening in that environment.”
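As an added example of what “ground truth” from the wire can give an operator (this is illustration code written for this article, not Cynalytica’s product or any code from the interview), the block below takes raw frames passively captured from a serial segment and inspects them without altering or forwarding anything. It assumes the link speaks Modbus RTU, which the interview does not name; the CRC-16/MODBUS check, the function-code table and the sample frames are all constructed here. A frame whose CRC does not verify, a unit ID that is not in the asset baseline, or a write to a register outside the expected set each produce a finding that can be correlated with the rest of the environment.

```python
"""Passive inspection of Modbus RTU frames captured directly from a serial line.

Illustration code for this article; assumes Modbus RTU (not stated in the interview).
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Modbus function codes that change field-device state (write requests).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Assemble an RTU frame; the CRC is transmitted low byte first."""
    body = bytes([unit, function]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


@dataclass
class Frame:
    unit: int
    function: int
    payload: bytes
    crc_ok: bool


def parse_frame(raw: bytes) -> Frame:
    """Split a raw RTU frame into unit address, function code, data and CRC verdict."""
    if len(raw) < 4:
        raise ValueError("RTU frame needs at least unit, function and CRC")
    body, received_crc = raw[:-2], struct.unpack("<H", raw[-2:])[0]
    return Frame(body[0], body[1], bytes(body[2:]), received_crc == crc16_modbus(body))


@dataclass
class Policy:
    """Baseline for one serial segment: known unit IDs and registers that may be written."""
    known_units: Set[int] = field(default_factory=set)
    writable_registers: Set[int] = field(default_factory=set)


def inspect(raw: bytes, policy: Policy) -> List[str]:
    """Return findings for one captured frame; an empty list means nothing notable."""
    findings = []
    frame = parse_frame(raw)
    if not frame.crc_ok:
        findings.append(f"unit {frame.unit}: CRC mismatch (corrupted or injected frame)")
    if frame.unit not in policy.known_units:
        findings.append(f"unit {frame.unit}: not in asset baseline")
    if frame.function in WRITE_FUNCTIONS:
        # Every write request carries its starting address in the first two data bytes.
        address = struct.unpack(">H", frame.payload[:2])[0] if len(frame.payload) >= 2 else None
        if address not in policy.writable_registers:
            label = WRITE_FUNCTIONS[frame.function]
            findings.append(f"unit {frame.unit}: {label} to address {address} outside allowed set")
    return findings


def run_monitor(frames: List[bytes], policy: Policy) -> Dict[int, List[str]]:
    """Inspect a sequence of captured frames and index the findings by frame number."""
    return {i: inspect(f, policy) for i, f in enumerate(frames)}


def demo() -> Dict[int, List[str]]:
    """Constructed sample traffic (not a real capture) run against a small baseline."""
    policy = Policy(known_units={1, 2}, writable_registers={0x0001, 0x0002})
    captured = [
        build_frame(1, 0x03, b"\x00\x00\x00\x0A"),                # read 10 holding registers, unit 1
        build_frame(1, 0x06, b"\x00\x01\x00\x03"),                # write register 1 on unit 1 (allowed)
        build_frame(9, 0x06, b"\x00\x01\x00\x03"),                # same write from an unknown unit 9
        build_frame(2, 0x10, b"\x00\x10\x00\x01\x02\x00\x00"),    # multi-write to register 0x10 (not allowed)
    ]
    tampered = bytearray(build_frame(2, 0x06, b"\x00\x02\x00\x01"))
    tampered[5] ^= 0x01  # flip a data bit without recomputing the CRC
    captured.append(bytes(tampered))
    return run_monitor(captured, policy)


if __name__ == "__main__":
    for index, findings in demo().items():
        print(index, findings or "ok")
```

Because the inspection happens on the raw bytes, it does not depend on a serial-to-TCP gateway reporting honestly: a gateway that re-encodes the traffic could mask a CRC failure or rewrite a frame, whereas a tap on the serial side sees exactly what the controller and the field device exchanged.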
Watch for Part 2 of our interview with Cynalytica’s Richard Robinson in the coming weeks, where he will discuss protecting legacy OT assets, the value of artificial intelligence and machine learning, and the MITRE ATT&CK framework.