February 24, 2021
Paul Brager Jr, Director, Global OT Security Programs, Baker Hughes
IT/OT convergence, as a business enablement strategy, has been in focus for some time, as organizations seek to leverage data from within their industrial spaces. These use cases can be automation optimization, lean initiatives, data analytics and visualization, or any combination from which value can be extracted and exploited. Enabling those use cases is not without risk, however: many of these industrial spaces were not designed to provide a reasonable security posture, or in many cases are incapable of doing so, and once connected they become subject to the risks of the entire organization and beyond. What, however, is “convergence”, and what does it mean for manufacturing ecosystems?
Prior to answering the latter question, a proper understanding of convergence is appropriate. Convergence within the context of IT (information technology) and OT (operational technology) involves the reasonable integration between traditional “IT” networks and automation or “OT” network environments, usually with some specific purpose in mind. In recent times, this convergence has largely centered around gathering near real-time data from industrial assets and transporting it into other areas within the enterprise. Convergence has since shifted to include transporting data into analytics clouds for processing and visualization, and in some instances, as part of feedback loops. Consequently, as the needs for machine data and analytics have increased, so have the cyber security risks to the industrial environments, to the networks that are converged, and more importantly, to the data.
When establishing a cyber security strategy, one must consider “what are the assets and data being protected”, and perhaps even more prudently, “can they BE protected”. Industrial environments traditionally have not been connected to enterprise networks, and therefore were designed with the expectation of isolation in mind. Combined with often proprietary and/or legacy applications and operating systems, these industrial networks were largely indefensible relative to their enterprise counterparts. Further exacerbating the risk, traditional enterprise security controls were either unsupported or infeasible within these industrial networks, and patches for critical vulnerabilities were severely lacking. Within more modern networks, more assets are network-enabled (connected via LAN, Wi-Fi, etc.) with limited or no self-defensive capabilities, which expands the attack surface of these environments significantly. Attaching these networks to the enterprise LAN exposes connected assets to the rest of the enterprise, and makes them susceptible to the same risks (malware, phishing, ransomware, etc.) as traditional compute devices, without the luxury of security controls such as AV/AM. The results can be catastrophic: downtime and lost productivity, damaged or wasted product, contractual failures and penalties, and the list continues. Recovering many of these assets can be time-consuming and costly, assuming they can be recovered at all, as the vendor may need to restore the asset to factory specifications and certify its operation for support purposes.
What does this mean for manufacturing ecosystems that need to be converged? There are cyber security strategies which can be deployed to manage the attack surface of automation environments while enabling the business to extract value from machine assets. First, there must be some logical boundary between the automation and enterprise networks; this segregation can be facilitated by a firewall (or pair of firewalls) specifically configured to manage data flow between the networks. Additionally, an accurate inventory of automation assets, along with their operating systems, manufacturers, points of contact, etc., establishes “what” needs to be protected and facilitates a least-privilege, limited-attack-surface approach to the convergence strategy. Detection and response capabilities must be aligned to evaluate the entire ecosystem, enterprise and automation, since the environments have logically been converged. Staff must be trained to interact with both automation and enterprise support issues, as they may become more intertwined. Machine data acquisition must be well defined, as well as protected while in transit. These things must occur without any impact to production or the ability to conduct business, which can create challenges in and of themselves.
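As an added illustration of the boundary and inventory points above (example code, not from the article or from Baker Hughes): the asset inventory assigns each address to a zone, and only explicitly defined data-acquisition paths may cross from the automation zone toward the enterprise. The inventory, the allowlist and the flow log lines are constructed for the example; addresses not in the inventory are treated as untrusted.

```python
import ipaddress

# Constructed asset inventory: network -> zone and a support note.
INVENTORY = {
    "10.10.1.0/24": {"zone": "automation", "note": "PLC/HMI cell, legacy OS, no AV"},
    "10.10.2.10/32": {"zone": "dmz", "note": "historian relay"},
    "10.20.0.0/16": {"zone": "enterprise", "note": "corporate LAN"},
}

# Approved cross-zone data-acquisition paths: (src zone, dst zone, dst port, proto).
# Any other flow that crosses a zone boundary is denied by default.
ALLOWED_FLOWS = {
    ("automation", "dmz", 4840, "tcp"),  # OPC UA from the cell to the historian relay
    ("dmz", "enterprise", 443, "tcp"),   # relay forwards to analytics over TLS
}

def zone_of(ip):
    """Map an address to its inventoried zone; uninventoried hosts are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, meta in INVENTORY.items():
        if addr in ipaddress.ip_network(net):
            return meta["zone"]
    return "unknown"

def parse_flow(line):
    """Constructed log format: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}

def evaluate(flow):
    """Return ('allow'|'deny', reason) for one flow under the zone allowlist."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    path = f"{src}->{dst} {flow['proto']}/{flow['dport']}"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}"
    if (src, dst, flow["dport"], flow["proto"]) in ALLOWED_FLOWS:
        return "allow", f"{path} is an approved data-acquisition path"
    return "deny", f"{path} crosses the boundary without an approved path"

SAMPLE_LOG = """10.10.1.15 10.10.2.10 tcp 4840
10.20.5.7 10.10.1.15 tcp 445
10.10.2.10 10.20.9.9 tcp 443
192.168.77.3 10.10.1.20 tcp 502"""

def audit(log=SAMPLE_LOG):
    """Evaluate every line of a flow log; returns (line, verdict, reason) tuples."""
    return [(line, *evaluate(parse_flow(line))) for line in log.splitlines()]

if __name__ == "__main__":
    for line, verdict, reason in audit():
        print(f"{verdict:5} {line:38} {reason}")
```

The denied entries (an enterprise host reaching into the cell over SMB, and an uninventoried host reaching a PLC on Modbus/TCP) are exactly the flows a boundary firewall and the detection team should be alerting on.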
IT/OT convergence will continue to accelerate within manufacturing ecosystems, as the need for more data closer to production continues to increase. As machines produce more usable “intelligence” that can be leveraged for feedback in the manufacturing or optimization process, the demands on infrastructure and security will grow accordingly. Having a holistic convergence strategy that encompasses cyber security, changes in supportability and visibility, and accounts for the tactical direction of the business to extract value will inevitably enable the manufacturing ecosystem and serve to drive the business forward.
Paul Brager Jr. has been regarded as a thought leader and expert in the cyber security community for twenty-seven (27) years. Mr. Brager has deep expertise evaluating, securing, and defending critical infrastructure and manufacturing assets (ICS, IoT, and IIoT). As a speaker, author, and researcher, Paul seeks to move the conversation forward surrounding industrial control systems (ICS), the Industrial Internet of Things, supply chain and automation cyber security, and ways to mitigate the attack surface in heterogeneous environments. He has provided commentary on several security-related podcasts, publications, and webinars that offered guidance and insight into strategies for critical infrastructure protection, IT/OT convergence, and IIoT (industrial internet of things).
Hear more from Paul Brager Jr. at the Manufacturing X.0 event, May 24 – 27, 2021.