
6 Best Practices to Advance OT Security Amid IT-OT Convergence

Patrick Deruytter

IT-OT convergence brings numerous benefits to industrial environments, but also exposes OT systems to security risks. Read this blog to learn how to protect your infrastructure.

 


 

As industrial organizations seek operational performance improvement in their never-ending quest to boost efficiency and revenue, the need for integration between digital technologies (IT) and traditional industrial systems (OT) increases.

 

This push toward more integration has raised a critical—and valid—concern about data security in the operational technology (OT) world, which contains the hardware and software that control and monitor physical devices, processes and infrastructure in industries like manufacturing, energy, transportation and utilities.

 

This integration, often referred to as IT-OT convergence, brings numerous benefits, but it also exposes OT systems to new types of security risks.

 

As the industry moves toward more IT-OT convergence, let’s take a close look at the challenges surrounding OT security.

 

Moving beyond outdated OT security approaches

Although extended automation in the OT world has existed for the past 30 to 40 years, security thinking in OT isn’t on the same plane as security thinking in IT.

 

OT systems must be interoperable with both new and old machines, units and infrastructure (for example, 10-year-old process trains could be extended with the latest equipment). When these legacy OT systems and automations were initially designed, cybersecurity simply wasn’t a primary concern. Awareness of appropriate security measures developed over time, which means that some industrial sites still lack the protection required in today’s world.

 

In the past, industrial automation systems were protected through segregation: total isolation of IT and OT networks. These so-called “air-gapped systems” were created to reduce security risk.

 

Today, powerful data analysis, decision support systems and digital twins are available in the cloud. If you want to reach the next level of operational excellence, then you can no longer isolate the OT network. To implement and benefit from extensive data analysis, you have to work in the cloud; segregating IT and OT systems has become almost impossible.

 

How and why OT security is different

Over the past few years, we’ve all seen how the smallest disruption in the supply chain can have a direct impact on the overall economy and society.

 

The same holds true for OT systems. An attack on an OT system can have far-reaching, real-world consequences. If one installation goes down, the effects ripple outward, from operational shutdowns to significant economic losses. For example, if an oil-production system goes down for any reason, it can impact an entire oil field.

 

Endpoint vulnerabilities

OT systems have different endpoint vulnerabilities than IT systems.

 

OT devices are, by design, different from IT devices. They must provide time guarantees, priority management, etc., which may require proprietary software that uses specific communication protocols. These software platforms and protocols are not designed for data security, so they may not include security features. This makes it easy for attackers to exploit OT systems and gain unauthorized access.

 

These endpoints create multiple points of access within industrial facilities. Those facilities also see high turnover among employees and external contractors, who may act as threats (intentional or not) that compromise the system.

 

Patch management

Software patches and updates are also handled differently in OT. For example, a refinery can’t immediately be patched whenever a new patch is issued. Certain patches may require a system reboot, which takes the system offline. Some production systems have typical runs of five to 10 years.

 

When you patch the OT system, you must patch all interfaces at the same time and ensure total interoperability of all connected systems. This makes patch management very complex.

 

System connections

To improve OT infrastructure, more and more systems are being connected to the network. Some of the OT infrastructures I’ve worked with in the past have had more than 150 interfaces, which equals 150 additional points of weakness.

 

Regulations

Many industries are subject to specific regulations and standards regarding data security. Compliance is essential to maintain operational continuity and avoid potential legal consequences.

 

Our recommendations for comprehensive OT security

The data-security landscape is continually evolving, and new risks and solutions emerge constantly.

 

To effectively protect your critical infrastructure, it’s essential to stay up-to-date on the latest best practices in OT data security. These best practices include:

  • Risk assessments. Conduct regular risk assessments to identify vulnerabilities and threats in the OT environment.

  • Segmentation. Implement network segregation and segment critical assets from non-critical systems to limit the attack surface.

  • Access control. Enforce strict access controls and privileges to limit access to sensitive data and systems.

  • Security updates and patch management. Regularly update and patch software and devices to address known vulnerabilities.

  • Monitoring and incident response. Deploy real-time monitoring tools and an incident response plan to detect and mitigate potential cyber incidents promptly.

  • Employee training. Provide comprehensive cybersecurity training for employees and personnel to raise awareness of potential threats and best security practices.

 

Your OT security experts

Belden and its brands, including macmon, can help you navigate IT-OT convergence so you can experience the benefits it offers, while reducing the risks it can bring to OT security and systems.

 

Our team understands the importance and value of data security in OT environments. In fact, I recently led a presentation on the topic at the 2023 it-sa Expo & Congress in Nuremberg, Germany. This article is based on that presentation.

 

 
