ABB on how IT & OT must cooperate for secure IIoT

The danger of the OT-IT digital deadlock, according to a security specialist from a Fortune 500 robotics, power and automation firm.
4 July 2019


Operational technology (OT) is everywhere, and it is age-old.

It refers to the technology that controls physical processes— the critical infrastructure powering refineries, power plants, electricity grids, telecom networks, rail systems, and water supplies. 

In these critical applications, OT comprises Industrial Control Systems (ICS), including automation equipment, software, and networks, as well as Building Management Systems such as access control and CCTV, right down to the smallest sensors and valves.

CSO and SVP of Architecture & Analytics at Zurich-based ABB— a Fortune 500 giant operating in robotics, power, heavy electrical equipment and automation technology— Satish Gannu is well-versed in OT and its advancement in recent years.  

“OT systems are not only business-critical, but they can also be nation-critical, or life-and-death critical,” Gannu told TechHQ. “Reduced to the essence, IT is about data, while OT is focused on physical processes.”

The divide between IT & OT

Before the rise of the IIoT (Industrial Internet of Things) made connected, smart factories viable, OT had remained largely isolated within organizations. As a result, it was largely insulated from the digital threats IT began facing at the turn of the century.

“I often sit in customer meetings with OT and IT professionals who work for the same company and have the strange feeling that I – the outsider – am the one connecting the two groups, because for decades their goals and priorities have been so different,” said Gannu. 

The two fields of technology, and their approaches to operational security and reliability, were developed separately from one another. IT focused on protecting data; OT focused on maintaining uptime, where a 1 percent reduction can amount to days of lost productivity per year.

Up until now, these two tech functions rarely talked to one another, explained Gannu, but IIoT has brought about the need for an “intricately intertwined and negotiated merger”.

In Industry 4.0, OT and IT must now cooperate and interlink. But connecting OT to IT networks exposes the former to threats it was never built to defend against. As this ‘life-and-death-critical’ technology goes online, security is an obvious focal point of the new relationship.

With blue-collar operators on one side and white-collar IT workers on the other, getting these two forces to pull in the same direction is less than straightforward. As a result, current IIoT implementations face a crisis of management, which poses nothing short of a major security risk.

A Forrester survey of IT and OT leaders from industry, for example, showed the two camps were evenly split on which function was accountable for security. 

A poll by NTT Security, meanwhile, found 42 percent of respondents believe OT security falls to the Engineering Director, while 38 percent said the responsibility lies with the CTO; one in five said it was the job of the CISO.

Caught up in this ‘standoff’, 59 percent of companies are willing to “tolerate medium-to-high risk in relation to IoT security.” The cogs of the connected machines are the last thing that will be switched off.

“I consider this a major security vulnerability,” said Gannu. “Generally speaking, security threats to OT pose a far greater risk than information-only technology environments.” An OT attack can lead to ecological damage, national security risks, or worse. 

An attack on a power grid in Ukraine left almost 300,000 people without heat and power in frigid winter temperatures and simultaneously froze the controls of the operators who could bring the grid back to life.

In 2017, meanwhile, a Triton/Trisis malware attack on a Saudi Arabian oil and gas plant caused it to shut down entirely. But ceasing operations is only the “second-worst thing” that can happen in OT, said Gannu.   

“The worst is for the malware to target the ICS and send the plant spinning wildly out of control, costing not only money but lives.”

But while IT and OT have not traditionally been bedmates, in organizations that can create cohesion the latter has the advantage of taking security lessons from the former’s two decades of experience.

Gannu said OT can learn from the “hard-won, long-fought lessons of IT to leapfrog to an advanced state of IIoT security”— architected and deployed to meet OT’s differentiated requirements.

“If one thinks of OT systems as another form of data center – the heavily protected core of enterprise IT – there are some promising ideas one can adapt from decades of IT experience to provide new levels of IIoT security while honoring the specific needs of OT.” 

The ABB executive points to three examples of how OT teams can strengthen the technology’s security posture, based on lessons learned in IT: the separation of endpoint networks, micro-segmentation, and user-behavior analytics.

# 1 | Separation of endpoint networks

IT has (largely) learned to separate easily compromised endpoint networks of PCs and mobile devices from the core data center. It has developed ‘border crossings’ between endpoint networks and the data center that subject connection requests to rigorous vetting.

Beyond usernames, passwords or access codes, checks can include information about the device’s previous location (such as countries predisposed to cyber threats), its activity, or what software is installed on it. The level of access granted to the data center depends on the result of the check.

There are fewer users and endpoint machines in OT, but this same method of careful separation can be used to strengthen OT security and therefore the entire IIoT enterprise. 

# 2 | Micro-segmentation

A data center comprises many machines, and when users access it via one machine they can typically reach all of them, which is generally not necessary. With micro-segmentation, CISOs study the interrelationships between machines to determine which ones must be able to ‘talk’ to one another. Only the necessary connections remain, reducing vulnerabilities and potential damage and creating further ‘bulkhead’-like defenses within a system.

Bringing this security method to OT is straightforward, since you don’t need to negotiate the moving parts of IT’s three-dimensional data flows: OT systems are engineered to optimize repeated, well-defined processes.
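The allowlisting step described above, as an added Python example (not code from ABB or the article): it derives a default-deny policy for a small OT cell from an inventory of the connections the process actually needs, then audits observed flows against it. Device names, ports and flows are constructed assumptions.

```python
"""Micro-segmentation allowlist for a small OT cell, derived from an inventory
of the connections the process actually needs. Constructed example: device
names, ports and flows are assumptions, not from any real plant."""
from collections import defaultdict

# Constructed inventory of required flows: (source, destination, port, purpose).
# Anything not listed here is denied by default, like a bulkhead between machines.
REQUIRED_FLOWS = [
    ("hmi-01", "plc-01", 502, "Modbus/TCP reads and setpoint writes"),
    ("hmi-01", "plc-02", 502, "Modbus/TCP reads and setpoint writes"),
    ("historian-01", "plc-01", 502, "read-only telemetry polling"),
    ("historian-01", "plc-02", 502, "read-only telemetry polling"),
    ("eng-ws-01", "plc-01", 44818, "EtherNet/IP engineering access"),
    ("it-lan", "historian-01", 443, "IT reporting pulls from the historian"),
]

def build_policy(flows):
    """Turn the inventory into a per-destination allowlist of (source, port)."""
    policy = defaultdict(set)
    for src, dst, port, _purpose in flows:
        policy[dst].add((src, port))
    return policy

def is_allowed(policy, src, dst, port):
    """Default deny: a flow passes only if it is explicitly in the allowlist."""
    return (src, port) in policy.get(dst, set())

def peers_of(policy, device):
    """Devices allowed to open connections to `device`. Worth reviewing
    periodically: a PLC whose peer list grows is a sign the segment has drifted."""
    return sorted({src for src, _port in policy.get(device, set())})

def audit(policy, observed):
    """Return the observed (src, dst, port) flows that the policy does not allow."""
    return [flow for flow in observed if not is_allowed(policy, *flow)]

POLICY = build_policy(REQUIRED_FLOWS)

if __name__ == "__main__":
    # Constructed observations: the last two are the kind of lateral movement
    # the segmentation is meant to stop and that should be investigated.
    observed = [
        ("hmi-01", "plc-01", 502),
        ("historian-01", "plc-02", 502),
        ("it-lan", "plc-01", 502),      # IT host talking straight to a PLC
        ("hmi-01", "plc-01", 44818),    # HMI using the engineering port
    ]
    for flow in audit(POLICY, observed):
        print("unauthorised flow:", flow)
```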

# 3 | User behavior analytics (UBA)

Again, OT’s simplicity and well-defined process orientation mean recognizing abnormal or unexpected user behavior is simpler than in IT. Security teams can deploy UBA at specific points, such as the ‘border crossing’ between IT and OT.

Another potential point for effective UBA is the human-machine interface (HMI), where humans sit down to access OT systems. UBA here could monitor and profile their actions and keep them on record. Building profiles of machines, systems, and users helps determine what is normal and what is abnormal.

Once normal behavior has been defined, anything abnormal can be immediately identified as an anomaly and investigated as a potential attack.
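The profile-then-flag loop described above for an HMI, as an added Python example (not code from ABB or the article): it builds a per-operator profile of which setpoint tags they write and at which hours from a baseline audit trail, then flags writes in a new shift that fall outside that profile. The audit-log format, operator names and tag names are constructed assumptions.

```python
"""UBA for an HMI audit trail: profile each operator's normal setpoint writes,
then flag deviations. Constructed example: log format and names are assumptions."""
from collections import defaultdict
from datetime import datetime
# Constructed audit records (one setpoint write each): ISO time, operator, tag.
BASELINE_LOG = """\
2019-06-03T08:12:04 op_anna TIC-101.SP
2019-06-03T14:05:17 op_anna FIC-204.SP
2019-06-03T22:10:09 op_ben LIC-330.SP
2019-06-04T23:02:33 op_ben LIC-330.SP
"""

def parse(log):
    for line in log.splitlines():
        ts, user, tag = line.split()
        yield datetime.fromisoformat(ts), user, tag  # one (time, operator, tag) per record

def build_profiles(log):
    """Per operator: the tags they normally write and the hours they are active."""
    profiles = defaultdict(lambda: {"tags": set(), "hours": set()})
    for ts, user, tag in parse(log):
        profiles[user]["tags"].add(tag)
        profiles[user]["hours"].add(ts.hour)
    return profiles

def score_event(profiles, ts, user, tag):
    """Reasons this write deviates from the operator's profile ([] = normal)."""
    prof = profiles.get(user)
    if prof is None:
        return ["unknown operator"]
    reasons = []
    if tag not in prof["tags"]:
        reasons.append(f"{user} never wrote {tag} before")
    if ts.hour not in prof["hours"]:
        reasons.append(f"{user} not normally active at {ts.hour:02d}:00")
    return reasons

def find_anomalies(profiles, log):
    """Return (timestamp, operator, tag, reasons) for every deviating write."""
    return [(ts, user, tag, r) for ts, user, tag in parse(log)
            if (r := score_event(profiles, ts, user, tag))]

PROFILES = build_profiles(BASELINE_LOG)
# Constructed new shift: a day operator writing an unfamiliar tag at night.
NEW_LOG = """\
2019-06-05T08:20:11 op_anna TIC-101.SP
2019-06-05T02:14:38 op_anna LIC-330.SP
2019-06-05T22:45:00 op_ben LIC-330.SP
"""
```

Calling `find_anomalies(PROFILES, NEW_LOG)` returns only the 02:14 write, with both reasons attached, which is the event an analyst would investigate first.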