IT/OT convergence security must adapt for IoT connectivity

Organizations must build a strong security posture that includes both IT and OT to ensure their safety, which will require a paradigm shift from individual assets to systems.

When organizations assess their security strategies, they sometimes overlook IT/OT convergence security, particularly the operational side. With the adoption of IoT devices that connect operational technology to the IT component of IT/OT convergence, this aspect of security must not be forgotten.

IT/OT convergence is the integration of IT, both the hardware and digital processes used for data, with OT. For example, IT handles the data related to sales, inventory and payroll in a factory, while OT handles all the systems on the assembly line.

Traditionally, IT and OT were kept separate, yet today organizations align and connect these systems to extract more value from them. In recent years, computing and IoT technology have progressed enough to let OT systems share data easily with IT systems, particularly through industrial IoT, the combination of IoT and industrial processes.

Integrating SCADA, industrial control systems (ICS) and building automation systems with IT can prove a challenge for IT admins because OT was not originally designed to integrate with IT deployments. Organizations integrate IT and OT to get insights from the data, but the integration leaves security gaps that make them targets for hackers and other bad actors. An attacker could potentially enter through any sensor, instrument or device on the network and cause havoc on energy grids, power plants, water management systems, transportation networks or companies in the private sector.

Why IT/OT convergence security matters

Two main developments drive the push for better overall security today: edge computing and ransomware attacks on enterprise networks.

Edge computing risks

IoT devices and edge computing push the boundaries of technology, making it hard for IT administrators to secure devices or integrate them properly into a secure network. IT typically prioritizes security for software, services and data, while OT focuses on physical asset and location security. Until now, organizations may have relied only on IT security options to protect them, but because hackers have now turned their sights onto enterprise OT systems, admins can't ignore OT anymore.

Bad actors have attacked OT with more frequency because the number of machines and devices organizations use has grown, the equipment is less likely to be secured and it is often connected to the internet. IoT devices give attackers both an easy entry point to the network and a connection from data centers or enterprise desktops to OT devices. Most modern equipment comes with a combination of digital controllers, networking systems and embedded software, making it an easy target. Hackers don't use OT systems to control assets directly; they use them to take control of other processes and functions.

Several attacks have used vulnerabilities created by IT/OT convergence to wreak havoc. The Triton malware that shut down Saudi Arabia's Red Sea refinery targeted the Triconex safety systems to disable them throughout the refinery and put it at risk of explosion. The Stuxnet worm that infected at least 14 Iranian industrial sites is another example of how attackers used IT/OT convergence to take control of the ICS that operated equipment on the sites and to compromise the embedded programmable logic controllers. Entering the network through an infected email attachment, it traveled to Siemens' Simatic Step 7 software, which was used to program the ICS throughout the sites.

Enterprise ransomware risks

Enterprises have deeper pockets and a tendency to pay out, making them a profitable target for hackers. And they are profiting: one security expert found a tenfold increase in ransoms paid out over the last year, to a new average of $302,539.

Industries that rely heavily on OT for workflow, data generation and facility security may find themselves at higher risk for security breaches. The healthcare, industrial and manufacturing sectors have all seen increased growth in OT deployments. For example, the healthcare API market alone is forecast to grow to nearly $400 billion by 2026, making healthcare a profitable and deadly target for hackers. All it takes is one entry point to compromise the entire network.

Aside from keeping intellectual property secure, IT/OT security could very well be a matter of life and death.

Major threats to IT/OT convergence

Organizations must address four issues to secure their IT and OT systems.

1. No IT and OT team collaboration

When OT or IT teams have traditionally deployed projects, it has been without consultation or collaboration between the two teams. Teams usually deploy OT in ways that ultimately meet business objectives but may miss cybersecurity best practices that could protect the network if the teams had collaborated from the start. On the other hand, IT teams have rarely included OT systems in their overall security posture because they haven't had to. Instead, they've worked in isolation, leading to complexity, duplication of effort and increased operating costs.

Figure: IT vs. OT security priorities. IT and OT teams prioritize requirements differently.

2. Legacy OT systems

Many organizations still use their original OT because they're still functional or can't be upgraded because they are proprietary. Unfortunately, these legacy OT systems were designed with minimal security features and may even have vendor backdoors built into them to allow easy access for maintenance. That's why over 40% of IT business leaders have said legacy systems prevent their IT/OT convergence.

3. Insufficient knowledge of current assets

To secure them, organizations must know what OT assets are in place, where they are and what they do, yet many organizations don't have a complete map and understanding of their topology, for various reasons. They may have expanded so quickly that an inventory was impossible, or their infrastructure management solution doesn't handle OT devices well, if at all. Admins can't protect what they don't know is there.

4. Inability to stop production

Another security challenge is the 24/7 nature of many processes and production systems. They cannot be stopped or paused for an upgrade or update, so they're left alone. Production downtime is a per-minute loss of revenue, and organizations often don't want to or can't risk it, even to replace or remediate an infected system. Even if IT teams know they have an infected asset, they may not have a quarantine and remediation procedure because they can't afford the downtime. It becomes a vicious cycle: the organization can afford neither to replace the infected asset nor the downtime to fix it.

IT/OT security going forward

Administrators should consider IT/OT convergence challenges as just the beginning of a security strategy. No one-size-fits-all strategy works because every company has a unique set of requirements that have evolved, are dictated by their environment or are mandated by industry guidelines.

Organizations must bolster IT/OT convergence security in these areas going forward:

  • effective network monitoring that includes both IT and OT assets;
  • standalone OT threat hunting and anomaly detection tools that are integrated into or combined with network monitoring apps to provide adequate coverage;
  • attack surface reduction that reduces the exposure of IT and OT systems through role-based access controls for humans, hardware and software across the network;
  • asset lifecycle management that encompasses any scenario, such as adding new assets, acquiring new companies or agile production changes; and
  • monitoring new attack vectors such as DNS over HTTPS (DoH) as many IT/OT vendors may become vulnerable to them without notice -- DoH attacks have increased in the last three years, and because DoH is supported in various forms by Google, Microsoft and Apple, tech teams should consider their resilience to new attacks.
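The monitoring, role-based access and DoH items in the list above, together with the asset-inventory gap described under "Insufficient knowledge of current assets", can all be exercised by a small rule set run over network flow records. The Python below is an added example written for this article, not the article's own code and not any vendor's product; the IT and OT address ranges, the asset inventory, the access policy, the DoH resolver hostnames and the flow records are all constructed assumptions. The industrial protocol ports (102 for S7comm over ISO-TSAP, 502 for Modbus/TCP, 44818 for EtherNet/IP) are the well-known ones.

```python
"""Detection rules run over constructed IT/OT flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing plan: IT office network and OT control network.
IT_ZONE = ip_network("10.10.0.0/16")
OT_ZONE = ip_network("10.20.0.0/16")

# Assumed asset inventory (address -> hostname, zone, role). A complete
# inventory is what lets the detector tell a new device from an expected one.
INVENTORY = {
    "10.10.1.5": ("eng-ws-01", "IT", "engineering workstation"),
    "10.10.1.9": ("hr-ws-02", "IT", "office workstation"),
    "10.20.0.10": ("plc-line1", "OT", "line 1 PLC"),
    "10.20.0.11": ("hmi-line1", "OT", "line 1 HMI"),
}

# Well-known industrial protocol ports; traffic to these from the IT zone is
# what a role-based access policy should gate.
OT_PROTOCOL_PORTS = {102: "S7comm (ISO-TSAP)", 502: "Modbus/TCP", 44818: "EtherNet/IP"}

# Assumed role-based policy: only the engineering workstation may speak
# control protocols to the line 1 PLC.
ALLOWED_OT_ACCESS = {("10.10.1.5", "10.20.0.10")}

# Assumed DoH resolver hostnames (constructed placeholders, not real resolvers).
DOH_RESOLVERS = {"doh.resolver.example", "dns.resolver.example"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    sni: str = ""  # TLS server name, when the sensor recorded one


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record (constructed format, not a vendor's)."""
    kv = dict(token.split("=", 1) for token in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["proto"], kv.get("sni", ""))


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    if ip in IT_ZONE:
        return "IT"
    if ip in OT_ZONE:
        return "OT"
    return "EXTERNAL"


def analyze(flows):
    """Apply the three rules and return findings in flow order."""
    findings = []
    seen_unknown = set()
    for f in flows:
        # Rule 1: an OT-zone address that is not in the inventory (asset gap).
        for addr in (f.src, f.dst):
            if zone_of(addr) == "OT" and addr not in INVENTORY and addr not in seen_unknown:
                seen_unknown.add(addr)
                findings.append(Finding("medium", "unknown_ot_asset",
                                        f"{addr} is active in the OT zone but not inventoried"))
        # Rule 2: an IT host speaking a control protocol to OT outside the policy.
        if (zone_of(f.src) == "IT" and zone_of(f.dst) == "OT"
                and f.dport in OT_PROTOCOL_PORTS
                and (f.src, f.dst) not in ALLOWED_OT_ACCESS):
            who = INVENTORY.get(f.src, ("?",))[0]
            findings.append(Finding("high", "unauthorized_ot_protocol_access",
                                    f"{who} ({f.src}) -> {f.dst}:{f.dport} {OT_PROTOCOL_PORTS[f.dport]}"))
        # Rule 3: HTTPS to a known DoH resolver, which hides DNS from port-53 monitoring.
        if f.dport == 443 and f.sni in DOH_RESOLVERS:
            findings.append(Finding("medium", "doh_resolver",
                                    f"{f.src} resolving names via DoH at {f.sni} ({f.dst})"))
    return findings


# Constructed sample records (not captured traffic).
SAMPLE_RECORDS = [
    "src=10.10.1.5 dst=10.20.0.10 dport=102 proto=tcp",
    "src=10.10.1.9 dst=10.20.0.10 dport=502 proto=tcp",
    "src=10.20.0.77 dst=10.20.0.11 dport=80 proto=tcp",
    "src=10.10.1.9 dst=203.0.113.10 dport=443 proto=tcp sni=doh.resolver.example",
    "src=10.10.1.5 dst=203.0.113.20 dport=443 proto=tcp sni=updates.example",
]


def run_sample():
    return analyze(parse_flow(line) for line in SAMPLE_RECORDS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding.severity}] {finding.rule}: {finding.detail}")
```

On the constructed records the first flow (engineering workstation to PLC on 102) is policy-conformant and silent, while the office workstation's Modbus connection, the uninventoried 10.20.0.77 device and the DoH session each raise one finding. The point of keeping the inventory and the access policy as explicit data is that both are owned jointly by the IT and OT teams: an OT engineer can review what is allowed to reach a PLC without reading detection code, and a new device shows up as a finding rather than silently joining the network.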
