The Radiflow Security Blog
OT Cyber Security: What Are the Common Challenges?
Traditional industrial control systems (ICSs) are self-contained; communications take place over physical wires between and among system components, and the system’s operation is independent of any other systems or networks in the plant.
However, while this works well for single-plant ICS implementations, modern factories often require coordination between multiple plants that are physically separate, whether across the street or on the other side of the planet.
Even within a single facility it is often necessary for different ICSs to communicate with one another. This can be tricky for suppliers that use different (and sometimes proprietary) ICS communication protocols.
An obvious solution is for ICSs to use the standard Transmission Control Protocol and Internet Protocol (TCP/IP) data network communication protocols. This has a number of advantages, as it enables systems to:
- Scale up with added components without deploying additional physical infrastructure
- Interact with each other and with other data systems/devices, whether on the factory floor or in the cloud, with no physical location limitations
- Operate on wireless networks, eliminating the need for cabling
- Rely on a single communications infrastructure that already exists in most factories
These compelling advantages resulted in the melding of operational technology (OT) systems and networks, such as ICSs, with information technology (IT) systems and networks.
And that’s where the trouble began.
The Problem with OT Security
The main problem with OT is related to network and data security. Because traditional ICSs were isolated from data networks, there was no need to consider device or system security. When these devices and systems started communicating over TCP/IP networks, they became easy targets for hackers who could exploit their security vulnerabilities and gain access to corporate networks, causing all manner of harm. Thus the inter- and intra-connectivity of industrial networks led to a deluge of OT cyberattacks.
Here are three OT security challenges that many companies must deal with:
Lack of IT Involvement
Because OT systems were not integrated with other data networks for so long, OT operations and maintenance have traditionally been the responsibility of operations teams, with little or no involvement from IT.
Most operations personnel have no expertise in data or network security. And these systems weren’t designed with a security-centric mindset in the first place.
As a result, OT security was not a great concern as more and more OT systems were connected to corporate data networks. IT departments could have (and should have) lent their expertise in data security, but they often weren’t consulted, and still often aren’t.
Reliance on Legacy Communications Protocols
Many legacy OT systems still rely on legacy communication protocols even when operating on data networks. These protocols, some of which date back to the 1970s, were not developed with security in mind. Upgrading the protocols could cause issues with legacy hardware, so in many cases, OT systems are “stuck” with non-secure communication protocols.
Poor Device Security
In addition to vulnerable communications protocols, many legacy OT devices themselves were designed without any regard to data security, effectively turning them into “sitting ducks” on companies’ data networks.
Overcoming the Challenges
Overcoming these challenges and mitigating cyber threats in OT systems, while tricky, is well within the range of feasibility.
Some approaches include:
- Incorporate security-related activities into planned maintenance – OT systems and devices often run 24/7 for extended periods with no downtime for security maintenance activities. Keeping systems and devices patched against OT vulnerabilities should be incorporated into routine maintenance.
- Involve the IT team – One of IT’s primary responsibilities is the security of the network, data assets, and computing resources. IT teams often have advanced knowledge and tools to assess systems for security vulnerabilities. They should be part of any project to migrate or deploy an OT system on a data network.
- Engage outside assistance – Some companies have lean or nonexistent IT teams, so they have unreliable or no in-house expertise. Even among companies with IT teams, there may be a lack of knowledge in OT systems or OT security standards. In these cases, OT organizations could greatly benefit from engaging with a dedicated OT security services provider, such as Radiflow.
Radiflow’s professionals are experts in keeping OT systems secure from cyberattacks. If you are concerned about the security of your OT systems – and you should be – but don’t know what to do about it, contact us today. We can help.