Page 18 - Gi June/July 2019

critical infrastructure – protecting essential systems from cyber threats


recently told me: “Business has made the decision to implement new OT and we’ve got to catch up and secure it. The business arguments are too compelling. It’s about enabling business leaders to do what they want to do.”

However, it’s not easy to balance the need to remediate security threats against the impact to the organisation, as we’ll see:

OT environments tend to be structured around legacy technologies that were not designed with security in mind

Often they were secured via isolating initiatives, such as air-gapping. As modern plants increasingly connect machines, devices, sensors, thermostats, etc., to the internet, the security blanket of a fully air-gapped OT environment is eradicated.

Most organisations that rely on OT have a zero-tolerance policy to downtime given the business criticality of the systems

For example, an energy provider may operate 15 or 20 different sites. It’s not a simple, or even quick, process to shut down a treatment system to fix a vulnerability in a programmable logic controller (PLC), even if we were to ignore the impact it would have further in the process. That said, could the business afford to risk a threat actor exploiting the vulnerability that could damage the plant or even threaten life?

Security solutions designed for IT networks don’t always transfer into OT environments

For example, a poorly timed security scan, which would probably go unnoticed in an IT network, could have a devastating impact in a sensitive OT environment. It could potentially knock out the gauge on a pipeline, cause a drill to malfunction, or even take the whole plant offline. To solve this issue, organisations can employ passive monitoring that allows them to watch and listen, profiling the network and devices connected to it. This allows them to understand what they have and where it’s potentially exposed, so they can identify vulnerabilities without impacting system functionality.

While vulnerabilities are discovered in OT technology, there have been occasions where a patch to fix the flaw is not forthcoming

If you cannot patch, then what else can you do to secure your environment?

Staff responsible for OT security cannot afford to be blinkered and focus only on OT vulnerabilities. IT and OT convergence means that both ICS and IT vulnerabilities can be exploited to attack critical infrastructure, as we have seen. Clear and complete visibility of both IT and OT systems viewed together through a single pane of glass is the only way to gain a holistic view on risks.

To illustrate the scale of the problem, in the first four months of 2019, the Industrial Control System-Computer Emergency Response Team (ICS-CERT) issued 74 alerts describing vulnerabilities in industrial control systems. These vulnerabilities apply to products from leading control system manufacturers including ABB, AVEVA, Mitsubishi, Omron, Rockwell, Schneider Electric, Siemens and Yokogawa. That quantity is small compared to the 2,817 IT vulnerabilities discovered during the same period. This velocity may or may not continue throughout the year, but even if it decreases by half, the number is challenging to manage without an automated process.

Insecurity is not an option

As with anything, acceptance is the starting point. Awareness among IT and OT professionals of the increased threat landscape is essential if organisations are going to reduce their cyber risk. While it’s a challenging task, there are steps organisations can take. The first is clear and complete visibility of the attack surface to identify, assess and mitigate cyber risk. This includes both IT and OT systems.

Once that’s accomplished, the next step is determining what is important to the organisation’s ability to function and whether it is vulnerable to attack. None of this can happen without integrating IT and OT security efforts. The reality is that organisations with separate, siloed OT security programs, using different tools, different KPIs and different policies to their IT security programs will not make it in today’s threat landscape.

Traditional ways of securing systems through Excel spreadsheets or tribal knowledge are quite simply insufficient for securing organisations against the modern cyber threat landscape.

It is not only those on the ground who need awareness of the risks facing OT environments; the C-suite and board of directors also need to understand the cyber threats their organisation faces.

Effectively securing connected OT and IT environments is a work in progress, with progress being the operative word. It’s not something that will be fixed overnight.

As digital transformation continues to result in the convergence of OT/IT environments, industries that rely on OT are acknowledging the challenges and working towards solving the cybersecurity issues the industry is facing.

Tenable Inc. is the cyber exposure company. Over 27,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. For more information, visit www.tenable.com


