Protecting the converged OT-IT environment

by

10 April 2016
Sean Duca of Palo Alto Networks

The convergence of IT and operational technology (OT) has been a topic of conversation for many years. It is about integrating operational technologies such as supervisory control and data acquisition systems (SCADA), remote terminal units, sensors, meters and smart meters with IT systems to ultimately promote a single view of an organisation’s information and process management. This helps ensure that every user, application, sensor, switch or device has the right information, in the right format, at the right time.

But what does this mean for security? We now need to think about cybersecurity threats created by the convergence of the IT and OT worlds. Unlike systems in the IT world which are constantly being updated with service packs, new releases and bug fixes (or at least they should be), systems in the OT world are rarely updated. It is very common for OT systems to run the same software they were initially set up with, which, in many cases, could be 10 or more years old.

Furthermore, these devices have very little security capability because they were installed at a time when even with an “air gap” or physical separation of systems was considered to be “secure”.

As the IT and OT worlds converge, these measures are no longer enough. In the IT world, the sheer number of applications, devices and services creates a larger attack surface and once a host is compromised, it is relatively easy for the attack to “cross over” to the OT world. 

So what are the fundamentals needed to secure this environment?

1)      Full visibility into the network to tailor a comprehensive security system

We need to be able to see what is traversing our systems and understand the risks. The capability already exists in most advanced network appliances which can provide deeper visibility with no disruption to daily operations in either the IT or OT worlds. Once we have this visibility, it is possible to segment the OT systems into security zones based on their risk profiles and security requirements. This allows for better control over who can access the systems and what applications they are able to use. With this “least privileged” access model, only explicitly authorised protocols, applications, and users are allowed.

2)      Enhanced network segmentation to protect critical data

Network segmentation is an effective method to reduce risk and minimise the scope of attack, but only if it is deployed correctly with prevention in mind. Merely turning a device on and requiring a login does not give you the control needed. Data has to be protected with tighter segmentation based on application whitelisting, a user access control model based on least privileged access, and systematically inspecting all payloads, including those of authorised applications. This will help reduce risk significantly, enabling security teams and advanced security tools to operate at their best.

  • Sean Duca is vice president and regional chief security officer of Palo Alto Networks Asia Pacific.