29 April 2021
OT Security - what is the challenge?
If you want to know more about the challenges and issues within OT, security expert Mikael Vingaard is the person to talk to. Mikael has worked in IT security for the last 20 years, and exclusively in OT security since 2014. He now runs one of the world’s leading ICS/SCADA honeypot networks, through which he gains insight into threat trends and, among other things, the activities and patterns of specific hacker groups. He is one of only three Danish members of the global and exclusive Beer-ISAC network, where he holds one of a total of only 200 coins awarded by the network to those who have proven their skills. Furthermore, Mikael has a special hobby of buying old equipment on eBay, in which he looks for vulnerabilities that the vendors are either unaware of or have not patched. Mikael does all this not just because he can, but because he is driven by curiosity, and because he would like to make a positive difference and provide insight to those who seek it.
We had a chat with Mikael about why OT security is a hot topic and why industrial networks constitute one of the most critical areas of the cyber security industry, in terms of both the shortage of competencies and the level of vulnerability. We also talked about the solution, and about what IT/OT security officers can do to meet these challenges.
Interconnectivity and increased exposure
In the last 5-10 years, cyberattacks like the ones on Hydro and on Ukraine’s power grid have shown that OT has become more interesting to cybercriminals. The reason is that it is an area where you can do a lot of damage, to individual companies as well as to the critical infrastructure services of an entire country. “It is an effective and handy way of creating instability, but there are also other elements that factor into why OT has become so important”, says Mikael.
These elements are related to the fact that we are becoming increasingly connected, including in OT environments, which until now have lived in their own closed and inaccessible networks. Digitalisation is no longer just an option; it is a precondition for products and consumers as well as for industries in today’s society, and this affects industrial production environments in particular:
“Our heat pumps and electricity meters have to be able to communicate with industry suppliers, and this requires that we open up the fortress wall that has been closed so far”
When these industries are modernised in pursuit of operational efficiency and a better competitive position, old systems are exposed from entirely new angles, which creates new attack vectors. This is a significant reason why OT security has attracted so much attention.
What makes OT security so complex?
One very obvious reason is the importance of keeping equipment and systems running, as they perform critical functions. Unlike traditional IT systems, they cannot “just” be updated with new software; patching a controller means a planned outage, and on a production line that outage has a cost. In addition, OT environments rarely have the time or money to discuss risk appetite in the same way as IT security does. This brings Mikael to his point regarding a more pivotal (and organisational) issue: the different views of security held by OT and IT people. They do not necessarily share the same reality, and bridging that gap may require skills of its own:
”When I am working on jobs where I need to get IT and OT to communicate, it sometimes feels like I have to become a marriage counsellor, rather than a technical specialist”
Within IT security, you learn that confidentiality is what needs to be protected first, whereas industrial security is primarily about ensuring availability and keeping the physical process running; the classic confidentiality-integrity-availability priority order is effectively reversed. As Mikael points out, both points of view are valid and necessary, as together they secure and protect the company.
However, the organisational task lies in facilitating a shared understanding rather than engaging in trench warfare against each other. This is particularly necessary considering that some OT systems come with more than 25 years of technological debt, which means that they must be approached with some respect and the proper caution, particularly if the goal is for them to communicate more with, and be more interconnected with, modern networks.
How can you increase security in your OT environment?
It does not have to cost an arm and a leg to increase the security level of your OT environment. According to Mikael, the individual IT/OT security officer can get far by adjusting the parameters already available. He calls attention to three measures in particular.
People are a significant parameter that you can adjust, which means that competency development is the way to go. Mikael points out that the usual approach to OT competency development has been to teach IT security people about OT equipment. He believes it would be an advantage to turn this around: take the engineers, automation technicians and others who already work with the systems and machines, and upskill them with knowledge about IT security. Mikael has had positive experience with this at his courses, where he has found that the learning curve for industrial security is considerably steeper than the one for IT security, so it is easier to add IT security knowledge to an engineer than OT knowledge to an IT security specialist.
Another tip is to create good communication between the different professions. At his courses, it has been quite clear to Mikael that IT and OT people can learn from each other. At one course, an IT security specialist who used to see OT as dinosaur IT discovered the complexity of the systems with a new-found respect, while an automation engineer at the same course found out how easy it was to hack the equipment he worked with every day. As the IT/OT security officer, it is important to facilitate a shared understanding, as that makes it clearer how OT and IT can collaborate on providing optimal security for the company.
Furthermore, it is important for the security officer to know his or her industrial network. Unlike a dynamic IT network, where computers and mobile devices come and go, the communication between devices in an industrial network is very static and predictable: the same HMIs, engineering workstations and controllers talk to each other over the same protocols day after day. Therefore, if you know your network well, you can quickly detect signs of irregularities, such as a new address, a new protocol or a new conversation between two known devices, before they become serious.
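The "know your network" measure above is essentially a baseline-and-deviation check, and a static OT network is one of the few places where it works well. The script below is an added example, not code from the interview or from Mikael Vingaard's courses: it learns hosts, services and conversations from a constructed known-good window of flow records, then flags later flows that introduce an unknown address, a protocol a destination never served before, or a pairing of known devices that was never seen. The addresses, device roles and flow records are all constructed for illustration.

```python
"""Baseline-and-deviation detection for a static industrial network.

Added example, not code from the interview or from Mikael Vingaard's courses.
Flow records are summarised as (src_ip, dst_ip, dst_port, proto); the
addresses, device roles and flows below are constructed for illustration.
"""
from collections import Counter

# Constructed baseline: conversations seen during a known-good learning window.
BASELINE_FLOWS = [
    ("10.0.10.5", "10.0.20.11", 502, "tcp"),   # HMI -> PLC1, Modbus/TCP
    ("10.0.10.5", "10.0.20.12", 502, "tcp"),   # HMI -> PLC2, Modbus/TCP
    ("10.0.10.7", "10.0.20.11", 102, "tcp"),   # engineering workstation -> PLC1, S7comm
    ("10.0.20.11", "10.0.10.9", 514, "udp"),   # PLC1 -> syslog collector
]

# Constructed flows from a later window, with three deviations mixed in.
OBSERVED_FLOWS = [
    ("10.0.10.5", "10.0.20.11", 502, "tcp"),   # normal
    ("10.0.10.5", "10.0.20.11", 502, "tcp"),   # normal, repeated
    ("10.0.10.7", "10.0.20.11", 102, "tcp"),   # normal
    ("10.0.10.5", "10.0.20.12", 102, "tcp"),   # HMI speaking S7comm to PLC2: PLC2 never served 102
    ("10.0.10.7", "10.0.20.12", 502, "tcp"),   # workstation polling PLC2 over Modbus: pair never seen
    ("10.0.99.23", "10.0.20.11", 502, "tcp"),  # address never seen on this network
    ("10.0.99.23", "10.0.20.11", 502, "tcp"),  # same, repeated
]


def build_baseline(flows):
    """Summarise a learning window into the three things a static OT network
    lets you enumerate completely: hosts, services per destination, and the
    full set of conversations. Returns a dict of sets."""
    hosts = set()
    services = set()        # (dst_ip, dst_port, proto)
    conversations = set()   # (src_ip, dst_ip, dst_port, proto)
    for src, dst, port, proto in flows:
        hosts.update((src, dst))
        services.add((dst, port, proto))
        conversations.add((src, dst, port, proto))
    return {"hosts": hosts, "services": services, "conversations": conversations}


def classify(baseline, flow):
    """Return None for a baselined flow, otherwise the most specific deviation,
    checked in the order unknown_host > new_service > new_conversation."""
    src, dst, port, proto = flow
    if flow in baseline["conversations"]:
        return None
    if src not in baseline["hosts"] or dst not in baseline["hosts"]:
        return "unknown_host"
    if (dst, port, proto) not in baseline["services"]:
        return "new_service"
    return "new_conversation"


def detect_deviations(baseline, flows):
    """Run every observed flow against the baseline and return one alert per
    distinct deviating flow, with a count of how often it was seen."""
    counts = Counter()
    reasons = {}
    for flow in flows:
        reason = classify(baseline, flow)
        if reason is not None:
            counts[flow] += 1
            reasons[flow] = reason
    return [
        {"flow": flow, "reason": reasons[flow], "count": counts[flow]}
        for flow in sorted(counts)
    ]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for alert in detect_deviations(baseline, OBSERVED_FLOWS):
        src, dst, port, proto = alert["flow"]
        print(f'{alert["reason"]:17} {src} -> {dst}:{port}/{proto}  x{alert["count"]}')
```

The value of the check depends entirely on the learning window: it must be captured while the plant is known to be clean and should span at least one maintenance cycle, otherwise legitimate but rare flows (a vendor's remote-service session, a quarterly firmware push from the engineering workstation) will show up as deviations. That is also why the alerts are grouped per flow with a count rather than emitted per packet; an operator can then review a short list of new relationships instead of a stream of duplicates.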
Mikael is certainly of the opinion that a “complete” solution is utopian. “These kinds of magical units do not exist”, he says, and continues: “increasing the security level of OT requires a connection between people, processes and technology”. According to him, this is the right mindset for the dilemmas and the need for transformation that industrial OT environments are facing.
Mikael Vingaard regularly arranges courses in OT security on introduction as well as experienced levels. For more information and registration, go to otacademy.com.