In the past data networks and computers have run isolated and completely independent networks, all with different objectives and requirements. On the computer side it’s known as Information Technology (IT). The data network/industrial control system/process control side is Operations Technology (OT). Running independently worked for decades, but with the advent of new “Smart” technologies these two sides of the SCADA coin are coming crashing together.
IT is responsible for the creation, transmission, storage, and securing of data. Network compromises can have an immediate financial impact on an organization, often resulting in such things as the loss of customer confidence, fines and penalties, and even lawsuits.
OT, on the other hand, is focused on establishing and maintaining control processes with physical impact, such as manufacturing floors and production environments, whether local or in the field. Recent developments, including the need to more effectively compete in the digital marketplace, are now causing these traditionally separate environments to converge. A growing number of industries have already begun integrating networking and digital communications into the OT space by deploying new Industrial IoT (IIoT) devices such as smart meters, automated asset distribution systems, and self-monitoring transformers.
OT Security Challenges
These changes aren’t without risks. A cyber attack that successfully targets an OT ICS, supervisory control and data acquisition (SCADA) control system, or even connected devices such as valves, gauges, or switches, could result in devastating physical consequences to such things as critical infrastructure and services, the environment, and even human life.
Other concerns include the inability to properly identify, measure, and track risk, IT outages that impact customer-facing systems, and the interruption of business operations due to a catastrophic event. These challenges are being compounded by the lack of security expertise inside organizations, not only within their own in-house staff (reported by 40 percent of organizations), but also with the third party vendors they outsource their security services to (41 percent). This is not just due to the growing cybersecurity skills gap facing the entire computing industry, but also the fact that even available security professionals have little experience with OT environments.
As a result, nearly 90 percent of organizations with connected OT infrastructures have experienced a security breach within their Supervisory Control and Data Acquisition and Industrial Control Systems (SCADA/ICS) architectures, with more than half of those breaches occurring in just the last 12 months. Security concerns include viruses (77 percent), internal (73 percent) or external (70 percent) hackers, the leakage of sensitive or confidential information (72 percent), and the lack of device authentication (67 percent). And over a third are now concerned with the exploitation of backdoors built into connected IoT devices.
These and other challenges have resulted in strong internal resistance against bringing these two teams and infrastructures together, with mistrust coming from both sides. This is primarily due to these teams having fundamentally incompatible approaches to addressing cyber risk.
IT’s top security priority is protecting data, including intellectual property, corporate financials, and employee or customer private data. To address these challenges, they tend to follow the traditional CIA hierarchy for security: confidentiality, integrity, and availability.
OT, on the other hand, uses an inverted CIA model, where availability comes first, and safety is typically the top priority of availability. OT teams need to ensure that such things as control processes and production yields are not put at risk due to network changes. As a result, infrastructure components in OT networks tend to have extended life cycles, and traditional IT best practices like patching and updating can potentially take a currently functional system offline, with significant and unintended consequences.
How to Get Started
These differences are not intractable. Careful planning and coordination, combined with open communications and effective listening are critical to converging these different environments and reaping the potential benefits.
To learn more about these benefits, check out this report from Fortinent on the IT-OT Convergence in SCADA Systems. Click Here