Living in a hyper-connected world, where the need to keep everything “online” keeps growing, means that both OT environments and critical infrastructures, which were historically isolated, now need to interconnect.
This fact, which we could consider the natural result of digitization, implies extending networks, increasing the use of wireless or installing IoT-type devices, all of which can significantly increase the permeability of critical environments and make it easier for security incidents to materialize.
Critical infrastructures “are systems that are considered essential and the services they provide are vital for everyday operations, economics, safety and general welfare of modern societies”.
But what if a cyber attack damaged one of these critical environments? Beyond the impact at the digital level (we all remember the WannaCry incident), there would also be the possibility of environmental damage, damage to public health or simply putting human lives at risk. The consequences could be extremely serious, since these are undoubtedly facilities that provide essential services to society.
The Specific Protection Plans of the different infrastructures include all the measures considered necessary based on the risk analysis carried out and on the threats affecting their assets, including information systems. Threats to critical infrastructures have a cyber component of enormous importance that can affect both the infrastructures themselves and all other related industrial environments that depend on technology for their control and operation.
The enormous impact of the current pandemic has forced an acceleration towards telework solutions, paving the way for cybercriminals, who now have a greater radius of action, especially with regard to remote access solutions that allow us to reach our workplace from home and that are not always properly secured.
But what is OT, that great forgotten one? And what differentiates it from IT? In the industrial environment we speak of Operational Technology (OT), that is, intelligent devices such as sensors, probes, controllers, actuators, etc.; while in the corporate IT environment we refer to databases, document repositories, servers, etc. In addition, Operational Technologies are structurally different, since they are made up of a multitude of small devices spread over a wide area, diametrically opposite to IT systems, which are usually grouped in data centers (CPDs).
Another big difference is that while in IT environments the confidentiality of information is one of the most important aspects to protect, in OT environments availability is the most critical factor. If we focus on the great technical differences that separate both worlds, we observe that the technological knowledge of the professionals in each sector is clearly different, which widens the distance between them.
From the field of cybersecurity we face great challenges. The adoption of new information technologies, together with the strong demand for connectivity, has caused technologies used in IT environments to become part of OT environments, significantly increasing the surface exposed to threats in cyberspace.
The security of both industrial plants and critical infrastructures has been increasingly threatened in recent years, above all with the rise of different forms of cybercrime and cyberterrorism, the proliferation of web access to SCADA systems, the adoption of the cloud, mobile and BYOD (Bring Your Own Device) paradigms, and the convergence of IT technologies in the OT field.
On many occasions, the criticality and specificity of the industrial environment do not allow the same countermeasures to be implemented as in a traditional IT environment. In fact, there are clear differences between the IT and OT fields, which justify the need to develop and implement specific industrial cybersecurity programs aligned with the organization’s IT security policies.
In OT environments, which are potentially more vulnerable, the guidelines and policies affecting every area of cybersecurity must be developed under continuous improvement methodologies, since risks and threats are constantly changing and evolving. For this reason, either we increase the cybersecurity budget in the OT sector or we directly converge IT with OT, aligning the security measures of both environments. This action entails an increase in exposure, by expanding the risk area, and implies a complete redefinition of security measures and policies.
The dual IT-OT nature we have addressed, a result of the digitization of operational technologies, exponentially increases cybersecurity risks. In this sense, the protection and availability of the facilities become essential, so as not to end up in situations such as that of the largest Japanese manufacturer of optical products, Hoya Corporation, affected by a cyberattack at the end of February 2020 that impacted the OT environment and led to a partial shutdown of its production lines.
Considering the high value of this type of asset, aspects such as:
It is important to start from knowledge of the degree of exposure and vulnerability of the operational network. To do this, the first step is to perform a multidimensional analysis and network security audit. This analysis will allow us to ensure that the IT-OT convergence procedure is adequate. Once this step is taken, it is important to go deeper and carry out increasingly granular analyses in order to capture the specific peculiarities of the environment and adapt it to the new security policies.
To achieve these objectives, early detection and the implementation of technologies that raise the level of security through secure controls and procedures are very important. It is also important to follow best practices and to rely on directives such as NIS, a European regulation that identifies the sectors in which the protection of networks and information systems must be guaranteed and establishes reporting requirements for cybersecurity incidents.
The demand for connectivity has caused the technology used in IT environments to become part of OT environments, exposing some weaknesses:
The Internet of Things (IoT) is no longer a trend, it is a booming reality that poses great challenges in many aspects. One of them is the need to create user-level security profiles, specific for this type of hardware.
The standardization of IT technologies in the industrial field, the proliferation of web access to systems and the indiscriminate presence of the IoT, where almost any device has its own Ethernet connection, are a handicap, because it is not always possible to deploy the same countermeasures as in IT environments. For this reason, factors long since resolved in IT remain clear security gaps in OT environments, such as:
In order to minimize the impact of these types of threats, more and better procedures and policies specific to each type of environment must be developed, such as:
In the Security Operations Center (SOC), in addition to monitoring all plant activity, it must be possible to address prevention, defense, detection, response and recovery actions against cyber threats in a coherent and structured manner, analyzing events in search of suspicious activity that could be an indicator of a cybersecurity incident in networks, servers, applications, etc.
As with cybersecurity in IT, working committees have also been defined for the operational environment, with the aim of developing specific standards for industrial cybersecurity. This committee is responsible for the development of the IEC 62443 series of standards, which is the evolution of the standards developed by the ISA99 committee of the International Society of Automation (ISA).
At the national level, to improve cybersecurity in critical infrastructures, the CNPIC and the National Cybersecurity Institute (INCIBE) jointly operate the Security and Industry Incident Response Center (CERTSI), which plays an important role as the link between CNPIC and INCIBE and the Cyber Coordination Office (OCC). This body acts as coordinator for the exchange of information with the European Union.
Limiting cybersecurity to purely technical controls leads to neglecting aspects as important as organizational ones. Managing incidents, defining responsibilities and addressing requirements are vital to countering threats.
Strong cybersecurity protection measures applied to highly critical environments can create a false sense of security that makes us forget the many other threats requiring specific measures, since most security problems come from within the organizations themselves.
In this sense, industrial organizations need to close the distance between IT and OT in order to avoid security breaches. It is essential to prevent the exploitation of any vulnerability from ending up causing permeability between environments. The main objective is to achieve true convergence: commit to a joint response, improve indicators of compromise and create a single command that coordinates our defenses against cyber threats. The aim is to raise the organization’s degree of maturity while offering a higher level of protection to the facilities, where fundamental factors such as availability, integrity and confidentiality prevail, placing the focus above all on creating new security policies that improve the deployment of protection measures.