Once upon a time, information technology (IT) and operational technology (OT) quietly lived lives of mutual disinterest: if it was a marriage, it was one of opposites that interacted rarely, didn’t network together or attend the same parties. IT did largely white collar jobs; OT did largely blue collar jobs – handling the hardware and software behind direct industrial controls.
Then these two had a small and talented, but wayward child, the Internet of Things (IoT), which kept clambering into factories and oil rigs, forklift trucks and gas turbines to report on their workings to, well, anyone who chose to listen. (In this somewhat stretched metaphor, as in life, immature systems spreading industry data from the rafters is a security nightmare…)
For better or worse – and most in industry welcome the birth of the IoT – networked IoT
devices interfacing with more classically IT systems are now increasingly the norm. As a result, IT, OT and the IoT are increasingly converging (let’s ditch the metaphors) into what some analysts have dubbed “cyber physical systems” that relay data from the physical back to the “cyber”, informing operators in near real-time of how processes are performing.
For example: the proliferation of low-energy sensors allowing remote management of/ predictive maintenance on energy infrastructure, from gas turbines to wind farms; with distant hubs able to predict when components are wearing out and need replacing before they break.
Rich Armour, a senior advisor to Nozomi Networks, a security firm that specialises in such converged cyber physical systems, knows a thing or two about the industry and some of the idiosyncrasies involved in trying to secure it.
He previously oversaw a sprawling physical estate as Chief Information Security Officer (CISO) at General Motors, retiring from GM in 2019.
He now works (in part) as an advisor to San Francisco-based Nozomi Networks, whose CEO Edgard Capdevielle led the company to reported 500 percent-plus revenue growth in 2019.
Capdevielle and Armour joined Computer Business Review for a call to talk about some of the unique challenges faced in securing converged IT/OT systems.
As Armour tells us, asset visibility is typically one of the first sticking points for companies looking to secure their networks:
“Inside General Motors, when we ran tests against some of our complex factory environments, we found that the vast majority of industrial control security vendors were not able to identify a significant proportion of the industrial control
systems we had in our factories. It’s a tough environment because of the huge variety of
industrial controls that exist out there: for robots to control motors, to PLCs to lifts, automated torque wrenches; the variety is almost endless. And in that, I think poses a significant challenge.
“The other dimension of it is that unless those controls and their network activity has been observed in a laboratory or testing environments, then it’s also difficult to develop signatures. And so there are a lot of challenges. And unfortunately, it is a critical part of the industrial control security function to certainly understand what assets are out there”.
Another issue is that sensors/networked infrastructure is often incredibly physically dispersed:
“GM has about 200 million square feet of manufacturing space.
“A typical factory would be four, maybe five million square feet. And so just the simple reality of how large these facilities are and how widely dispersed the control systems are, it makes physically inventorying them very, very difficult…
He adds: “You can imagine the massive sprawl of an oil refinery, for example. These control systems will be not only all over the the refinery campus, but they’ll also be, in some cases, very inaccessible locations: very high up in physical infrastructure. Sometimes they’re underground.”
That leaves many companies with a hugely laborious task when trying to identify assets.
As Nozomi’s CEO adds: “The need to patch systems is one of the fundamental questions of risk management; something that in a converged world what the CISO and security professionals need to evaluate and do.
“(But) in industrial controls this is extremely hard to do because even when asking fundamental questions… the answers are just not there because of the lack of fundamental infrastructure.
“There are people going around in trucks with Excel sheets to remote reservoirs or distribution substations everywhere in the country because these networks simply do not have the proper instrumentation…”
Visibility is Key
It’s not just the dispersed nature of these assets that makes them hard to secure. As
Capdevielle notes: “These are very long lived assets; physical assets that rely on networks that that are meant to last a long time. Over time, [it’s easy for businesses to] lose track of of what’s what, and who’s who. And having that visibility is extremely important for risk management, vulnerability assessment, cyber security, among other things, and automating it becomes key.
Nozomi’s market niche is in tools that aim to provide visibility, cybersecurity and scalability to support the full global scope of assets across cyber physical systems. As Capdevielle notes:
“Many will say that they can only afford five to 10 cybersecurity professionals that can only attend on SoC (security operations centre). So being holistic, supporting convergence, making sure that the industrial cybersecurity folks are versed on IT and IoT, and of course, that the IT and IoT guys have some context when it comes to the industrial world, which is a world that until today has been fairly foreign, is crucial to building security.”
Nozomi comes in by offering (as part of its product suite) tools that that can identify devices from a huge range of OT vendors, including legacy assets and automatically mapping network segments. At this point, as with IT counterparts, it aims to also map baseline behaviour and then use AI to track incongruities in traffic that could suggest intrusion/exfiltration.
These can be, superficially, “obvious” anomalies that might not otherwise have been detected. Is “Joe Bloggs” suddenly working on a SCADA system/OT network at 4am instead of 4pm? As Armour notes: “Well, that might be because he’s been working on some high priority project for his boss. But it might also be that he’s doing something that he doesn’t want others to see, so he’s doing it when there’s nobody else in the office environment at four o’clock.”
Yet for all the speciality of the sector, what becomes apparent in the conversation is that many elements of good security will be familiar to those working in non-industrial processes too: the basics of good security hygiene, regular patching, minimal privileges, etc.
As former GM CISO notes: “You’ll see a lot of issues stemming back to ‘accumulation of privileges. If you’ve been in the organisation for a few years, have moved to different roles and the organisation is not very good at eliminating your access privileges. Eventually you’re going to become pretty allpowerful in terms of your ability to access sensitive functions!”
Amid the surge to remote work driven by the pandemic, both are keen to emphasise that with an already broad attack surface for the maliciously-minded (and 2019 saw no shortage of industrial companies fall prey to ransomware attacks, for example) runs the risk of getting broader and more porous. As Nozomi’s CEO puts it: “ People are adding cameras and drones and all sorts of networked physical access, badge access [infrastructure].”
“The industrial world has a very strong physical on-premises, in-person [culture] that has never been challenged in the history of industrial infrastructure. And COVID-19 is forcing us to do a lot of things external, remote, virtual. And the industry is beginning to understand that lot of these things are actually OK to do remotely, if you do them right. And that’s extremely exciting.”