5 key challenges of implementing IT security tools in OT environments


As digital transformation and the convergence of operational technology (OT) and information technology (IT) continue to gain momentum, the vulnerability of critical infrastructure and OT systems to cyberattacks is escalating. Water treatment facilities, energy providers, factories, and chemical plants, which form the backbone of our daily lives, are all at risk. Breaching and manipulating OT systems can have severe physical consequences, endangering citizens, environments, and economies.

However, compared to its IT counterpart, the landscape of OT security tools remains underdeveloped. Experts point out a significant lack of confidence in the tools commonly used to secure remote access to industrial environments.

In the past, industrial environments relied on isolation, not only from the internet but also from other internal systems, as their primary security strategy. With the surge in cyber threats and the opening of OT systems to the outside world, the absence of OT-specific security tools has become an urgent issue. Consequently, IT solutions are often pieced together to address OT needs, but the results are usually subpar.

Here are five compelling reasons why IT security tools struggle to meet the requirements of OT and industrial realities:

1. OT prioritizes availability over confidentiality

While IT and OT both aim to ensure the confidentiality, integrity, and availability (CIA) of data and assets, they prioritize different aspects of this triad. IT places the highest emphasis on confidentiality, as it deals primarily with data protection, ranging from trade secrets to user and customer information. Conversely, OT’s highest priority is availability, as its processes involve operating physical equipment. For OT, availability is synonymous with safety, and any downtime can pose significant risks, which makes implementing security measures challenging.

2. OT systems run on legacy systems that are always up

In IT, it is hard to fathom an environment running on outdated systems like Windows XP or aging mainframes. However, this is the reality in the OT realm. OT systems must operate continuously at full capacity for profitability and safety reasons. Consequently, OT components are designed for long life cycles. Most IT-based tools require downtime for installation, updates, and patching, which is simply not feasible in industrial environments where safety is paramount. Moreover, legacy systems often cannot communicate with modern security tools, severely limiting the effectiveness of IT solutions from the outset.

3. IT tools typically require a constant connection

IT security solutions necessitate external connections to enable data exchange between servers, applications, and users, supporting essential functionalities. However, OT systems often have specific requirements regarding when and how they can be connected to the internet, even in the age of digital transformation. Configuring IT tools to meet these requirements can be challenging. IT and OT systems can, however, interface with each other without forming a permanent connection; doing so allows OT environments to leverage automation, production data, and digital transformation efforts while minimizing potential access points for malicious actors.

4. OT systems exhibit high variability

The TCP/IP protocol has largely standardized communication in the IT world. In contrast, the OT world lacks such consensus. OT systems employ various communication protocols determined by the original equipment manufacturer (OEM). For instance, if an OT operator purchases programmable logic controllers (PLCs) from different providers, each provider is likely to have implemented its own approach to meeting industry standards. Consequently, OT engineers must learn and maintain the different types of software and protocols corresponding to each vendor. Additionally, compatibility issues exist not only among OT protocols but also between OT protocols and commonly used IT-based security protocols. It is improbable that any single IT tool can adequately cover the entire spectrum of OT use cases in a given environment.

5. OT systems are fragile

Due to their variability and constant operation, OT systems are vulnerable to even the most basic IT processes and security best practices. For instance, passive scanning alone can disrupt delicate OT systems, and scaling down scanning to offline systems reduces security coverage to an unacceptable level. Furthermore, standard IT practices like logon banners, which run on endpoints, can interfere with the auto-login process of critical OT systems. Achieving visibility in OT environments is also challenging, making it difficult to predict the consequences of deploying new tools. Therefore, extensive testing and validation are necessary before implementing any new tool in an OT environment.

Conclusion

While strategy precedes tooling, IT and security teams operating in OT spaces must invest time in understanding and embracing OT philosophies and needs. Collaboration with OT stakeholders is crucial for defining best practices. However, the selection of appropriate tools remains essential. The cybersecurity market can be overwhelming and deceptive. Therefore, IT and OT stakeholders must ask the right questions before committing to a specific tool or vendor.

The OT world deserves the benefits of modern security controls without compromising the safety of workers, operations, or bystanders. Adopting the right solutions will bolster security against future attacks and position security as an enabler of innovation rather than an impediment. By addressing OT environments’ unique challenges, we can ensure the integrity, availability, and confidentiality of critical infrastructure and safeguard our societies.