Considerations for merging your IT and OT environments into ICS
Posted by: Pascal Ackerman
Many organizations straddle the barrier between two different worlds: the Operational Technology (OT) world of physical machinery, manufacturing systems, SCADA, medical devices, and industrial equipment; and the IT world of servers, storage, networking, and other devices used to run applications and process data. These two worlds used to be very separate and called for two different skill sets; however, over the past decade or two, they have been merging.
The convergence of IT/OT joins all of these business processes and controls and automation systems into one environment – the Industrial Control System or ‘ICS’. This has led to significantly easier management and maintenance, and to reduced costs. However, with reward comes risk, and this process isn’t immune to that. When IT and OT merge, the organization’s attack surface widens. Machines and specialized systems that used to be siloed away from the internet are now accessible, and data that was previously available to a select few is exposed. We’ve already seen the effects of this over the last few years, as attacks on critical infrastructure such as energy grids, power plants, transportation networks, etc., are on the rise.
For organizations navigating the shift to ICS–or “industry 4.0” as it’s sometimes called–extra attention must be paid to how they manage and secure their production environments because the consequences of a cyber-attack could be catastrophic. Here are some things to consider regarding the security of your ICS environment:
Your ICS environment needs a unique security program.
As ICS environments grow more interconnected, they become increasingly complex, and greater care has to be taken in planning, building, and securing the environment. Starting with an accurate inventory of the OT environment’s systems and any IT systems they connect to is a necessary first step. Once you know what systems will be part of your ICS (including new systems or tools you may introduce as part of the migration), you’ll need to understand what security standards and frameworks will apply to your newly formed or growing ICS. The odds that your organization will immediately be in full compliance or satisfactorily secure are low, but understanding the maturity of your new ICS security program will help you mitigate risks and plan out how to move towards a more secure environment.
You can’t build a secure ICS on the fly.
Building an ICS isn’t as simple as connecting an OT system to the internet and setting up a management pane. Most OT equipment wasn’t designed with cybersecurity in mind. It’s also likely that OT systems are running outdated operating systems without ongoing support, and there may not even be patches available to bring them anywhere near being “up to date”.
This means that as you migrate to an ICS environment, you’ll need to carefully consider how you architect your environment in order to mitigate risk. As you build, it’s likely that you’ll need to consider new security tools and processes to limit access to the newly connected OT systems and control what can or can’t be done through their new connections. Planning your merger of IT and OT into an ICS will require the inventory mentioned earlier. It’s likely that you already have security tools and processes in place specifically for your OT systems or existing tools with integration points that can be used to reach your ICS security goals.
Your ICS environment will require a different approach.
One of the reasons OT environments were kept siloed and only accessed by trained experts was that even the smallest disturbances could lead to extended downtime, maintenance, and sometimes even physical harm and injury. As you move towards an ICS environment, the risks of improper access and misconfiguration can grow. Not only does the surface area available to attackers increase, but in a delicate production environment, small misconfigurations can lead to drastic failures. We’ve already discussed planning for the security of your ICS, but you also need to consider how you’ll assess your security controls, posture, and maturity after the fact. Real-world experience building, testing, and improving ICS environments is a must.
It’s understandable if all of this seems daunting. All of these considerations are interconnected, and tackling any one of them–let alone all of them at once–is an intimidating prospect.
That’s why today, we’re announcing our new ICS Security Services.
We’ve brought together our OT Penetration Testing, OT Security Program Review, and OT Security Architecture Review offerings to create a holistic approach to securing your ICS environment. This approach brings a multitude of benefits, as each of these offerings feeds into the next to improve your ICS security. Our experts across these three areas will work together to deliver actionable insights into your ICS environment’s security posture and point you in the right direction for improvement.
Whether you’re just starting your migration or are already well on your way, you can learn more about how we can help you secure your ICS environment by visiting our ICS Penetration Testing, ICS Security Program Review, and Security Architecture Review pages, or by contacting us today. We look forward to working with you.
Pascal Ackerman
Senior Cybersecurity Consultant, Operational Technology,
GuidePoint Security
Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering and with 25+ years of experience in industrial network design and support, information and network security, risk assessments, pentesting, threat hunting and incident response and forensics. After almost two decades of hands-on, in-the-field and consulting experience, he joined GuidePoint in May of 2022 and is currently employed as senior cybersecurity consultant of the Threat and Attack Simulation team. His passion lies in discovering and analyzing new and existing threats to ICS environments and he fights cyber adversaries both from his home base and while traveling the world with his family as a digital nomad.