Security risks of OT still stay under the radar too often

The protection of a company network stands or falls with the visibility of all the assets or devices connected to that network. Security tools play an essential role in this. Standard IT solutions are designed to map out IT assets. They monitor and protect, among other things, servers, laptops, smartphones and all kinds of network equipment.

That’s an important first step in terms of security, but offers no watertight solution for the operational technology (OT) aspect: machines, installations and robots of all kinds that are also connected to a network.

Standard IT tools fall short

“A large part of the OT assets of the network are invisible to an IT security solution,” says Nick Wuyts, OT security specialist at Proximus NXT. “Although IT and OT often interact with each other, operational technology still remains a world of its own. Automatically controlled machines such as PLCs and robot arms use very specific, often outdated protocols, because the machines are in service for a long time. They don’t always actively communicate with the network and are simply not designed with cybersecurity in mind.”

Companies thus arrive at the sobering conclusion that their cybersecurity is not as strong as they think. “Standard IT security tools miss up to 30 percent of the operational technology. To put it bluntly, up to 30 percent of the assets are invisible to the security system, and thus unprotected.” Companies are very often not aware of this.

“I was recently with a client who was convinced that his OT security was in good shape. A demo with our solution provided visibility of all the assets, including the unmanaged and unknown. That is just what’s important, because if you don’t map out those unmanaged and unknown assets, you get a false feeling of safety. A company thinks that it has 99 percent of its assets mapped out whereas, in reality, it’s only 70 percent or less.”

Nick Wuyts, Cybersecurity Product Manager at Proximus NXT

Path of least resistance

That produces a risky situation, because, what you don’t see, you can’t secure. Cybercriminals who aim to penetrate a company via its IT network quickly hit a wall there, after which they opt for the path of least resistance. Very often that path leads through the less well protected OT. “On average, one in four OT assets contains a critical vulnerability; one in five is even end-of-life. Without visibility of those assets – and so without good protection – your company is an easy prey.”

Crucial and vulnerable

It’s rather remarkable that OT systems pose such a high risk of cyber incidents. Those OT systems are, after all, crucial for business continuity. If a production line stops, for example, that immediately results in loss of turnover. In the context of OT, problems with security often also lead to safety risks; consider the risks that arise in an OT incident in a chemical plant, a gas pipeline or a power plant. So it can involve much more than just a production line that stops in a factory.

The risks to OT assets don’t always come from outside either. “It could just as well be your own employees or technicians from a maintenance firm who plug a router into a machine or an installation. A firewall can do nothing about that, because the connection takes place within the network itself.”

“External connections, like those of maintenance technicians, must be well secured,” explains Wuyts. “A secure remote access system helps monitor who has access and what they do, so that you, as a company, get a better handle on that risky access. Without the right monitoring those connections disappear under the radar and constitute a perfect gateway for a supply chain attack.”

Passive monitoring

There are many OT-specific security solutions on the market. Proximus NXT uses Armis in the context of OT security. That platform brings together IT, OT and IoT and offers overall visibility. The aim should be to have a complete picture, as a company, of the network and the risks it runs. OT devices don’t always actively communicate to make their presence known. “Consequently , a passive solution is needed, to map out those passive assets too and so not overlook any risks. We make use of the existing network traffic for this, without active scans that would otherwise disrupt the systems.”

More than asset management

In addition to asset management and visibility, it’s crucial to set up risk analyses on a regular basis and apply network segmentation. “It helps companies identify vulnerable devices, such as systems with critical vulnerabilities or equipment that is end-of-life and no longer receives OTA updates. Segmenting the assets in this way reduces the possible impact of an attack.”

Although IT, OT and IoT are, in principle, separate worlds, each with their needs in terms of security, a platform like Armis simplifies the exact security infrastructure needed. That is the case thanks to, among other things, integration with other security tools, such as Fortinet and Palo Alto Networks. “Armis also offers possibilities for compliance reporting and risk assessments, so that the platform ultimately offers much more than a standard tool for asset management.”

Nick Wuyts, Cybersecurity Product Manager at Proximus NXT

Complete overview

“Real safety begins with a complete overview of all assets, IT, OT, managed, unmanaged and unknown,” Wuyts concludes. “Because without visibility there is no control. Strategic monitoring and continued optimization of the tools used: that remains the message.”