
Attacks on critical infrastructure and other OT systems are on the rise as digital transformation and OT/IT convergence continue to accelerate. Water treatment facilities, energy providers, factories, and chemical plants (the infrastructure that undergirds our daily lives) could all be at risk. Disrupting or manipulating OT systems stands to pose real physical harm to citizens, environments, and economies.

Yet the landscape of OT security tools is far less developed than its information technology (IT) counterpart. According to a recent report from Takepoint Research and Cyolo, there is a notable lack of confidence in the tools commonly used to secure remote access to industrial environments.

The traditional security strategy of industrial environments was isolation – isolation not just from the internet but also from other internal systems. But now, with OT systems opening to the world and cyberthreats surging, the lack of OT-specific security tools has emerged as an urgent problem.

In this void, IT solutions are often cobbled together in an attempt to meet OT needs but, as you might expect, the results are usually lackluster. Security solutions designed for IT environments simply can’t satisfy the demands of OT and industrial realities, for several key reasons.

Reason 1: OT prioritizes availability over confidentiality

While IT and OT both seek to ensure confidentiality (the protection of sensitive data and assets), integrity (the fidelity of data over its lifecycle), and availability (the accessibility and responsiveness of resources and infrastructure), they prioritize different pieces of this CIA triad.

- IT’s highest priority is confidentiality. IT deals in data, and the stakeholders of IT concern themselves with protecting that data — from trade secrets to the personal information of users and customers.
- OT’s highest priority is availability. OT processes operate heavy-duty equipment in the physical realm, and for them, availability means safety. Downtime is simply untenable when shutting off a blast furnace or industrial boiler tank.

For the sake of availability and responsiveness, most OT components weren’t built to accommodate security implementations at all. This marks a fundamental difference in the very DNA of IT and OT environments, which immediately renders IT security tools challenging to implement.

Reason 2: OT systems run on always-up legacy systems

For someone living in the IT world, it may be difficult to imagine an environment that still runs on Windows XP or an eighties-era mainframe, but that’s the plain reality of the OT world. Whether for profit or safety, OT systems are always up and running at full capacity. This is why OT components are designed for much longer life cycles.

Almost all IT-based tools require downtime for installation, updates, and patching. These activities are generally a non-starter for industrial environments, no matter how significant a vulnerability may be. Again, downtime for OT systems means putting safety at risk.

In addition, the legacy systems that power the OT world generally cannot communicate with modern security or authentication tools, limiting the effectiveness of these platforms from the very start. Without a security solution like Cyolo, which retrofits legacy applications to support modern security protocols, IT tools will be severely limited in their ability to secure OT systems.

Reason 3: IT tools almost always require a connection

IT security solutions usually require an external connection because servers and applications must exchange data with each other (and with users) to perform their essential functionality. OT systems, by contrast, often have specific requirements for how and when they can be connected to the internet (yes, even in our age of digital transformation). IT tools can’t always be configured to meet these requirements.

The nuance is that IT and OT systems can interface with each other without forming a permanent connection. This way, OT environments can be positioned to achieve the benefits of automation, production data, and other digital transformation efforts without creating unnecessary access points for malicious actors.

Reason 4: OT systems are highly variable

The IT world has largely standardized around the TCP/IP protocol, but the OT world lacks such consensus. OT systems use a wide variety of communication protocols, which are often determined by the original equipment manufacturer. For example, if an OT operator purchases programmable logic controllers (PLCs) from several different providers, each provider has likely taken a different approach to meeting IEC-61131 standards. Therefore, OT engineers have to learn and maintain as many types of software and protocols as they have vendors.

Even within OT, protocols are frequently incompatible with each other, and they are definitely incompatible with common protocols used in IT-based security tools. It is doubtful that any IT tool will cover the entire spectrum of OT use cases for a given environment.

Reason 5: OT systems are delicate

As a function of their variability and always-on nature, OT systems are easily disrupted by the most basic IT processes and security best practices.

- Even passive scanning can knock fragile OT systems offline, and by the time scanning is scaled down and restricted to offline systems, security coverage shrinks below an acceptable level.
- Logon banners that typically run on endpoints will break the auto-login process for critical OT systems.

Because visibility is harder to achieve in OT environments, it can be difficult to predict the consequences of deploying a new tool. For this reason, OT systems generally require more extensive testing and validation before a new tool is implemented.

OT environments deserve OT solutions

It’s often said that strategy precedes tooling — and this is true. IT and security teams working in OT spaces must take the time to understand and embrace OT philosophies and needs, and collaborate with OT stakeholders to define best practices.

That said, the right tools still matter in a big way. The cybersecurity market can be noisy and misleading. Together, IT and OT stakeholders must ask the right questions before committing to a specific tool or vendor.

The OT world deserves the benefits of modern security controls without risking the safety of workers, operations, or bystanders. Not only will the right solutions harden security postures against tomorrow’s attacks, they will position security to contribute to innovation rather than stand in its way.

To learn more about the top challenges currently facing OT security professionals, read the complete report from Takepoint Research and Cyolo.