Securing the Operational Technology (OT) - The Challenges

OT - Overview

Operational Technology(OT) is generally technology used in the manufacturing or operational floor. The OT has evolved considerably in the recent years from pure mechanical technology to data-driven technologies like Robotic Process Automation (RPA) leveraging IOT, Machine Learning and Artifiial Intelligence. The impetus from the Industrial IOT (IIOT) brings more and more automation capabilities and the connected behavior into the manufacturing floor. Thus the adoption of IT and related technologies in OT is now the common norm and so the need for alignment and convergence with the IT function. 

IOT sensors are deployed everywhere, inside a manufacturing floor, or along the gas pipelines, inside a moving automobile, to monitor the stock movements, etc. Though these dispersed IOT devices perform small functions, the data it produces and the decisions taken based on sucgh data are critical and thus it is being realized that the OT could lead to critical security issues, depending on the size, and critical nature of such enterprise.  

The adoption of IIoT and related technologies brings many benefits to businesses such as smart machines and real-time intelligence from the factory floor - but it also increases the attack surface and requires continuous connectivity between IT and OT. The differing culture and mindset between the IT and OT functions, combined with few other factors often leads to conflicts. 

Hackers and Cybercriminals are now looking at critical infrastructure systems as the targets.  Motivations include holding systems hostage for a ransom, stock price manipulation, denial of production operations, etc. For example, the hackers may take control of your car when on a high way and demand a ransom, which could be life threatening. Similarly, Hackers may get hold of the Energy Grid and shut down the power supply for a region or even nation as a whole. The connected nature of these devices and systems involved in the modern day OT poses serious challenges as they get hooked on to the IT owned network infrastructure, wireless access points, and mobile networks.

Securing the OT

The introduction of new technologies to drive improvements such as production and supply chain efficiency and asset management has led to closer and more open integration between IT and shop floor systems. But the increasing connectivity of previously isolated manufacturing systems, together with a reliance on remote supporting services for operational maintenance, has introduced new vulnerabilities for cyber attack. Not only is the number of attacks growing, but so is their sophistication. As OT security becomes a widely discussed topic, the awareness of OT operators is rising, but so is the knowledge and understanding of OT-specific problems and vulnerabilities in the hacker community.

It’s true that the systems and devices involved in OT are often based on the same technologies as that of IT and as such many of the threats they face are exactly the same. However, it is an open secret that OT security is not the same as IT security. While securing OT systems requires an integrated approach similar to IT, its objectives are inverted, with availability being the primary requirement, followed by integrity and confidentiality. There are certain other important differences as well that mean that the OT infrastucture can not be managed as an extension of the IT infrastructure

Here are some of the areas that makes OT different from IT and thus pose a challenge for the IT Security experts:

1. Visibility:

From the perspective of the organizational units responsible for IT Security function, OT has been somewhat off the radar. This is so, because, the IT function is not involved in the evaluation and selection and procurement of the OT systems. More so, as such OT systems come with a dedicated-networked IT system(s), which could mean even isolated data-centers being setup within the manufacturing floor without the knowledge of the IT function.  Until recently, or even now in certain cases, the IT systems involved in OT are treated as an integral part of production machinery rather than computerized information systems, so the ultimate responsibility of its operation and maintenance, regardless of the cause of potential failure, was assigned to the OT function and not IT function. In most cases, the OT staff often don’t know what types of IT, or IoT devices or equipment that they have as part of their OT ecosystem. 

2. Skill Gap:

One of the biggest challenges facing the industry is deciding who is responsible for OT security - should it be the IT or OT function? Given their background and resources, in many cases IT security teams are being asked to take ownership of coordinating security for OT. However, they typically lack OT specific skills. Defining the security controls / processes for OT systems require indepth knowledge on the OT systems, so that the interests and priorities of the OT function is also taken care of. The cybersecurity industry is projected to reach 1.8 million unfilled roles by 2020. The added complexities of a converged IT/OT security environment could amplify perceived barriers to entry, as organizations struggle to manage the aging workforce of their plant teams with the Millennial generation of new cybersecurity talent.

3. Availability and Safety:

For a Manufacturing company, the production line is very important and its smooth functioning always is very important. Companies lose revenue when their production line is shut down for maintenance, be it planned or unplanned. Nobody wants to disturb OT equipment because any downtime can turn into millions of dollars in lost productivity, highly vocal, disgruntled customers and regulatory fines. Machines must reach a high OEE (overall equipment effectiveness). There is no time to allow IT-style updates and patches that take down equipment.

In many cases, where OT systems are involved in delivering essential services, such as electricity or water, or maintaining safety systems at chemical plants or dams availability is a significant parameter. Even momentary non-availability could lead to catastrophy in certain cases. Enabling high availability of OT systems and maintaining the confidentiality of some sensitive information processes by those systems require additional security controls. Not only are many of these now-connected OT system components are quite vulnerable to compromise, a failure in one of these also has the possibility of causing a catastrophic effect on human life and property. 

4. Processes:

Safety and security for employees and customers have always been top priorities for the OT function and the processes and guidelines are usually defined keeping that in mind. IT function doesn’t even factor plant or employee physical safety in, except where physical access systems are under their domain. IT’s top priority is to protect the data. OT’s top priority, however, is to protect the availability and integrity of the process with security (confidentiality) coming last. At the same time, the OT system components designed for direct control, supervisory control or the safe operation of manufacturing processes,  could turn out to be a safety hazard, even if any component or subsystem  involved compromised. Business systems are also critical but their failure is unlikely to result in the uncontrolled release of hazardous materials or energy. 

5. Legacy: 

It is not uncommon that the computer and related software systems used as part of the OT are used over a decade without being replaced or made any change. These computers and softwares are designed for certain specific functions of interfacing with the other plants and equipments involved in the manufacturing process. It largely depends on the plant or equipment vendor to come out with software and related IT hardware enhancements, otherwise, such systems may not be compatible with the upgraded IT hardware or the OS. Consequently, such systems would be vulnerable to a wide range of cyber-threats that have already been mitigated on the systems used in IT function. This is more so

6. Disparate Technologies:

Until recently, or even now in most cases, the OT architectures run on a separate and isolated infrastructure and as such they have been traditionally isolated from the Internet. One of the reasons for this is because these systems are often hard wired to work with a plant / equipment and to receive and process signlas received and disseminate instructions back to various components. Some OT systems are already only supporting obsolete, insecure operating systems. OT system vendors also do not feel obliged to increase the security capabilities of their systems. Something as benign as an active system scan can cause these devices to fail, which can have serious if not catastrophic results.

System-dedicated networks, multiple domains and dedicated supporting systems require more resources to achieve a maturity level comparable with IT. It also greatly increases the complexity in monitoring and maintaining security levels. The sophisticated nature of OT infrastructure technologies means that most IT security and threat intelligence solutions don’t have visibility into, let alone the ability defend against attacks on critical infrastructures. This creates a challenge in defining and implementing coherent security policies across production plants

7. IIoT Impact: 

The Industry 4.0 revolution is having a great impact on the manufacturing environments. It offers significant opportunities for improving production effectiveness; in particular, based on continual, online information about manufacturing processes and equipment. However, the utilization of new IoT technologies also has an impact on security. It’s not just about networks of course, there are loads of components, including things like sensors and actuators (transducers) and ‘smart things’, fog nodes,(industrial and intelligent) IoT gateways, IoT platforms and so forth. And for IT some of these components are “different” from the cyber security perspective they are used to by the way. New protocols (including wireless) or mesh network architectures increase the number of potential access points to the network and require a different approach to security.

8. Culture:

The IT function responsible for maintaining and securing the Information and related Resources, help ensuring the data Confidentiality, Integrity and Availability aspects and in the process protect corporate information and related assets including networks from cyberattacks. They're less familiar with the OT space, and often display little interest in knowing what their counterparts do to keep it safe and operational. In contrast, OT function monitors and fixes issues in highly complex and sensitive industrial plants with maintaining operational safety, reliability, and continuity as the top priorities. They don't deal or work with IT function, and certainly don't want them to get involved in their operational issues.

Each group is concerned that the other side will wreak havoc in their environment. When there is a need to secure OT against cyberthreats, plant engineers worry that if IT team members get involved, they'll compromise system safety and stability. Unsanctioned changes to these systems might cripple the plant, cause an explosion, or worse. These concerns are justified. After all, when it comes to OT, IT staff members are in uncharted waters. At the same time, the IT function is concerned that vulnerable OT networks will introduce new threats into IT networks, threatening corporate assets, data, and systems.

Conclusion:

As industrial organizations begin to connect their machines to the network, the differences in security requirements for IT versus operational technology (OT) are becoming more important to understand.

There were no good practices and formal regulations for manufacturers on how to provide even minimal security protection on medical devices. 

IT and OT teams are discovering the need to work together in order to deploy cybersecurity solutions throughout the enterprise; from headquarters to remote locations, and the factory floor. Hackers are going after intellectual property, financial data and customer information. CIOs report that intellectual property can constitute more than 80% of company value. Now is the time for OT and IT leaders to develop strong partnerships to promote operational efficiency, safety and competitive advantage.

Neither OT team members nor IT team members are experts in defending OT systems against emerging cyberthreats. Because OT networks were previously disconnected from the external world, engineering staff never had to deal with such threats. Meanwhile, IT staff members who deal with cyberthreats on a daily basis don't fully understand how these new threats will affect OT systems.  Nevertheless, both sides must cooperate, because neither group can protect industrial systems singlehandedly. Given the divergent cultures, technologies, and objectives of IT and OT, the two groups must overcome a significant divide, including mutual suspicion.

To ensure IT and OT collaboration, business-level oversight and leadership is required. More and more organizations are taking senior, experienced engineers from OT business units, usually from under the COO, and moving them under the CIO hierarchy. This interdisciplinary model combines expertise and roles that straddle and unify both sides of the IT-OT fence. Some organizations have taken this one step further. Instead of aligning IT roles under the CIO, they're creating a new C-level role to facilitate this management strategy. 

The higher up the organizational ladder that IT-OT convergence decisions are being made, the better the chances for success in bridging the gap.

The Promise and Peril of IoT

The Internet of Things can be defined as below:

The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected.

As we can see today, there are many things that we use in our daily livelihood are becoming smarter as they have embedded sensors and related electronics and algorithms, so thay they collect data in real time and convert the same into useful information. The most common smart things that we see now range from tracking devices, cars, refridgerators, security cameras, ovens and even dustbins. The Healthcare industry is leading in adopting the IoT devices and we have devices which are worn under the skin, that on the positive side help address many of the health concerns.


The IoT ecosystem primarily has three things: the device itself, with necessary sensors to collect data; the network that the devices use to share the data with the back end systems; and the back end system which apart from applying various analytical and algorithmic processes on the collected data also manages the devices, like rolling out updates, patches, etc. Certain devices may not have the ability to connect to the internet, in which case, the devices reach out to the back end through intermediate broker devices, like smart phones.

IoT is here to Stay

More and more IoT devices are coming out and will soon be everywhere and experts predict that the number can grow to 50 billion by year 2020. The IoT will undoubtedly be beneficial, but not without any perils. The pervasive interconnectedness of the IoT devices will also help the businesses in better understanding customer behavior and adopt appropriate business and marketing strategies targeting the specific customers. While the businesses like healthcare service provicers may make the most out of this IoT push, it poses many concerns ranging from data security to life safety of those who either directly or indirectly use such devices.

As the benefits seem to outweigh the drawbacks, it is very likely that IoT is here to stay and the concerns have to be addressed as it matures in the coming years. Let us examine the Promises that IoT era is about to bring in and also the Perils that come along.


The Promise

Healthcare

As mentioned earlier, healthcare providers are among the earliest to adopt the IoT. The wider deployment of electronic medical records (EMRs) and deployment of telemedicine technology that relies heavily on the type of remote data collection needed IoT to take it further and this convergence is expected to fuel the growth of IoT. With IoT, patients can submit their vitals from home without having to personally visit their physician and thus experiencing an enhanced and timely care, which could be life saving many times. This also helps in healthcare providers innovate further and come up with preventive care plans. Typical IoT devices that we see now are the fitness trackers, smart watches and other wearable devices like smart shoes.

Automobile

Next to Healthcare, Automobiles makers have shown greater interest in leveraging the IoT and thus the cars are becoming smart with capabilities like driverless cars, parking assist, switching on the A/c remotely, etc. IoT, if not already, will enrich the in car experience of the driver and passengers. The applications include enhanced in-car infotainment, improved safety controls and improved remote maintenance. For example, the car tyres are getting smarter with the ability to notify the tyre pressure in real time and even extend it further to automatically inflate or deflate the tyre on the go. The cars rolling out today already have some level of smartness built in, giving an enhanced safety and driving experience.

Manufacturing

The IoT brings revolutionary changes to society, economy, and technology, in such a manner that no one can just ignore to leverage it for its benefits. Manufacturing companies for that matter are seriously working to leverage IoT to: gain enhanced visibility over the production process; link the production to the business processes; and build responsive monitoring processes that improves the efficiency and quality of the products and services. Application of IoT in the above areas will lead to significants benefits like, securing and monitoring the movement of goods within and outside the factory, improving the quality of the products, preventive maintenance and upkeep of the plant & machinery, etc. When implemented correctly in every stage of the manufacturing process, IoT will be a significant benefit to employees on the manufacturing floor to the shippers and finally to the customer.

Retail

Retail industry would not want to be left out in this race of adopting the IoT as it has the biggest potential to leverage for a better business results. Being in direct contact with the end consumers, retailers can make use of in-store sensors and can track smartphones throughout the store and record path-to-purchase data that can later be used to optimize store layouts. Check out process can be made easier with smart shopping bags, so that the moment an item is dropped into the bag, the same is added to the order making the billing process a lot easier. IoT is likely to be very useful in fraud prevention, like theft of inventory, etc. Early adopters will be positioned to more quickly deliver IoT-enabled capabilities that can increase revenue, reduce costs and drive a differentiated brand experience. The IoT will be a disruptive force in retail operations.

Other Benefits

Energy sector is adopting IoT with smart meters and grids to gather real-time data for remote monitoring of resource consumption, malfunctions, etc. Needless to mention, IoT enables buidling of smarter homes with smart-connected home appliances and thermostats giving an ability to the users to remotely monitor and manage. IoT is also entering our homes in the form of internet-connected lightbulb, thermostat, door lock, washing machine or oven you can control from inside or outside your house.  IoT has the power of transforming our lives by offering the needed sensing, connectivity and intelligennce to improve our wellbeing. 

Having seen the some of the promises, some of which are already real, let us now check out the dangers that come along.

The Perils

With IoT devices, consumers are often exposed to newer risks and concerns that these new generation devices and gadgets bring in. The concerns include their own safety, possible effects on networks used apart from the data protection and legal issues.

Another concern for the businesses is the amount of data produced by all IoT devices. The enormous data produced by various sensors must be transmitted over the networks, needing high performance networks and stored calling for the storage and related infrastructure. The volume of data managed by enterprises between 2015 and 2020 is expected to grow 50 times year-over-year. The concern is not just on the volume, but also on the quality and security of the data. The legal issues around the data ownership, accountability and responsibility cannot be ruled out as well.

Security & Privacy

IT professionals are no longer just protecting data, circuits, and transmissions, but need to focus on the relationships between “things”, “service to things” and “things to people.” Safety must be ensured along with availability, confidentiality and integrity. IoT devices might expose vlunerabilities, exposing an easy way for hackers to get into networks and databases of personal data. While manufacturers are responsible for the security of their products, organizations and end users are equally responsible deploying and monoitoring within their network. 

The ways and means of securing IoT is unclear as the industry is still evolving with thousands of start ups coming with cheaper and basic connected devices, ignoring security and safety in mind. The concerns around security and privacy stems out basically at three levels. The first being from the device itself. The device containing sensors to gather data and to perform certain actions should have a mechanism securely identify and authenticate the host system, so that it respond to the authorized hosts only and not to any. The second being the network used for sending and receiving data. Most of the IoT devices use the wireless protocols like bluetooth, to reach out to an intermediate device for further connectivity with internet. Securing these networks is very important as well to ensure data protection. The third is the Back End, where the huge volume of data gathered are stored for making it into more meaningful information for further actions.

The Internet of Things can be a complex market with multiple nodes, and businesses should aim to simplify this process. There’s no better way to assure a customer of the simplicity and security, than communicating regularly. It might seem like a rudimentary thing to do, but the true test of a successful business is to ensure that there’s a process in place amidst all that clutter. 

Other Concerns

Today's connected cars contain a multitude of computers collecting data, from driving habits to location data to media or entertainment use. With connectivity, data collected by the vehicle’s computers are sent to a manufacturer or third-party and data is received as well in the form of command & control or as updates to the programs & algortihms. In addition to privacy concerns, these technologies potentially allow hackers to remotely access a vehicle’s control systems and thus impact the safety of the human life

The consumer behavior is being used to the advantage of the retailers. For example, your trousers might get horrified by your weight gain and in turn will have the TV showing contextual ads about new fad diets, the fridge selling you low-fat yogurt, etc.

By getting smarter, the things get expensive with a shorter life span. For instance, your mattress may not need replacing every couple of years, but the smart mattress with a sensor inside may need a maintenance and replacement sooner than that. For cheaper connected devices like the kettle, toaster, waist belt, light switches and door knobs; expect replacement of these components to become a new, regular expense.

The current generation kids are born with smart devices on hand and are extremely addicted to digital gadgets and the smartphone notifications keep them busy staying away from in-person socilaization, leading up for a complete digital burn-out. 

Internet of Things: What Strange Things Can Happen

It was about 6 years back, by when we have started to see WiFi enabled digital cameras and we were wondering what this has to do in a digital camera. But with that, the digital cameras were able to upload the captured images automatically to the cloud based photo albums. Later came in GPS equiped digital cameras, which attaches the location to the captured images. Of course, with smart phones equiped with higher resolution cameras, the digital cameras are on the downfall. That is just a well known example of how a 'thing' or a smart thing can connect to a network and share useful data for a purpose. So much have evolved since then and we now see a world of possibilities to have all the 'things' connected.


Researchers see a lot of benefits by making things smart and inter-connecting them. The networking technologies are also evolving at a brisk pace, offering various improvements over the wireless technologies and protocols. We can see this trend advancing further and may mature in about two decades from now. Looking further, in line with my blog on Human Interface Technology, even humans can remain connected, and that will render human disabilities a thing of the past century.


If you followed this year’s CES, it is evident that the future is all about connected devices. We could see everyday devices equipped with sensors and connectivity to work together, understand what we’re doing, and operate automatically to make our lives easier. Here are some of real world examples of Internet of Things:


A smart refrigerator that can read the embedded tags on the grocery items that are stored in it and then using the supported backend platform on the cloud, identify the items and fetch its details as to date of manufacture, expiry date, quantity, etc. Thus the fridge may alert the consumers about the state and stock of such items. With the kind of wearable gadgets that we see now, these alerts can be through such devices too. It is left to your imagination to what extent this smart capability can be extended.


Medical and emergency care is another area where the smart 'things' play a very useful and life saving role. For instance, a connected car can call emergency services faster than a mobile phone. Again, with the help of embedded or worn smart gadgets, the hospital can get to know the patient history as the patient gets into the hospital and can get ready for the emergency services thereby saving precious time, which can be life saving. Check out this interesting video. Check out this video that IBM has made out describing how it is growing fast and could invade into the everyday life of human beings.


Extending this further to the daily routines of a business executive, the possibilities are endless and here are some that are close to reality, if not already real:

• Your smartphone once it hears a hint about a meeting in a conversation, it will in the background look up your calendar and will pass on the busy / free information. If the executive uses a glass, then he would be seeing the schedule as he talks and thus facilitates the scheduling of the meetings.
• The smart alarms will be smart enough to consider information as to what time did go for sleep, the schedule (both personal and official) for the following day and thus will intelligently decide the wake up time in the morning and triggers the alarm.
• Depending on the traffic conditions, your car will intelligently suggest alternate routes to reach the office or such other scheduled meeting venue and if needed, automatically inform the meeting organizers about the possible delay or may seek rescheduling of the meeting.
• As you drive back home, you just remember that you need to pickup some drugs from a drugstore. Your smart car will already know this and will identify a store that stocks the drugs that you need and that is on the route or closer to the route that you drive. It can even place the order with the store and let the store keep your items ready for delivery and you just need to pick up enroute.
• Needless to say, your car will be smart enough to perform a health diagnostics of itself and will decide on a best date for its own garage visit so that your schedules are not impacted.
• These smart things will know about your presence and which device is in touch with you to send out alerts. For example, if you are at home watching TV, you may see your TV showing alerts from your washing machine and similarly, when you are at work, your smartphone would be used to show these notifications.
• Here are some more ways the 'Internet of Things' can impact your daily life.

Coming back to the household, you are watching your favorite action movie with surround sound and you did not changed your smartphone from a silent mode back to a ringing profile. You don't have to worry, your smartphone knows what you are upto and over a period would have learnt by itself, as to which of the calls you would want to answer at this situation and accordingly either rejects the call by answering the caller appropriately. If it is an important call that you would n't want to miss, it knows it already and will tone down the TV audio volume and thus draws your attention to the call and you don't have to reach out to your phone, your TV will take over the call from your smartphone. To extend this further, depending on the profiles of other members at the house, which the house already knows through its sensors and networks, your smart phone will decide whether to route the call on to the TV or not.


We can now visualize the possibilities and it is endless. The smart things will have built in learning capability and will keep learning from its master's behavior to perfect its services. This trend will lead us to a situation where the things might by themselves or under the influence of hackers attempt to take over human beings as portrayed in some of the recent science fiction movies. On top of this, hackers will also be leveraging these smart abilities to hack into these connected networks and could do whatever they have been doing with the connected systems now.


Here is how the hackers can intrude into your digital lifestyle:

• We have already seen reports of a smart refrigerators sending out spam emails.
• By hacking into your house network, hackers may get to know how many members are home or if there are none inside the home, which information will be useful for them to plan their burglary attempts, etc.
• Your TV may refuse to play your favorite channel and will rather play content that the hackers prefer you to watch.
• Your car may drive to a place that is different than where you wanted to visit. On the same lines, hackers can execute traffic diversions and cause traffic jams as portrayed in the movie Die Hard 4
• All your orders for home supplies may be hacked and deliveries may happen elsewhere, while you would have paid for it. And of course, your house network will still acknowledge for having received the deliveries, while it is not actually.
• The impact of hacking into the emergency service network could be huge and life threatening.
• Your smartphone can be hacked to refuse critical business calls and thus causing revenue impact to your organization.

IDC anticipates that more than 200 billion connected devices will be in use by 2021, with more than 30 billion being autonomous devices. Cisco’s Internet Business Solutions Group (IBSG) predicts some 25 billion devices will be connected by 2015, and 50 billion by 2020. How will having lots of things connected change everything? Find the answer in the infographic. With all this, Internet of Things is coming and will be here to stay soon. Whether we, the humans are ready to take on this evolution remains to be seen.