Can Converged Information Technology (IT) and Operational Technology (OT) be Secured?

The short answer? No.

On reviewing a recent NIST/NCCoE project guideline for backup and recovery of manufacturing networks, the scope was realistic but frankly pessimistic: once IT and OT intertwine, an attack is treated as inevitable. Their example starts with a business that is either already breached or soon will be. The network architecture of this "hypothetical" scenario relied on software-based security. It employed an Industrial Demilitarized Zone (IDMZ), which enables remote monitoring and management (RMM), cloud connectivity and similar capabilities, but dramatically increases the attack surface. Its predecessor, the air-gap, was historically successful because of its physical and logical network segmentation. Unfortunately, many have abandoned the air-gap and connected their OT to IT, which quickly complicates security; such businesses need recovery tools because a breach is all but guaranteed.

Historically, IT and OT environments were isolated by default (OT predates cyberwarfare and cybercrime by a considerable margin). However, as the internet became more democratized, capable, commercial, and dangerous, manufacturers came to understand the intrinsic lack of OT cybersecurity: many devices could not support patching, updates could interrupt production, and so on. It was, and still is, common for these environments to contain equipment so expensive that it must be maintained for decades rather than replaced, and replacement is especially hard to justify when the OT works as-is. Concurrently with the commercialization of the internet, many worked to help businesses secure those transformative capabilities; a formidable challenge awaited.

As it stands today, there appears to be a broad, innocent misunderstanding of compliance frameworks and of the solutions (products) subsequently needed. This has necessitated a Herculean effort from industry and government to provide distilled versions of compliance and education on cybersecurity. It has been an uphill battle, as manufacturers of all sizes have been increasingly tempted by specialized capabilities and services which require the internet. These capabilities have led to justifications for compromising the security of an air-gap, and to the trend of IT/OT convergence. This unfortunately exposes the insufficient defense of OT security products to the robust offense and community of cybercriminals. Even a cursory look at the growing frequency and financial impact of cyberattacks highlights the mismatch between the resources and capabilities of the cybersecurity industry and those of its adversaries, and the failure of cybersecurity guidelines to communicate effectively.

A widely cited figure attributed to the National Cyber Security Alliance holds that 60% of small businesses that are hacked go out of business within six months. If so, most organizations are unprepared for a cyberattack: they have not tested their backups, or their backups are impractical to restore.

If a criminal in, say, Russia or China wants to perform some "unsanctioned penetration testing", they can cheaply buy ransomware and intrusion tools on the dark web with little effort. If businesses can be shuttered by one person using readily available exploits, a reexamination of what is really valuable, and of how to practically and effectively protect that value, is needed.

However, even with an air-gap, attacks are always possible and fast recovery is needed; non-cyber, physical failures such as fires or cut cables also cause downtime. All backups must be tested, and regular (monthly) backups restored onto test servers and machines are recommended so that recovery is well understood. Still, the best-known instance of an air-gap being penetrated is Stuxnet, in Iran's nuclear program, which required four 0day (never before seen) exploits. If a new Stuxnet is the biggest concern of a small or medium-sized manufacturer (SMM), well... Regardless, having a framework for recovery shows good forethought and fiduciary duty to protect the company's assets, and is generally far easier to implement than cybersecurity compliance.

"Yes, we know you'll be breached. Here's how to recover." doesn't have the same ring to it as "Yes, we know you'll be a target. Here's how to secure your valuables." – but at least it's a start...

Technology now exists (NetThunder Spark) where backups, even of isolated systems, can be performed without downtime, and automated recovery is possible without being at the mercy of an outside cloud provider (which is often prohibitively expensive, with slow restore times). Furthermore, if any public cloud-based systems are used (which is strongly recommended against), every cloud asset should have a local backup, since cloud assets can be attacked too. The backup/recovery setup should allow an easy way of "going back", and drills are needed to build confidence in that process. While software-based segmentation can help, physical/hardware segmentation should always be preferred.
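The testing discipline recommended above (backups restored onto a test machine and verified, with drills to build confidence in "going back") can be reduced to a small, repeatable script. The following is an added example, not code from the original article or from NetThunder: it archives a directory, records a SHA-256 manifest of every file at backup time, restores the archive into a scratch directory, and checks every restored file against that manifest. The sample "OT" files and the truncated-archive fault are constructed for the example, and the function names are this example's own.

```python
"""Backup-and-restore drill: back up, restore to scratch, verify by checksum.

Added example, not from the original article or NetThunder. Function names
and the constructed sample files below are this example's own.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need no extra RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of `source`; return the manifest taken
    at backup time, which is what the later restore is judged against."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into `target`. The 'data' filter (Python 3.12+, backported to
    3.8.17/3.9.17/3.10.12/3.11.4) refuses absolute paths, '..' traversal and
    links that escape `target`; older interpreters fall back to plain extraction."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:  # this interpreter has no 'filter' keyword
            tar.extractall(target)


def verify_restore(restored: Path, expected: dict) -> list:
    """Return human-readable problems; an empty list means the drill passed."""
    actual = build_manifest(restored)
    problems = [f"missing after restore: {rel}" for rel in expected if rel not in actual]
    problems += [f"checksum mismatch: {rel}" for rel, digest in expected.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected file after restore: {rel}" for rel in actual if rel not in expected]
    return problems


def run_drill(source: Path, truncate_archive: bool = False) -> list:
    """Back up `source`, restore it into a scratch directory and verify.
    `truncate_archive` simulates an interrupted copy to offline media, so the
    drill is seen to fail loudly instead of quietly passing an untested backup."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp)
        archive = scratch / "backup.tar.gz"
        expected = create_backup(source, archive)
        if truncate_archive:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 3])  # constructed fault
        restore_dir = scratch / "restore"
        restore_dir.mkdir()
        try:
            restore_backup(archive, restore_dir)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"restore failed: {exc!r}"]
        return verify_restore(restore_dir, expected)


def demo(truncate_archive: bool = False) -> list:
    """Run the drill over a constructed sample of 'OT' files (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "plc_backups"
        (src / "line3").mkdir(parents=True)
        (src / "line3" / "recipe.csv").write_text("step,setpoint\n1,42.0\n2,61.5\n")
        (src / "line3" / "ladder.txt").write_text("XIC I:0/0 OTE O:0/1\n")
        (src / "hmi.cfg").write_text("screen=main\nrefresh_ms=500\n")
        return run_drill(src, truncate_archive=truncate_archive)


if __name__ == "__main__":
    print("clean drill:", demo() or "PASS")
    print("truncated archive:", demo(truncate_archive=True))
```

Point `run_drill` at the directory a real backup job produces and run it on the monthly schedule the text suggests; the manifest is the part worth keeping offline, since it lets a restore be judged without trusting the archive that is being tested.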

Manufacturing should never have moved away from a provably secure architecture. The assumption that a breach is inevitable, and will be achieved with little creative or technical effort, is simply too bleak. Maybe it can be prevented with a more digestible and practical guide, but it has always been possible for businesses to run multiple networks: an internally facing, isolated OT network and an externally facing IT network. Furthermore, factories always have staff on site; remote access is unnecessary and dangerous. Imagine for a moment an alternate reality where OT remained isolated. Those capable of developing 0day exploits would have to focus on very large enterprises with the ROI to justify their effort, and cybercriminals who rely on crude, pre-packaged ransomware would have to focus on other industries. Instead, businesses are justifying RMM and cloud because they either don't understand the risks and the technology, or they are big enough to weather an attack.

If square one were physically segmented OT located in a secure facility, then a breach would require 0day exploitation. However, maintaining true physical and logical segmentation is easier said than done. Without additional staff or automation to manage that segmentation, maintaining an air-gap is burdensome, impractical, or even impossible for SMMs. Stakeholders don't want to deal with or understand the technology; they just want things to work. Now, manufacturers can take advantage of NetThunder's technology to automate IT and OT infrastructure, dramatically reducing their attack surface by enabling them to easily manage physically segmented networks.