Securing the Future of Industrial Automation: The Crossroads of IT & OT

By Anthony Eich on September 24, 2021

Executive Summary

Industrial Control Systems (ICS) are devices used to maintain operability of machinery and equipment. They are small devices containing computers whose operating systems are known as firmware. They are designed to perform specific jobs, such as controlling heating and air conditioning systems, or machines that are part of a large manufacturing facility. These devices have been in use for several decades and have become integral parts of our national infrastructure. As technology continues to advance, new ways to implement these devices are being found, and as with most new technological developments, network interoperability is being integrated. Unfortunately, many of these systems have not been developed with cybersecurity in mind, which has left gaps between systems and created vulnerabilities that can be exploited by those with the knowledge of how to do so. With the demand for more decentralized control, the need for a solution to these system gaps is obvious. Fortunately, there are organizations that are dedicated to solving the disparity between industrial control systems and network security. With the guidance that is being formulated, policy and best practices can be integrated into future development in order to ensure a higher standard for security in hopes of deterring and defending against would-be attacks.

Background

A recent webinar presented by the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) discussed the topic of cybersecurity in Industrial Control Systems [1]. Today, Industrial Control Systems are more automated than ever before, with network connectivity allowing for management and control of devices from a distance. This represents a convergence of Operational Technology (OT), such as ICS devices that control Heating, Ventilation and Air Conditioning (HVAC) systems, and traditional Information Technology (IT). This convergence is seen as a necessary move towards the future of industrial systems. However, there exists a gap between the two systems that needs to be bridged in order for integration to be complete and secure. Operational Technology engineers in the past have not necessarily been trained on the functionality of the networks that they are using to automate the control devices that they install and operate. On the flip side of that coin, Information Technology workers may not be trained in or familiar with the simplified yet intricate operating systems and firmware that are embedded in ICS devices, making management from a central location risky. For example, it would not be wise to have a strictly IT-trained individual managing the temperature controls for an industrial crucible, with little understanding of the machinery and process that is involved in such a dangerous operation. Conversely, a worker who is not properly trained in the fundamentals of network security could leave a door open for a malicious actor to take control of a system and cause potentially catastrophic damage. ASHRAE, in conjunction with Trane Technologies Inc., is working to build that bridge between OT and IT, through the education and promotion of cross-training to facilitate the merging of technologies into a homogeneous system that is both operationally sound and technically secure.

Impact

The COVID-19 global pandemic has accelerated the convergence of OT and IT [1]. Since many facilities are now falling into lockstep compliance for the health and safety of workers by maintaining social distancing protocols, the move to automate systems and control them from afar is becoming imperative. The need for these systems to be secure and protected from cyber attacks is now seen as a matter of growing importance. Events such as the Colonial Pipeline ransomware attack in late April 2021 have helped to bring this necessity into focus [2]. The traditional view that ICS security is an impediment to productivity is being replaced with concern for keeping control of these systems out of the hands of malicious actors. Industry leaders in both OT and IT are recognizing the increased threat. One report by Dragos Inc. suggests that the number of cyber-criminal groups focusing attacks on ICS systems tripled in 2020 [3]. These cyber criminals take advantage of systems that have been designed to maximize operational efficiency, with little consideration for security and IT best practices. In many instances, ICS devices that may be considered top of the line for the job that they perform are accessed by computer systems that are outdated and insecure due to budget constraints or technological limitations. In order to harden these systems, companies like Trane are moving forward by integrating security and IT into their planning of facility systems [1]. The result is a more secure environment. The implementation of this planning comes with a higher price tag, but it considerably mitigates the potential loss of life and property that could be the result of a less secure system. Once these systems are up and running, they do need to be operated and maintained. Trane and ASHRAE are also teaming up to create a workforce that is both OT and IT proficient, with training programs that emphasize a forging of the two traditionally separated vocations.

Significance

Now that the realization that Operational Technology needs to be more secure has become more mainstream, organizations are taking steps to implement methods, protocols, and device designs that take this into consideration. Communication between IT teams and Facilities Managers is a big part of the equation. Design teams need to make provisions for security part of the planning process. Device manufacturers need to be vetted, and ICS controllers should be tested and have a means for patching and upgrading firmware. Maintenance schedules should include not only the checking of the physical operations and abilities of a device, but also the updating of firmware and security credentials, which is imperative. When installing devices, IT and OT security best practices should be followed, such as restricting physical access to controllers and isolating control networks from publicly accessible networks. Documentation of the processes is a vital part of creating the communication bridge between OT and IT operators. The United States is one of the most highly network-connected countries in the world, and it is clear that many Advanced Persistent Threat (APT) and other organized crime groups are going to continue to attempt to exploit any and all vulnerabilities in that network. As the trend towards connectivity continues to grow, the practices to create fundamentally secure industrial control systems will become more and more important to the safety and security of our Nation’s infrastructure.

References

[1] Alger, J. (2021, 9 16). BAS & Cybersecurity. Retrieved from ASHRAE Journal: https://event.on24.com/eventRegistration/console/EventConsoleApollo.jsp?&eventid=3375518&sessionid=1&username=&partnerref=&format=fhaudio&mobile=&flashsupportedmobiledevice=&helpcenter=&key=9A55262298759DC60AAB1780A95FBB84&newConsole=true&nxChe=true&newTa

[2] Turton, W., & Mehrotra, K. (2021, 6 4). Hackers Breached Colonial Pipeline Using Compromised Password. Retrieved 9 21, 2021, from Bloomberg: https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

[3] Waldman, A. (2021, 2 24). Dragos: ICS security threats grew threefold in 2020. Retrieved 9 21, 2021, from TechTarget: https://searchsecurity.techtarget.com/news/252496808/Dragos-ICS-security-threats-grew-threefold