CyberX: In The Worlds Of IT and OT, IoT Solution Providers Are The Ones Who Can Bridge The Security Gap
When solution providers need to patch an enterprise customer's Windows machine, it can be a quick and simple process. That same process, however, could lead to a significant loss of revenue for a manufacturing customer.
As industrial organizations begin to connect their machines to the network, the differences in security requirements for IT versus operational technology (OT) are becoming more important to understand, and that's where solution providers come in, said Phil Neray, vice president of industrial cybersecurity at CyberX.
"Resellers who want to expand into OT security realize that it doesn't work to merely extend IT security tools," he told CRN. "The number one thing that the channel needs to do is be aware that these differences do exist and look at the platforms of vendors who are specializing in OT security, rather than trying to adapt an IT platform to OT."
Solution providers with IT knowledge need to understand key differences in machines on the OT side and how they impact security requirements.
The process of patching and upgrading is one of the biggest differences in the IT and OT worlds, said Neray. On the IT side, regular patching and upgrading to the latest version of Windows, for instance, is common and encouraged. But on the OT side, patching causes downtime, which companies cannot afford, and upgrading to the latest version of Windows isn’t always possible and requires rewriting of the SCADA application, said Neray.
"To get around that you need to push industrial vendors to support more modern versions of Windows and put in place compensating controls to monitor environments for anomalies and prevent breaches," said Neray.
But there are other differences between IT and OT security that solution providers on the IT side will need to take into account. For instance, many are used to dealing with standard IP-based protocols such as HTTP, HTTPS and STP on the IT side, but OT networks have their own proprietary industrial protocols, including DNP3, Modbus, GE SRTP and Siemens S7.
"The protocols running on the OT networks are very different than those on the IT side," Neray said. "An IT security company needs to build an understanding of both these protocols into a product … most of them don't have the expertise and have not done that."
Another key difference lies in the analytics and scanning tools used. For example, an IT security product uses behavioral analytics and machine learning to find anomalies in connected devices, but the algorithms underpinning an offering for OT are not the same, said Neray.
Meanwhile, it's also common for solution providers to use vulnerability scanning as a viable tool to help keep customers secure, but that won't work in an OT environment, he said. On the OT side, vulnerability scanning tools will interfere with the normal operations of industrial control systems and cause downtime.
"This is very common and many IT networks do this on a daily basis because it helps them stay current on patches," said Neray. "But if you take the same approach on the OT side, scanning devices, it will cause downtime."
IT solution providers also need to understand the first steps they need to take when working with OT customers. They need to help customers create an inventory of what they have on their OT network and what the topology of their network looks like, according to Neray. After that, solution providers need to help their customers implement segmentation wherever possible, so if an attacker gets into an OT network they have limited ability to cause damage.
Finally, continuous monitoring is a critical step to ensure that an OT network is free of vulnerabilities. From there, leveraging industrial control system threat intelligence will help in planning incident responses.
Jeff Miller, chief technologist of smart manufacturing at Avid Solutions, a Winston-Salem, N.C.-based systems integrator, said the channel has an important role to play in breaking down and understanding IT versus OT security – and communication and education on both sides is critical.
"A lot of companies rely on us to be the liaison between IT and OT – we need to understand both sides, and that's the bridge we can provide," he said.