IT-OT convergence: Organisations need to improve overall security

Sukhbir Sandhu, Managing Director, ASEAN, Forescout

EITN: Is efficiency the only reason that IT and OT systems are being connected/converged these days?

Sukhbir: IT and OT systems have traditionally functioned separately, with each having its own network, goals, and specifications. However, it has now become commonplace to see a confluence of these networks as they offer tangible benefits including, but not limited to, operational efficiencies for businesses across a broad range of industry verticals.

The IT/OT convergence empowers organisations to improve processes in various ways and thus create a significant competitive advantage by bridging the gap between physical and digital capabilities. While efficiency is a key driver of IT/OT convergence, there are many other compelling reasons why organisations should look into connecting these two systems such as:

Opportunities for automation and reduced costs

  • IT/OT convergence enables organisations to streamline and optimise their business without having human operators as the bottlenecks. This convergence will allow professionals to predetermine actions based on specific conditions and/or have sensors in place to transmit information to an actuator – no longer needing employees to monitor every process and react to every situation manually.
  • With more automation opportunities presented, this will also lead to businesses having fewer systems to procure and maintain (getting rid of redundant systems), enabling teams to react to problems faster before wasting more resources or causing more damage.

Improved flexibility, visibility, and operational standards

  • With IT/OT convergence allowing businesses to constantly collect data, it creates the opportunity to optimise workflows, recognise patterns and enable leaders to make better-informed decisions and improve operational performance.
  • With the business environment constantly evolving, systems are also made more agile and can react more quickly to market changes.

Enhanced security

  • IT-OT convergence is not merely an integration of technologies, but also teams and processes. Thus, with the gap between cybersecurity and physical security being filled, organisations can potentially improve their overall security and protect operational assets and data.

EITN: What is automated security, and is it possible?

Sukhbir: Automated security is most certainly possible, and widely used today. Implemented properly, it allows organisations to automatically detect, investigate, and remediate cyber threats, sending the appropriate alerts to human security teams.

As attack surfaces continue to expand and cyber threats become increasingly sophisticated, human teams are often overwhelmed and unable to effectively manage, process and attend to data and alerts. This is especially so amid Southeast Asia’s ongoing shortage of cybersecurity talent. This is where security automation tools come in – to help administrators keep up with their responsibilities. Many security tools and systems use automation to accelerate threat detection, remove false positives, and enrich and prioritise alerts in accordance with the risk they pose to the organisation in real time.

EITN: Moving forward, do you see OT continuing to be insecure by design?

Sukhbir: There is still a tendency to downplay vulnerabilities within OT systems. Showcasing the scale of the issue, Forescout uncovered more than 50 vulnerabilities affecting devices from major OT vendors in 2022, all of which stem from insecurely designed functionality. OT vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors. These vulnerabilities could serve as attack vectors for threat actors on OT networks, opening the doors to potential credential theft, remote code execution, firmware manipulation, and ultimately, disruption of critical services.

Despite cybersecurity becoming an essential business requirement, the focus remains overwhelmingly placed on the protection of IT networks. Many organisations today continue to operate with inadequate OT security frameworks, impacting their ability to properly protect critical functions governed by these systems.

The challenge is increased by current trends such as the IoT revolution. Having traditionally worked in isolation and designed with a focus on functionality rather than security, OT systems often lack basic security features and defences. The reality is that a successful intrusion into networks controlling critical infrastructure like an electricity grid, oil rig, or emergency response services could have catastrophic results.

EITN: Could ransomware attacks on OT systems occur, if OT was not converging with IT?

Sukhbir: Ransomware attacks in their modern form are unlikely to happen on traditionally air-gapped OT systems. While risks remained from malware carried on USB flash drives, the isolation of OT systems meant that the impact on the broader organisation was likely to be limited in scale.

However, the need to remain competitive against the backdrop of an increasingly digital and less human-capital-intensive business environment means that the IT/OT convergence is needed or even essential for success. Production environments today are commonly characterised by hundreds of digital systems and interconnections that provide business benefits.

With industrial environments increasingly dependent on digital systems for production, security teams need to adopt a holistic approach to asset discovery, assessment and governance that helps avoid downtime and ensure regulatory compliance.

EITN: Are mitigation techniques for OT threats the same as for IT threats? If yes, or no, how are they different, or how are they the same? What are the typical challenges in detecting OT threats?

Sukhbir: While attacks on OT systems are making the headlines, most attacks begin with threat actors gaining access to enterprise networks through IT and IoT assets before moving laterally.

For modern enterprise environments with thousands of interconnected devices to monitor and control operations that were once manual, it will be key for security teams to have the requisite visibility and insight into device context, enabling them to effectively respond to threats.

The complexity involved in monitoring these interconnected devices can be greatly reduced by automating and orchestrating security operations across all assets on a single platform. Automation can benefit areas such as:

Device Context – Automation enables organisations to maintain up-to-date information about all their cyber assets as soon as they join or leave the network. Network context is key to understanding what the device is, what it is connected to, and where it is located. For example, this context enables security teams to discern between a personal computer running Windows vs. a Windows-based machine responsible for operating a lift.

Orchestrated Workflows – Automatically triggering remediation, such as executing a script, fixing a missing agent, or triggering a patch, is key to staying ahead of threats. Automated workflows can enforce policies and trigger pre-set responses such as isolating vulnerable devices until they can be remediated.

Accelerated Response – Cyberattacks have become increasingly automated as well, so responding to incidents at machine speed is critical to preventing, mitigating, and recovering from a breach. Automating threat detection alongside the use of multifactor risk scoring can prioritise alerts to the risks and threats that matter most.

These can broadly deliver the following benefits:

  • Ensure existing security products are installed, running and up to date.
  • Provide insight on device, user and network context between different IT and security products and enable security teams to identify process operations issues early on to avoid downtime.
  • Automate system-wide policy enforcement across disparate solutions.
  • Accelerate response actions to inform operators and contain identified threats, mitigating risks in a timely manner.

EITN: How do visibility technologies help?

Sukhbir: Visibility and monitoring solutions can provide rich information into the depth and breadth of a network, helping organisations eliminate cybersecurity blind spots. Having an accurate, detailed, and up-to-date inventory of devices connected to the network allows security teams to fully understand what devices sit within their network environment and how they are interacting with each other. Some basic principles include:

  • Knowing the state of your network environment:
      • How are devices interacting with each other? What protocols are being used?
      • Does every device need to be on the same network?
      • What is the current software version compared to what you have deployed?
      • If there are changes to be made, how will this impact any of the above?
  • Disabling access to services or software not needed. This could be local to the endpoint or upstream by using network segmentation.

These principles provide the context necessary for accurate segmentation of devices, allowing security teams to assign appropriate security policies that prevent intruders from moving laterally to other networks or devices.
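The device-context distinction above (a Windows PC versus a Windows machine operating a lift) and the visibility principles just listed can be turned into concrete inventory checks. The following is an added example, not Forescout's or the interviewee's code; the device records, segment labels and protocol names are constructed, and the "allowed services per role" policy is a hypothetical one:

```python
"""Added example: applying the visibility principles to a constructed inventory."""
from dataclasses import dataclass, field

OT_PROTOCOLS = {"modbus", "bacnet", "s7comm", "dnp3"}


@dataclass
class Device:
    name: str
    os: str
    segment: str                                  # "it" or "ot" (constructed labels)
    flows: dict = field(default_factory=dict)     # observed peer -> protocol
    running: str = ""                             # software/firmware version seen
    services: set = field(default_factory=set)    # listening services seen


def classify(dev: Device) -> str:
    """Device context: the OS alone is not the role; what the device talks to is.
    A Windows host speaking Modbus to a PLC is an OT controller, not a desktop."""
    if OT_PROTOCOLS & (set(dev.flows.values()) | dev.services):
        return "ot-controller"
    return "it-endpoint"


def cross_segment_flows(inv: list) -> list:
    """'Does every device need to be on the same network?' List flows that
    cross the IT/OT boundary; each is a candidate for segmentation policy."""
    seg = {d.name: d.segment for d in inv}
    return sorted((d.name, peer, proto) for d in inv
                  for peer, proto in d.flows.items() if seg.get(peer) != d.segment)


def version_drift(inv: list, deployed: dict) -> list:
    """'Current software version vs. what you have deployed': report mismatches."""
    return [(d.name, d.running, deployed[d.name]) for d in inv
            if d.name in deployed and d.running != deployed[d.name]]


def unneeded_services(inv: list, allowed: dict) -> list:
    """'Disable services not needed': services outside the role's allowed set."""
    return [(d.name, s) for d in inv for s in sorted(d.services - allowed[classify(d)])]


# Constructed sample inventory (no real devices or versions).
INVENTORY = [
    Device("ws-01", "windows", "it", {"lift-ctl": "rdp"}, "10.0.19045", {"smb", "rdp"}),
    Device("lift-ctl", "windows", "ot", {"lift-plc": "modbus"}, "10.0.18363",
           {"modbus", "smb", "rdp"}),
    Device("lift-plc", "rtos", "ot", {}, "2.1", {"modbus", "http"}),
]
DEPLOYED = {"ws-01": "10.0.19045", "lift-ctl": "10.0.19045", "lift-plc": "2.3"}
ALLOWED = {"it-endpoint": {"smb", "rdp"}, "ot-controller": {"modbus"}}  # hypothetical policy
```

Running the three checks over `INVENTORY` surfaces the IT-to-OT RDP flow, the two hosts whose running version differs from the deployed baseline, and the management services that the lift controller and PLC expose but do not need for their role.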

EITN: Please share the megatrends that you see shaping up in SEA and Malaysia.

Sukhbir: OT systems are increasingly crucial in key infrastructure projects such as national or state utility plants or manufacturing. We are seeing the importance of focusing on strengthening the protection of Critical Information Infrastructure (CII) against cyber-attacks.

Forescout’s research team, Vedere Labs, conducted an analysis of the cyber threat landscape and identified several megatrends that are likely to be applicable to businesses in Southeast Asia. One of these trends involves the rise of ransomware, which is currently being spotlighted by high-profile attacks on organisations such as AirAsia, Singtel, and globally, Colonial Pipeline. United Nations data has identified ransomware as the most prominent malware threat in Southeast Asia, while leading digital economies in the region such as Malaysia have issued advisories warning of increased ransomware attacks.

Ransomware threats are evolving in complexity, with Vedere Labs’ research uncovering that ransomware and IoT attacks, two of the largest cybersecurity threats in recent years, are converging. This has resulted in attacks moving beyond IT workstations and servers, with threat actors looking for vulnerabilities in connected IoT devices such as IP cameras, VoIP, and video conferencing systems to exploit for initial access into an organisation’s network. This has implications from an OT perspective, as threat actors could access IT networks via vulnerabilities in connected devices and move laterally to OT systems.

Forescout has observed a growing prevalence of malware, especially destructive wipers for sabotage or to destroy evidence. These types of malware typically overwrite or encrypt critical files such as the master boot record of a system. Malware groups are also targeting insecure-by-design native capabilities of OT equipment. Vulnerabilities stemming from persistent insecure-by-design practices as well as inadequate attempts to fix them are set to continue posing challenges for cybersecurity.

As Southeast Asia’s digital transformation continues, organisations will thus need to continuously invest into and improve their security posture to safeguard against increasingly sophisticated threats.