Wednesday, November 6, 2024

Addressing cybersecurity challenges when integrating IT and OT

The current trend of automation and data exchange in industry, through the development, use and integration of cyber-physical systems, the Internet of Things, cloud computing, artificial intelligence and other enabling technologies, is expected to bring tremendous benefits to the economy, including improved productivity and efficiency, better flexibility and agility, and increased profitability. However, it also comes with increased cybersecurity risks, deriving primarily from the integration of Information Technology (IT) and Operational Technology (OT). The main reason is that until recently OT systems were designed to operate in physical isolation from IT networks, so no security measures were thought to be really necessary. As an example, user authentication or data integrity mechanisms are not present in many OT systems. However, the digitalization of such OT systems and their integration with enterprise IT systems exposes them to threat actors acting remotely, even over the Internet, and to attacks that were simply not possible to launch in the past.

Gartner predicts that by 2025, cyber attackers will have weaponized OT environments to successfully harm or kill humans, and that the financial impact of attacks against OT systems resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.

It is, therefore, important for organizations whose digital transformation involves IT/OT integration projects to engage with such projects and carry them out in such a way that the end result will enjoy the desired cybersecurity levels. Note, however, that, as in all cases of a major shift in computing paradigms, a number of cybersecurity challenges, additional to those common when integrating IT systems only, should be expected to arise. These are due to some inherent characteristics of OT systems that differentiate them from IT systems:

  • Some of the components of OT systems, e.g., sensors, controllers, actuators, interface directly with the physical world and, in contrast to IT systems, perform only a few specific actions. As such, they do not need the general computing power of a computer or even of a mobile phone, and therefore they tend to have limited computing resources.
  • OT systems are mostly real-time systems, therefore the time in which computations are performed is important in ensuring the correct operation of the system.
  • OT systems typically have a much longer lifecycle than that of IT systems. This mismatch introduces compatibility problems when IT systems or components need to be updated.
  • OT systems started employing IP-compatible network and communication protocols recently. A huge volume of what would be considered legacy OT systems, in terms of the communication protocols they employ, exists.
  • OT systems are diverse, and they extend from modern land, sea, and air vehicles to medical devices, to industrial control systems. Different standards, requirements, communication technologies, and time constraints apply to such systems, forming a complex landscape, especially when OT systems interconnect to form systems-of-systems, as for example in the case of the power grid.
  • As OT systems interact with the physical world, it is equally important to operate safely for humans and the environment as it is to operate securely. Therefore, the concept of risk in OT systems differs from that in IT systems.

An IT/OT integration project will present both technical and organizational cybersecurity challenges. Some of them will be common to other similar initiatives; these can be alleviated by using publicly available resources that describe suitable practices. Cybersecurity technology products for use in integrated IT/OT systems from several vendors, mostly providing monitoring and situational awareness services, do exist. However, the mere use of such solutions will not suffice to secure integrated IT/OT systems. Instead, a holistic approach encompassing technology, people, and processes, and systematically addressing all stages in the lifecycle of a cybersecurity project, such as that described by the NIST cybersecurity framework, needs to be followed.

A necessary prerequisite before engaging successfully with such a process is to ensure that both IT and OT stakeholders communicate and collaborate closely towards overcoming pre-existing barriers and aligning objectives. This in turn necessitates the knowledge and use of a common language, a condition which more often than not should not be assumed to hold. For example, it is unlikely that IT staff will be familiar with the operation of PLCs, as it is also unlikely that OT staff will be actively involved with cybersecurity incident response procedures. Thus, the need for a pre-project training and team-building component emerges. Such a component should be tailor-made to suit the specific needs and profile of the enterprise in question.

Many enterprises that have successfully carried out projects integrating IT and OT in the context of their digital transformation have identified knowledge gaps in the process that cannot be covered by traditional consultancy services. In such cases, effective collaboration with research institutions may prove to be mutually beneficial.
