Organisations are becoming more reliant on real-time data from their industrial operational technology (OT) systems and they are being connected to company networks so that they can provide real-time data on critical systems and infrastructure. 

This has dramatically increased the risk profile of OT systems as cyber security protection at the device level has not kept up.

Point security solutions working in isolation provide inconsistent security coverage and increase operational deployment and ongoing maintenance complexity with different reporting dashboards, increasing the overall total cost of ownership (TCO).

For the CISO, OT device visibility blind spots make it hard to assess the threat surface and report on compliance. Many industrial organisations do not know all of their OT or IoT devices and therefore cannot implement appropriate prevention, detection or response capabilities. 

Also, many OT environments contain legacy systems that cannot be updated and therefore rely on network security controls for their protection. Additionally, the lack of network segregation and threat inspection within OT environments places the most critical systems at greater risk.

Speaking at a roundtable, organised by iTnews Asia on Securing the modern OT and IoT environment in the age of digital transformation on August 15, 2023, Palo Alto Networks JAPAC Field Chief Security Officer, Alex Nehmy, set the tone of the discussion by noting that IT and OT are more connected than they’ve ever been before.

“So, the threats that OT was safe from (previously) are now very real risks,” Nehmy noted.

Most organisations, when it comes to OT or even IoT, don’t have the necessary controls in place to protect these critical assets and many organisations don’t have visibility into what assets they have hence they don’t segregate them and keep them secure, he said.

Wide range of views

Top industry leaders from different industry sectors shared their views and experiences on this important subject in an engaging discussion that lasted for nearly three hours.

Nehmy noted that OT devices are typically purchased and maintained by plant managers with the help of original equipment manufacturers (OEMs).

The problem starts when these devices connect to the network. Teams responsible for network security do not understand the protocols used by these devices and hence it is a nightmare to devise the right security policies for these critical devices. When these devices are connected to the network, it creates a crucial weakness in the security profile.

Since network security is only as good as its weakest link, Nehmy added that there is an increasing incidence of threat actors writing malware that specifically targets OT and mission-critical assets as a means of entry into an organisation’s network.

He said the problem has been amplified post-pandemic as more organisations have been forced to grant remote access into their industrial environments, not just to their staff working remotely but also to third parties, who help to manage and maintain these critical digital systems.

Many OT environments are now supported by remote staff and third parties that require remote access. This has extended the OT attack surface to these remote parties, further placing the security of critical OT systems at risk.

“So, the threats to these industrial systems have never been higher. And if we look at industrial organisations, these assets are at the heart of the organisation, they must be protected,” Nehmy said.

Regulations driving data collection

Sharing his perspective, DFI Retail Group CIO, Ian Loe, noted that regulations are driving companies in the retail sector, such as his own, to collect data.

“In Singapore, grocery retailers (DFI runs Cold Storage, Giant and Market Place, among other supermarkets) have to record temperatures of their refrigeration equipment for storage of fish and other products”, he said.

In the past, Loe noted, the temperatures were taken manually.

“But now we have to have network-connected thermometer refrigeration devices,” he said.

Loe noted that traditionally, fridges and other equipment used in the retail sector were part of non-IT procurement, hence IT was not involved until much later.

“As a result, visibility, from an IT security perspective is gone because we do not have any access or understanding of the underlying sensors and the type of security they have and yet these devices connect to the network,” Loe said.      

This is something that is being addressed with IT getting involved in future smart and (network) connected retail tech equipment procurement.

Palo Alto Networks Systems Engineering Manager, Tan Yong Chen, said that in his conversations with customers, he saw that in many instances the attitude is that securing OT devices “was not my problem”.

He noted that this approach may not work in the long term as it is likely that the government would mandate security requirements for OT and IoT devices.

“I think we should look at a more holistic view into the organisation securing the company network as a whole and not waiting for things to happen,” Tan said.  

Nehmy noted that studies have shown that IoT devices make up about 25-30 percent of the endpoints within an organisation.

“These devices create a hidden attack surface. Organisations don’t know what devices they have or their security posture and they also haven’t segmented them. These devices are just sitting there, waiting to be compromised,” he added.

Sharing her views, DHL Group’s Executive VP and Global Head of IT Services, Supriya Rao Patwardhan, said that it was not a question of whether there would be a major security incident involving OT and IoT devices but the question is when it would happen.

“OT has kind of slipped in very quietly into every inch of the shop floor right into how we operate. And it was never really considered and consulted decision,” Rao Patwardhan said.

Education is key

Talking about how DHL is tackling the security problem, she noted that, before going into a panic mode, DHL started with a lot of education, “with our business community to bring them to understand what does this mean”.

“It’s sometimes good to create a little panic because it catches their attention. And I think over some time we’ve (DHL) just built on that. Are we there yet? No yet,” she added.

She agreed with Loe’s point about procurement decisions being based on commercial considerations or features.

“And they don’t even know what kind of sensors or what kind of specifications are built-in or what’s the capability of the systems to protect themselves from being hacked.

“And strangely enough, when we started to go back to the salespeople who sold us those things, they also didn’t know,” she added.

Rao Patwardhan said that the only way to tackle the issue was to focus on network security.

“One of the things we’ve done is through procurement, because obviously, as DHL we procure a lot. There are lots of companies who would like to be our suppliers. So, we use that leverage to build into our procurement contracts, a security code of conduct on what we expect from our suppliers. And you have to sign up for it if you’re a supplier,” she said.

Rao Patwardhan added that this mandate requires a fair amount of diligence on the suppliers’ part, “but it at least gives us the assurance that our partners are looking at it or giving it the same priority”.

“And I would expect that this should become an industry standard that when you buy things for mission-critical operations, you should always have some clauses in there that apply regardless of what type of equipment you’re buying because they’re part of your supply chain.”

Defence in-depth approach

Nehmy said the best solution to securing a myriad of OT and IoT devices was a defence in depth approach.

“If you are a large organisation, it is difficult for you to keep track of how many sensors you have from different manufacturers and there is no way that you can ensure they’re built with security in mind.

“So, the network provides the central layer to segregate, prevent threats, monitor traffic and provide visibility to identify attacks, and also configuration weaknesses and vulnerabilities as well,” he added.

This layer, Nehmy said could be, for example, the OT landing zone, the IoT landing zone and, in DFI’s case the temperature sensor landing zone, making sure they’re in secure zones with the least privilege protection built around them.

He said the network is the “perfect place” to do that.

He added that Palo Alto Networks recommends a zero-trust approach to its customers.

“So least privilege, let’s take a risk-based approach. Let’s not secure everything that doesn’t matter. Let’s take the critical systems and put them in a secure zone and put the maximum level of protection around them.

“Let’s have least privileged access and have a User ID to only allow specific users in and also have an Application ID to only allow specific applications in.

“And let’s use Device ID to only allow access to specific devices and have the least privileged access to these most critical systems.

“The rest of the systems if they get hacked, for example, if it’s an audio-visual system, it probably doesn’t matter. But if it’s a certain mission-critical sensor device, let’s protect it like it’s mission-critical,” Nehmy said.

Security exists to support business objectives

He added that it was worth keeping in mind that security is there to support the organisation and support the business’s objectives.

“And, that’s why an air gap generally doesn’t work, because it doesn’t allow that flow of data, and so we need to maintain a balance between least privilege while allowing the business to do what it does.

“We need to say, yes, you can do this. Yes, you can do that. But let’s manage the risk within our risk tolerance,” Nehmy said.

With the wide selection of attendees from various industries like utilities, retail, infrastructure and other areas, there was a wide range of sharing of both experiences as well as problems being faced with OT and IoT devices.

The consensus was that while it would be impossible to secure every OT and IoT device within an organisation, the security should and can be implemented in the network layer with a zero-trust, least-privileged approach.