the convergence of it and ot

1

THE CONVERGENCE OF INFORmaTION TECHNOlOGy aNd OpERaTIONal TECHNOlOGy.

a NEW INdUSTRIal REVOlUTION.

2

EXECUTIVE SUmmaRyHistorically, industrial processes and the technology that supports their operation (Operational Technology (OT)) have been isolated from connectivity with the outside world. However, in recent years an increasing number of industrial processes, utilities and factories have become interconnected with each other and their Enterprise LANs. In the hope of increasing efficiency, driving cost savings, improving decision making capability and enhancing competitiveness, Information Technology (IT) previously only found in Enterprise Networks is now being implemented within industrial networks. As a result, industrial systems are now exposed to risks and dangers that were never considered in their original design: the threat of malware and cyber attack.

In this white paper we will evaluate the exciting business benefits that are driving the convergence of IT and OT, and consider the challenges that IT and OT managers may face when setting out to secure the converged network.

a NEW INdUSTRIal REVOlUTIONAs the twenty-first century rolls before us, how many people stop to wonder where everything that makes our lives possible, actually comes from?

Who provides our water? The electricity? The chemicals? The oil, the gas…?

We accept that our modern life is powered and made possible by the output of multiple industrial processes that provide the products and resources we require and the energy we consume. Apart from those who work in these industries, few, if any of us, give it any further thought.

Yet, perhaps we should.

Thanks to the growth of the internet, the cloud, the flourishing ubiquity of IP (Internet Protocol) based communications and the desire to share information and connect everyone, everything and everywhere together, a revolution is taking place around us, that will have significant impact upon us all.

BAE Systems Applied Intelligence

32

SEpaRaTE WORldSEver since the industrial revolution, new industries have spawned and developed: processes have been made more efficient, productivity from industrial processes has grown, efficiencies have increased, and new services, utilities and products have fuelled the development of all our societies. To monitor, manage and oversee these industrial processes, industrial control systems (ICS) and operational technology have been implemented which ensure that these industries operate day in, day out, continuously producing the services, utilities, fuel, chemicals and manufactured goods that we need.

Traditionally most OT has existed and operated in silos, isolated and not connected to each other or the outside world. Although the OT managers may have been responsible for running specialized technology peculiar to each of their industries, one thing they have all shared in common has been their focus on the integrity, efficiency, reliability and safety of the systems they control.

Then along came networking and the Internet Protocol (IP).

In the cities, people sitting in offices became connected together, began to share information, and started working with computers. Specialized software and business applications began to revolutionize the world of business and commerce, and companies grew and flourished. Experts in IT became the gurus who understood how computers connected together, how the software and hardware of company networks functioned, and how LANs and WANs could enable companies to share information between each other.

In the head offices of the companies who run the industries we depend upon, IT managers oversaw the growth of interconnectivity between their employees and systems, and implemented, managed and ran the IT infrastructure upon which all Corporate and Enterprise networks now depend.

And then came the internet.

Suddenly, the world was connected. Within a few short years, individuals, employees and companies the world over, were IP enabled. This made it possible to communicate with each other, to share information, to do business in a global, virtual environment that broke down barriers and facilitated further, rapid growth.

Two separate worlds had developed:

•The world of Operational Technology that drives, manages and controls the industries upon which we depend

•The world of Information Technology which enables our businesses, the internet and our ability to share data and information

In companies that own and manage large industrial operations, the Enterprise networks of the corporation had until recently been separate from the industrial plants and processes that were core to their business, with little or no virtual or physical connectivity between them, and very little direct control.

4

SECURITy CONSIdERaTIONS IN THE SEpaRaTE WORldS OF IT aNd OTThe worlds of IT and OT have evolved with different considerations and priorities.

•Whereas IT systems are designed to connect with each other, industrial systems were isolated and locked-down

•In an IT network, components are typically deployed with an expected lifetime of between three to five years. In an industrial network, devices/components may be expected to last from between five to twenty years, perhaps longer

•IT systems are designed with the capability for regular updating and maintenance, whereas with OT systems, maintenance windows and the ability to upgrade and replace components are far rarer: once operational, they often run continuously with minimum scheduled downtime – every second offline can cost the operating company thousands of dollars

•Information security has long been defined by the need to preserve the confidentiality, integrity and availability of information. Over many decades, other properties, such as authenticity, accountability, non-repudiation and reliability have also been included. Many frameworks and approaches have evolved for IT security but almost all have either explicitly or implicitly put confidentiality ahead of all other attributes. OT designers on the other hand are driven to ensure that their plants and process controls are safe, efficient and continuously available. With some industry-specific exceptions, confidentiality of data is not a major cause for concern for OT.

“To Converge or not converge, that is the question…” Advantages & Disadvantages

The ability to share and connect disparate systems and data processors together using networking technology based upon the IP protocol has changed our world. For businesses, bringing people, systems, and offices ‘online’ (i.e. connected via IP routable networks) has facilitated communication and data sharing that has enhanced productivity, cut product development and delivery timescales, shortened problem resolution cycles, enhanced competitiveness and brought tremendous operational efficiencies.

For companies that own industrial concerns, and whose businesses are still segmented into the two distinct domains of IT and OT, there are also significant advantages that could potentially be gained by increasing the connectivity between IT and OT, and gradually converging the domains together:

•Increased efficiency

•Enhanced productivity

•Enhanced profits

•Greater control.

OT facilitates the real-time processing of vast amounts of data, which enables automated control systems to make decisions and issue local commands that regulate, control or change the industrial processes they manage. In a non-IP enabled industrial system, management systems are not provided with the real-time feedback data that helps them construct a global view of operations.

However, if it were possible to introduce IT technology into OT systems, such that the information flow between management and supervisory control systems could be enhanced, supervisory networks and management systems would have far greater control: the more timely, accurate information they would receive would assist them in making more effective decisions. IT would also enable them to have a greater, more accurate and real-time view of multiple geographically dispersed industrial systems and to respond more powerfully to any change in a process that may occur, or as required by real-time world events.


54

an Industry View on Convergence: Oil and GasThe business requirements driving convergence in the different vertical markets vary from one industry to another. As an example, let us look at the Oil and Gas market, for which the convergence of IT and OT is seen as offering significant benefits that could help address some of the many challenges this sector is now facing.

In response to all of these challenges, wherever possible, the Oil and Gas industry is seeking to imbed greater connectivity into its operational structures. This would provide components, systems and people the ability to communicate and share information with each other in ways not possible before.

In particular, utilization of electronic and information technology within OT systems, facilitates greater centralized control, safety and security monitoring.

The development and implementation of systems which will provide real-time information to improve business performance, and greater automation of industrial processes, are now central to the vision of the ‘digital oil fields’ of the future.

Within the Oil and Gas sector, it is becoming increasingly harder to access the new and remaining oil and gas reserves, creating significant new challenges:

•TheneedforimprovedOperationalexcellence. The increasing difficulty that companies are experiencing in profitably extracting oil and gas from existing fields, naturally fosters a greater focus on efficiency and effectiveness in production. Within the industry this is driving a culture of high performance and changing the way the business is managed

•Capitalprojecteffectiveness,skillsshortageandchangesinworkingcultures. With access to what is termed ‘easy oil’ (and gas) becoming rarer, the scale of the projects being undertaken and the investments being made to acquire natural resources from more challenging fields has increased. The scale and complexity of the projects introduce new safety and security challenges, along with the problem of recruiting sufficient workers willing to work in hazardous, remote locations, where a skills shortage has become a global issue. The skills shortages in local populations leads to a high degree of foreign workers

•Oilandgasreservereplenishment. The continued pressure to find new oil and gas reserves leads to more oil and gas operations in offshore and remote locations, all of which are more difficult to protect

•Businessresilience. With the increase in the physical and cyber security threats faced by the industry, there is now greater awareness of the need to ensure operations are resilient and demonstrate a suitable degree of system redundancy.

6

THE INEVITaBIlITy OF CONVERGENCE For many companies, not just those in Oil and Gas, convergence between IT and OT domains is inevitable: it may not have happened yet, but the potential benefits it will offer cannot be ignored, especially if competitors are already embarking on a convergence program and threaten to benefit from their actions – other companies cannot afford to be left behind.

For many companies, convergence is already happening, for example:-

•Components of Industrial processes (PLCs, HMIs, Historians) are being made IP aware, facilitating remote control and management directly by OT managers and for upgrading and maintenance by third party vendors

•Remote workers in the field are being equipped with laptops that can communicate with the control systems or the corporate network, increasing productivity and enabling decisions to be made faster, and significantly reducing capex and opex costs

•Control systems (SCADA/DCS) are being implemented that communicate with HMIs, PLCS, MTUs, RTUs and Historians using protocols based upon TCP/IP, which will also be able to communicate directly with corporate networks

•Management systems in the Enterprise are establishing links to view data in the historians in the supervisory and industrial systems

However, increasingly, there is a realization that convergence brings risks and costs of its own, and ultimately, there is the possibility that the benefits gained could be outweighed by the new risks introduced.

In consideration of the fact that hitherto, many industrial systems were intentionally isolated, what is the cost of the added security that needs to be applied to make new interconnected architectures safe to operate?

What would be the cost of a cyber attack, loss of service or a disaster which could be caused by the enablement of such connectivity?

Increasingly, there is a realization that IT/OT convergence brings risks and costs of its own that must be addressed.


76

CONVERGENCE: WHaT aRE THE RISKS? The more exposed to external systems and the outside world an industrial system becomes, the greater is the threat that OT is exposed to, and the greater is the risk of operational disruption. From the experience of those IT managers tasked with securing the Enterprise network, the greatest risk now facing IP enabled OT networks or OT networks that touch and link to external IP-enabled systems, will undoubtedly be the threat of malware or cyber attack. In addition, there is a greater risk of an individual with ‘insider’ knowledge using his skills to manipulate a system to detrimental effect. Furthermore, there is also the risk of a process error or unintentional numerical error propagating through a system and causing damage: within a normal IT environment, such process errors may have limited effect, however in the converged network, IT process changes require greater planning and must be planned carefully with due consideration for the OT environment into which the IT has been deployed, understanding that the OT technology surrounding it can be very sensitive to the rebooting of servers, installation of software or the application of patches.

Historically, communications between elements of control loops in industrial systems were enacted using non-routable protocols. There was no consideration for IP networking between industrial network components and different sites. As such, the vast majority of malware, which made use of IP, could not propagate in the core of industrial systems: isolation effectively meant protection.

Unfortunately, once devices become IP compatible and communication between network components is made possible, within any two hierarchically flat networks that connect together, almost every device within both or all networks are now exposed to each other: if there exists a single possible entry point for malware to penetrate a system, that ingress point becomes the Achilles’ Heel of all networks that touch each other. Once inside, the malware or attacker will have the capability to spread or penetrate further.

Security experts in the world of IT operations have long since been forced to accept that malware now has the ability to touch and connect to almost any network-connected element in the world. In addition, despite any and all cyber security precautions that they may put in place, the reality is that if someone wants to perpetrate a successful cyber attack against a piece of IT, they will succeed: it is only dependent upon how long they have to do it, and the amount of resource they have to apply to the task. Where the motivation is high, they will find a way.

It is important that OT managers now begin to share this reality, because it will also apply to them too: for the converged network, the risks that IT and OT share are now both similar, not necessarily in how an attack may be perpetrated, but that at some time or other it will be attacked.

Furthermore, cyber attackers identify and target the weakest links they can find. For legacy industrial systems which were previously not connected to the outside world and were built without considerations for cyber security, in a converged network, OT may often contain the weakest link. Hence, the focus of the cyber attacker may shift away from the Enterprise to the weakest links within OT, where he/she has greatest chance of success.

It is important that OT managers now share this reality: it is inevitable that some cyber attacks against OT systems will be successful.

8

SECURITy FOR THE CONVERGEd NETWORK In many industrial networks, convergence is already happening, either by plan or unintentionally, through the innocent upgrading of existing components with IP enabled devices or the intentional implementation of IP connections between different areas of a network.

Whereas it is right to be cautious and concerned about the increased risks that convergence between IT and OT will bring, the good news is that security solutions which are appropriate for the environment of the converged IT and OT world already exist.

Nevertheless, there are several significant challenges in navigating a safe path to the implementation of secure converged IT and OT networks.

EdUCaTING EmplOyEES aNd OT WORKERS Historically, OT and ICS have emerged and evolved from a time when the risk of cyber attack was minimal or non-existent, and networks were isolated, locked-down, and remote. Pre-convergence, in the world of OT, cyber attacks and malware threats were not considered, because there was no clear and present threat to consider.

In the world of IT, it took many years of education and awareness generation to make employees security conscious, helping everyone to understand the risk of cyber attacks and malware. There will be similar challenges in educating those who work in OT and industry, made more complex by the fact that the systems and the attack vectors may be different.

The first main challenge is therefore for those involved in convergence to become aware and knowledgeable about the full extent of any risk that convergence may expose them to: even though they may be familiar with their increased risk profile, it is possible that lack of awareness of the full extent or the nature of the cyber threat could lull some engineers into a false sense of security. In fact one of the challenges of security professionals targeted with helping to implement and strengthen cyber defences in OT and ICS, is that many managers of ICS could still be unaware that components of their industrial processes could be vulnerable to attack, without full understanding of the vectors by which they could be attacked or how malware could impact their systems.

Furthermore, in securing OT, it will not simply be a case of taking security systems designed for IT and mapping them and implementing them in OT networks. Security architectures for OT will need to be carefully considered - for example, the role of a firewall in IT networks is clear, yet their applicability in OT networks should be carefully evaluated: other solutions more akin to the needs of securing communications between network areas within industrial systems may be more appropriate.

When considering how best to secure OT, consideration must be given to understanding what the critical processes and systems are, and what threats they face. By prioritising these, security controls which are implemented must address the threats most relevant to an organization, system or process.

As security managers start to raise awareness internally, they may encounter a resistance to change, with attitudes of employees and industrial workers needing to be altered through education and awareness generating campaigns. As awareness of the issues is increased, companies will need to encourage (and later enforce) adherence to strict security processes and industry guidelines that will be introduced.

Initial resistance to change is understandable. Particularly where uninformed workers are highly motivated to do their job but see new security procedures and devices as counter-productive steps taken to prevent them doing what they are paid to do.

For those working in OT and designing new systems, cyber security has to become a primary consideration. Where recent legislation and guidelines have been introduced, they must be followed (e.g. Utilities NERC CIP for power generators and suppliers/NEI 0809 for Nuclear Power facilities). For other previously unregulated industries (Oil and Gas/Manufacturing etc.), new security standards and procedures specific and appropriate to each industry will have to be agreed and implemented, and become a part of all daily considerations. e.g. the NIST Cyber Security Framework, a voluntary cross industry framework that is being adopted by the non regulated industries in response to a presidential executive order.

as security managers start to raise awareness internally, they may encounter a resistance to change. Education about the threat is critical to overcome this.


98

THE CHallENGE OF HOW TO maKE Old INdUSTRIal NETWORKS SECURE Once a system, factory or process is built and tested, and is operational, it quickly embeds itself into the critical structures of the organizations that operate them. When this happens, it is common to let them run, and run, and run. Some factories, systems or processes have been running for ten, twenty, even thirty years, sometimes without interruption. Some ICSs, factories and utility plants currently operating may still have the same systems (and lack of security) in place that they were originally commissioned with.

In some industrial processes, systems or part of systems have been designed and supplied as bespoke, turnkey solutions by vendors, with complex commercial arrangements covering supply chain responsibilities for processes, design, installation, commissioning, ongoing service and upgrades. Making changes to these solutions to make them more secure, could involve discussions with multiple partners and complex legal considerations, taking significant time and resource to implement. Change, even for the better, may not be easy.

As a result, many industrial systems and processes critical to company and often national interests are currently dependent upon a great deal of ageing and vulnerable systems: many of these systems cannot simply be taken offline to improve or upgrade them because of the significant loss of revenue that lost production would incur, and they cannot be replaced by more modern equipment because the cost would be prohibitive.

This creates several problems, as discussed below.

Applying Patches to known Vulnerabilities

As those in the world of IT already know, the vast majority of malware and cyber attacks are launched by exploiting vulnerabilities in software systems. The necessity to patch networks for known vulnerabilities with authorized software patches is well recognized by IT security professionals: remove the vulnerability, and the risk is immediately reduced. However, in many live industrial processes, there are two main hurdles to applying patches.

First, in critical systems, patches can only be applied in specific maintenance windows during which processes may be interrupted. Often the time allowed and the urgency of other issues requiring maintenance, means that patching may not happen, or is delayed.

Secondly, with old systems, and systems which have operated continuously for long periods of time, there is a reluctance to touch them at all, because of the very real possibility that if an old system is interrupted, and stopped, it might not start again.

Thirdly, before a patch should be applied, it should be approved and tested, either by the vendor, or the OT manager, or both. In the world of IT, patches would first normally be tested in a laboratory testbed, or test network. In the industrial world of OT, this is not as simple to do: being able to recreate a truly representative system on which to gauge the impact of any patch represents a significant challenge. And without prior testing, how can an OT manager be sure a patch won’t break their systems?

In these circumstances, it becomes a risk trade-off: what is the risk that a system left unpatched will be hit by malware, versus the risk that by trying to secure the process/ system, you actually break the very process you are trying to secure?

patching OT networks becomes a risk trade-off: what is the risk that a system left unpatched will be hit by malware, versus the risk that by trying to secure the process/system, you break the process you are trying to secure?

10

Reluctance to change existing systems

The lack of awareness of security issues, coupled with an understandable reluctance to alter systems and industrial processes that have worked for many years, can lead to situations where new technology is attached to or overlaid on top of pre-existing systems. New technology is simply “bolted on” to the network, without due consideration of the risks that the new technology may introduce to the systems already in place.

WHO IS RESpONSIBlE FOR SECURITy aNd WHERE?As the worlds of IT and OT converge, who will be responsible for the security in the different parts of the wider network? Will organizations set up one new group tasked with cyber security for the whole organization, including interfaces with partners/suppliers, or will there remain a divide between those responsible for IT security and those responsible for making OT secure? Will there be consultation between the two groups? Will they hold separate budgets? Clearly, those in IT who have been mitigating the cyber risk within their Enterprise networks and IT operations have years of valuable experience to share with those in OT.

And between these groups, who will manage the security risk posed by the supply chain: the wording of contracts and legal documents that cover the business engagements between the OT customer and equipment and services supplier? And who will work with the supplier to ensure that their solutions are technically fit for purpose, safe and secure to implement and use within the unique ecosystem of each industrial system?

If the groups remain separate, where will the demarcation lines be for responsibilities and budget spend?

On a final note in this brief discussion, we should address the question of resource and budget allocation; even if the responsibilities between security groups are defined, consideration must be given by executive managers to ensure that sufficient resource and budget will exist for those who need it. If not, convergence may take place, exposing security weaknesses that even with the best intention, no one will have the ability or resource to fix.

Executive managers responsible for convergence must ensure that resource and budget exists for securing both IT and OT.


1110

SUmmaRy aNd CONClUSIONIn this white paper we have looked at the two worlds of IT and OT, examined their history, and discussed the benefits and issues that arise through convergence of those worlds.

For those working in the IT and OT industry, we are entering an exciting but challenging time.

Convergence will bring great benefits and competitive advantage to businesses that understand the key issues and take steps to resolve them. These steps include:-

•Recognising that whilst the primary security concerns in IT and OT are different - confidentiality in IT versus availability and integrity of systems in OT - the cyber threat now extends to them both

•Educating business leaders and employees to the nature of the threat that their systems are exposed to and the potential business impacts that could result from a security incident

•Identifying the appropriate technologies across the IT and OT estates that will secure data, protect critical systems and processes and successfully mitigate the risks faced by both environments

•Ensuring that there is clear accountability for those responsible for security and systems across IT and OT in the converged network, and that they have the resources and funding to carry out their tasks.

In the next white paper in this series we will look in more detail at the specific security issues created by the convergence between IT and OT systems and will examine in more detail the nature of the threats we face.

To learn how BAE Systems Applied Intelligence can help your company improve your security posture, and to learn more about new solutions we have developed to protect critical national infrastructures, industrial systems and processes, please contact your local BAE Systems representative.

Follow the link below for more information on IndustrialProtect™:

www.baesystems.com/industrialprotect

aBOUT USBAE Systems Applied Intelligence delivers solutions which help our clients to protect and enhance their critical assets in the connected world. Leading enterprises and government departments use our solutions to protect and enhance their physical infrastructure, nations and people, mission-critical systems, valuable intellectual property, corporate information, reputation and customer relationships, and competitive advantage and financial success.

We operate in three key domains of expertise:

• CyberSecurity–helpingourclientsacrossthecompletecybersecurityrisklifecycle

• FinancialCrime–identifying,combatingandpreventingfinancialthreats,risk,lossorpenalties

• CommunicationsIntelligence–providingsophisticatednetworkintelligence,protectionandcontrols

We enable organizations to be more agile, increase trust and operate more confidently. Our solutions help to strengthen national security and resilience, for a safer world. They enable enterprises to manage their business risks, optimize their operations and comply with regulatory obligations.

We are part of BAE Systems, a global defense, aerospace and security company delivering a wide range of products and services including advanced electronics, security and information technology solutions.

CYN

EUW

PEN

_BEA

U08

14_I

TOT_

v1

Copyright © BAE Systems plc 2014. All rights reserved.

BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Applied Intelligence Limited registered in England & Wales (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of BAE Systems Applied Intelligence.

Cyber Incident Response

Certified Service

Victim of a cyber attack? Contact our emergency response team on: UK Freephone: 0808 168 6647 Australia: 1800 825 411 International: +44 1483 817491 E: [email protected]

Formoreinformationcontact:BAESystemsAppliedIntelligence 265 Franklin Street Boston MA 02110 USA

T: +1 (617) 737 4170 E: [email protected] W: www.baesystems.com/ai

www.twitter.com/baesystems_ai

www.linkedin.com/company/baesystemsai

the convergence of it and ot

Documents