The basic premise of Dale Peterson’s article “How to be an OT Visionary” was to look at what is happening in IT and assume it will arrive in OT five years later. He provides a range of great examples from Antivirus to virtualization, and I would wholeheartedly agree with his sentiment. We have been told many times that agents won’t work in OT only to demonstrate for the past dozen years, that in fact they work quite well and are much less intrusive than other methods of gathering information if tuned appropriately for ICS.
One of the clearest “coming attractions” for OT is the application of traditional IT Systems or Security Management into the industrial controls environment. For nearly 20 years, IT teams have applied foundational techniques such as hardware and software management, secure and sustainable configuration management, patch management, user and account management, etc. These processes – and the tools they use to automate them – have not only delivered improved security of IT systems, but have also ensured improved reliability, lower operating costs, and better customer satisfaction with IT as an organization.
Robust IT Systems Management is conducted comprehensively, regularly, and with statistics on compliance and outliers. It provides the basis for much of the security within the IT realm – from ensuring updated security patches, to proper network rules in firewalls, etc.
These tools, techniques, and processes are missing from almost all OT environments. Organizations and their OEM partners build cyber security systems to last 20 or 30 years. Upgrade cycles are measured in decades, not three-year refreshes or monthly updates. There are many good reasons for these approaches given the unique processes and sensitive devices involved. But, in most cases, these computing devices – servers, workstations, switches, PLCs, relays, sensors, etc. are not “managed” in a typical ITSM model.
We see this clearly in our assessments of these industrial environments – unpatched systems, device configurations with significant insecurities, many dormant and insecure users and accounts, failed or non-existent backups, and at the foundation a fundamental lack of accurate and deep asset inventory. The focus in most industrial organizations is the process itself rather than the management of the computing devices that control that process. Ease of operation is the primary driver, enabling the technicians to reduce the cost and complexity of the process.
The Need for Greater OT Systems Management
Over the next five-to-ten years, OT needs to adopt the core elements of IT Systems & Security Management. To date, most industrial organizations have relied on network protections for their OT systems – firewalls or data diodes, the mythical “air gap”, network anomaly detection, or IDS/IPS. No one would debate the value of these initiatives in a defense-in-depth model. However, the next five years will make these defenses less and less effective, requiring a push to greater OT Security Management programs. Several trends and events drive this change:
Increasing IIOT/ Industry 4.0 connectivity between industrial operations and the internet
Organizations have trialed and proved connected plant initiatives for a decade. In the past three years or so, organizations pivoted from trial to wide-spread adoption and the “wave” is gaining steam. Based on multiple analyst views (Gartner predicts the enterprise IOT platform market will grow to $7.6 billion in 2024), these initiatives are set to grow dramatically over the next five years. Whether it be OEMs connecting to wind turbines to regularly update the programs or monitoring the flow of fluids through a valve to tune for maximum output, we already see these connections occurring. As connectivity explodes, network protection alone will grow increasingly untenable as a solution to OT security.
Increasing public vulnerabilities in OT equipment
In our recent ICS Advisory Report, we found a 75% increase in CVE’s in ICS-CERT advisories between 2019 and 2020. This growth highlights the growing research into the vulnerabilities of these industrial-specific software and embedded systems. Moreover, this is just the tip of the iceberg as the software supply chain risks from the underlying components of these systems are hardly identified at all yet. The reality is that OT systems’ reliance on “security by obscurity” is falling away as the curtain is pulled back. This will require a much more robust, IT-like, endpoint management capability of these systems.
Increasing regulatory pressure
Over the next three years, almost every developed country, and many developing countries, will implement rigorous security requirements that apply to OT systems. From the US Department of Defense’s recent CMMC standard to the UK’s RIIO2 standard to Qatar and other locations within the Middle East. The trend is to greater regulatory oversight of the world’s critical infrastructure. We have seen how these regulations impact utilities in North America with the NERC CIP requirements which essentially require true OT endpoint systems management – patching, configuration management, user and account control, backup management, etc.
Increasing pressure from CISO/Board of Directors
As all of these changes occur, boards of directors place more emphasis on securing the OT environment. This is not surprising given the potential financial impact of these attacks –see the results from Merck, Maersk, Norsk Hydro, and more recently at many organizations involved in the supply chain for critical COVID vaccines. Insurance companies are pressuring companies to ensure all systems are protected. Therefore, CISOs put greater emphasis on OT. They expect the same type of security capabilities and systems management as they achieve in IT, which will drive greater push for OT Systems and Security Management.
The Future of OT Cyber Security
So, what does this mean for OT leadership? How will it impact the “leaned out” operational excellence achieved over the past 15 or 20 years? What is the impact on the day-to-day jobs of the Instrumentation and Controls techs?
In short, a coming tidal wave of new requirements, reporting, and security responsibilities on the computing equipment that runs industrial operations. Why do we call this a “tidal wave”? Because we have seen it. The North American electric utility industry over the past dozen years has adopted an increasing set of requirements of OT systems management. Is NERC CIP perfect? Of course not. It has many areas that may not deliver a great ROI on security.
But would we expect the regulatory requirements around the rest of the world to be significantly more efficient? Probably not. In addition, these were established before the presence of IIOT and cloud, before the increasing numbers of endpoint vulnerabilities, etc. As those areas grow, the need for endpoint management will grow ever greater.
The reality is that most OT environments do not manage these endpoints. Therefore, as these new requirements emerge, most will be relying on manual tasks to gather critical reporting for the C-suite or regulators. Most will be using different OEM tools to try to patch systems manually or with an inefficient approach of the system by system. Most won’t have automated asset inventory or vulnerability assessment to provide real-time visibility, so will rely on manual teams to gather this information into spreadsheets, etc.
We often hear forecasters talk about the coming risk from hackers, and this is real. But the real coming risk is the operational costs in keeping up with the necessary OT systems management to ensure security in connected, vulnerable, regulated environments.
OT Endpoint Systems Management
As Dale Peterson said, to predict the future of OT, just look at IT and add on 5-10 years. The future is clear: It involves a greater and greater need for endpoint systems management of OT computing equipment. The challenge is that doing this efficiently and effectively does not happen overnight.
Verve has a decade of experience helping organizations adopt efficient OT endpoint systems management. This begins with a truly robust asset inventory. But an inventory is only the foundation of a true OTSM program. It also includes efficient and OT-safe vulnerability management, patch management, configuration management, etc. This integrated and automated approach can reduce the labor requirements by 70% over traditional manual methods. As this tidal wave approaches, we encourage industrial organizations to begin to map out their OT endpoint management roadmap. We look forward to helping.