While working with clients on the rollout of a new regulation, there was an interesting presentation I saw that showed that the Operational Technology (OT) and the Internet of Things (IoT) had device counts well above the numbers normally associated with what Information Technology (IT) Teams supported. The presentation showed OT/IoT had 3 times the device count supported by IT, was typically managed outside of IT security teams, and had about a tenth of the security budget.
Traditionally, such systems were managed separately. They could be physical control systems managed by a facilities team, SCADA systems operated by plant management teams, and even medical instrumentation managed by a clinical IT group or subcontractor at a hospital.
Why were they managed separately?
IT grew from the back office and principally supported business processes and was often very similar across a wide range of industries. HR, payroll, financials, CRM, ERP, email, telephony, and other forms of collaboration were the primary use cases and were quite rightly viewed as critical resources by the C-Suite.
SCADA, CAD/CAM, and CNC technologies began development before the Internet, becoming both ubiquitous and the domain of manufacturing engineering organizations. As a result, it was deployed separately from IT and was often on an isolated network (with no external access). A similar path emerged in other industries, with facilities teams (physical plant management, A/C, etc.) and security (CCTV, access doors, alarm systems, etc.) leading the charge.
Why address this now?
Initially, it was felt that keeping these systems isolated protected them. With no access, they were pretty much impregnable. However, two major trends in the industry have emerged:
- Stuxnet revealed that isolated systems could be targeted. Stuxnet uses a malicious worm to embed itself in systems looking for SCADA systems and PLCs (Programmable Logic Controllers). When found, they could manipulate these systems to destroy industrial equipment and perform other malicious acts.
- Everything is moving to the Internet Protocol (IP), and many previously isolated systems find themselves on WiFi or are otherwise connected to corporate networks.
For example, in modern hospitals, IT teams, facilities, and clinical technology teams often share closets and sometimes share networking resources but often have no common security views or budgets.
In the face of ransomware, malicious hacking, Intellectual Property theft, data theft, and privacy concerns, it is now paramount that chief security officers, risk officers, and CISOs address these issues with a common strategy.
Network architectures and security strategies exist to support tighter access and control of all systems and data today. Encryption in transit and at rest can protect data and privacy concerns.
NetCraftsmen, a BlueAlly company, has implemented Security by Design in many industries providing a methodology to segment environments to protect infrastructure and lock down access to critical systems. The case study linked to above illustrates a Payment Card Industry (PCI) example, but we have worked extensively with clients in the financial, healthcare, utility, and government markets.
Having the right partner who can help you navigate your way through all the choices is key. Contact us to see how our experts can help with your security strategy or other IT challenges.