15 Apr 2024
by Trevor Dearing

Why you should rethink OT security for the Cloud era

Guest blog by Trevor Dearing, Director of Critical Infrastructure at Illumio #techUKOTSecurity

Securing operational technology (OT) has never been more important. The race to digitalisation to improve operational efficiency and reduce costs has put transformation initiatives like cloud migration, automation, and industrial IoT (IIOT) at the top of the agenda.  

But as organisations migrate systems to the cloud and connect IT and OT for operational gains, they are also exposing themselves to new risks. 

In this blog post, we’ll explore the threats against OT, why traditional security methods aren’t working for OT in the cloud, and how Zero Trust Segmentation can help. 

The rise in manufacturing OT & Cloud threats  

The threats facing OT are not new. The European Union Agency for Cybersecurity (ENISA) cautioned last year that the convergence of IT and OT would present ripe opportunities for hackers to disrupt critical services like transport. What's different now is the sheer magnitude of opportunity, compounded by the accelerated pace of vulnerability detection thanks to AI advancements. 

Take manufacturing for example. According to Illumio’s Cloud Security Index, 92% of manufacturers are already running high-value applications in the cloud and 97% say a cloud breach would impact their organisation (43% of which said normal operations would be impossible). Having stringent security controls is crucial in hybrid or multi-cloud setups because it’s easier for breaches to spread. 

Just recently, the NCSC released new guidance for migrating Supervisory Control and Data Acquisition (SCADA) systems to the cloud – guidance that should be welcomed across industries. The problem is many SCADA systems were originally designed years ago without security in mind and were therefore never intended to be connected to the cloud. This of course means they are vulnerable to an attack and operational downtime.  

Understanding the risks 

As alluded to above, there are two prominent challenges when it comes to securing OT: legacy technology and the rapid adoption of IIoT. Many control systems still operate on outdated versions of standard operating systems that can't be easily updated with the latest security patches. At the same time, organisations are increasingly adopting IoT technologies that run in virtualised or cloud environments. This means that traditional network-based security approaches are no longer adequate.  

The problem is made worse by the fact that these devices provide mission-critical services, making them valuable targets for attackers. And threats can come from anywhere: phishing attacks, brute-force attacks, malicious insiders as well as direct attacks on OT devices.

Why traditional security approaches no longer work 

Trust-based security models like PERA (Purdue Enterprise Reference Architecture) focus on separating the environments into functional layers using firewalls, but that model fails to protect today’s complex hybrid, multi-cloud environments. Everything is now communicating, so protecting only the network is no longer sufficient.   

Newer OT control systems use standard operating systems like Linux and Windows which means that the embedded security features can be used, such as enabling native firewall functionality. This provides the opportunity to protect each individual system from the risk of lateral movement within a trusted network. 

A unified, asset-centric approach is required for all systems to effectively protect against ransomware and other attacks targeting converging IT and OT systems.  

The role of Zero Trust Segmentation in IT and OT convergence 

The first step to securing IT and OT convergence is to understand risk. That means working out what in your environment will cause you the most problems if it fails or is compromised, and what bad actors are most likely to attack. For example, the biggest risk for a manufacturer will be anything that stops the manufacturing process, whereas for an energy provider, it could be something that disrupts the energy supply.  

Next, it’s important to identify all your devices and systems and understand what and how they are communicating. Once you know that, you can understand how a compromise could affect other connected assets and define security policies to protect them.  

One approach that has risen to the forefront is Zero Trust Segmentation (ZTS) - a key component of modern Zero Trust strategies. ZTS involves dividing the IT network into small segments based on verified identity, which can include regions, locations, test and production environments, and even individual workloads. This restricts lateral movement, ensuring that infected endpoints or security vulnerabilities in individual applications no longer pose significant risks because attackers cannot advance to critical assets like industrial and facility controls systems.  

Breach containment technologies like ZTS are crucial for quickly containing ransomware attacks and preventing small security breaches from turning into major cyber disasters.  You can see how heating manufacturer NIBE is using ZTS to build resilience.  

Don’t forget the supply chain 

Finally, don’t neglect supply chain security. Industries like manufacturing are highly susceptible to supply chain risks. With numerous partners, suppliers, and service providers, there are countless connections that threat actors can exploit to bypass network defences.  

As you move toward Industry 4.0 and seek integration in the supply chain, you must be vigilant about potential security vulnerabilities. While a streamlined supply chain offers significant efficiency and cost savings, for attackers it can be an attractive and easy way to cause mass disruption. Adopting a Zero Trust strategy with Zero Trust Segmentation at its core is a necessity.  

Learn more about how Illumio protects IT and OT networks, Illumio protects IT and OT networks and our five-step asset-centric model to secure IT and OT connected devices  here.


techUK’s Operational Technology Security Impact Day 2024 #techUKOTSecurity

techUK’s Cyber Programme is delighted to be holding our first securing Operational Technology (OT) security impact day to showcase how cyber companies are helping organisations to secure their OT and navigate the convergence of IT/OT systems.

Find all the insights here!

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more

Join techUK's Cyber Security SME Forum

Our new group will keep techUK members updated on the latest news and views from across the Cyber security landscape. The group will also spotlight events and engagement opportunities for members to get involved in.

Join here

Upcoming Cyber Security events

Cyber Security updates

Sign-up to get the latest updates and opportunities from our Cyber Security programme.

 

 

 

 

Authors

Trevor Dearing

Trevor Dearing

Director of Critical Infrastructure, Illumio