Getting IT & OT to speak the common language of IIoT vulnerability management
Manufacturing executives probably don’t think of renowned Irish playwright George Bernard Shaw when planning Industry 4.0 and Industrial Internet of Things (IIoT) deployments. Maybe they should.
Shaw’s famous quip about England and America being "two countries divided by a common language" captures the differences between corporate IT and production OT (Operational Technology) departments. While both IT and OT teams are acutely aware of the cybersecurity challenges of successful IIoT implementations, how each department addresses those threats is based on different priorities and requirements.
IT staff are accustomed to managing endpoint hardware and software to ensure dynamic, low-latency, high-throughput and secure data access for authorized users across the network. Their counterparts in OT are focused on maintaining predictable "if it ain’t broke don’t fix it" processes and less latency- and throughput-sensitive communication between high-availability machinery, sensors and control systems to keep the production line running. McKinsey & Co. has called the differences the IT/OT "last mile" and a barrier for companies trying to convert IIoT pilot programs into enterprise-wide deployments. The challenge comes in getting the two teams to understand each other’s operational language while using common, policy-driven vulnerability management practices adapted to their environments.
Patching over differences over patching
One of the most common last-mile differences is in patch management. Keeping current with software patches is considered good standard cybersecurity hygiene. It’s also a basis for establishing shared IT/OT policies and practices.
For IT staff, patching and updating software is a well-established procedure, as regular and expected as "Patch Tuesday." It is frequently automated, either through vendor tooling such as Microsoft’s Windows Server Update Services (WSUS) or, increasingly, through unified endpoint management (UEM) systems. Patches can be pre-configured and tested, then deployed overnight with systems automatically powered up, rebooted and shut down before users arrive the next morning. The process may also allow for system rollbacks and troubleshooting when patches cause unexpected problems. The priority is to ensure continuous availability to users while preventing unauthorized data access or theft.
Things are more complicated in the OT world, where a March 2019 report by Kaspersky Lab found evidence of attempted attacks on nearly half of process control systems, usually aimed at disrupting production or at industrial espionage. OT staff recognize the need for patching at least as much as their IT brethren, but their ability to respond is constrained by complex, multi-vendor environments in continuous operation. McKinsey reports that a typical medium-sized plant may have more than 200 pieces of equipment from suppliers using different configurations and protocols.
In the 2018 SANS study "Industrial IoT Security Survey: Shaping IIoT Security Concerns", 56 percent of respondents cited patching difficulties as one of their biggest security challenges. Because of the need to maintain production and workplace safety, only 40 percent of respondents said they applied patches, preferring to wait for more complete software updates to justify interruptions.
For example, OT staff can’t routinely take control systems offline for patching and rebooting at a chemical plant or food processing facility operating 24/7. In addition, legacy operating systems for some industrial control systems may be as old as Windows NT, and redundant devices and specialized applications may require updating directly by vendors for whom secure remote access is not possible or practical. Instead of "Patch Tuesday," OT staff must plan and test patch and update deployments often weeks or months in advance.
The SANS study also captured the resulting differences in OT, IT and corporate management perceptions of IIoT security. While 93 percent of executives and 83 percent of IT departments thought their companies could adequately secure the IIoT infrastructure, just 64 percent of OT departments felt the same.
Converging on policy-based vulnerability management
As Gartner, IDC, and others have reported, the scale of both the IIoT opportunity and the cybersecurity challenges facing IT and OT requires companies to define more cohesive security architectures and policy-based procedures. Devices in industrial production must be recognized as endpoints just like PCs, laptops or smartphones. In fact, many of those OT devices already are PC-based. This enables companies to design uniform risk management policies and procedures to identify vulnerabilities at an early stage.
In that framework, patch management becomes part of the broader function of vulnerability management commonly handled by UEM systems. That includes automated discovery, mapping and inventory of all network endpoint configurations in both IT and OT environments. All IIoT devices are regarded as edge devices on which automated scanners can identify and classify potential vulnerabilities based on current CVE lists. Appropriate patches can then be configured for automated deployment based on device uptime requirements and the severity of the risk.
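The scheduling step described above, in which inventory, scan findings, uptime requirements and severity combine into a deployment decision, is easier to reason about in code. The following is an added example written for this page, not code from the article or from any UEM product: a small Python policy engine that assigns each scan finding an action and a deployment date. The CVSS band cut-offs, the 14-day escalation rule for critical OT findings, the endpoint inventory, the maintenance windows and the `CVE-XXXX-…` identifiers are all constructed assumptions for illustration.

```python
"""Toy converged IT/OT patch-scheduling policy (added example, assumptions inline)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed CVSS v3 base-score cut-offs for the qualitative bands the policy keys on.
CRITICAL_CVSS = 9.0
HIGH_CVSS = 7.0
# Assumed rule: a critical OT finding whose next planned outage is further away
# than this is escalated so the plant can consider bringing the outage forward.
EXPEDITE_LIMIT = timedelta(days=14)


@dataclass
class Endpoint:
    name: str
    domain: str                    # "IT" or "OT"
    os: str
    windows: List[datetime]        # approved reboot / maintenance windows
    vendor_managed: bool = False   # updates must be applied by the equipment vendor


@dataclass
class Finding:
    endpoint: str
    cve: str                       # placeholder IDs, not real CVE numbers
    cvss: float


@dataclass
class Decision:
    endpoint: str
    cve: str
    severity: str
    action: str
    deploy_at: Optional[datetime]


def severity(cvss: float) -> str:
    """Map a CVSS base score to the band used by the policy."""
    if cvss >= CRITICAL_CVSS:
        return "critical"
    if cvss >= HIGH_CVSS:
        return "high"
    return "moderate"


def next_window(ep: Endpoint, now: datetime) -> Optional[datetime]:
    """Earliest approved window after `now`, or None if nothing is planned."""
    future = sorted(w for w in ep.windows if w > now)
    return future[0] if future else None


def decide(ep: Endpoint, f: Finding, now: datetime) -> Decision:
    """Apply the assumed converged policy to one finding on one endpoint."""
    sev = severity(f.cvss)
    window = next_window(ep, now)
    if ep.domain == "IT":
        # IT endpoints: tested patches go out in the next overnight window,
        # with rollback available, so every severity is auto-deployed.
        return Decision(ep.name, f.cve, sev, "auto_deploy", window)
    if window is None:
        # OT device with no planned outage: nothing can be scheduled yet.
        return Decision(ep.name, f.cve, sev, "await_planned_outage", None)
    if ep.vendor_managed:
        # The vendor must supply and apply the update during the outage.
        return Decision(ep.name, f.cve, sev, "request_vendor_update", window)
    if sev == "critical" and window - now > EXPEDITE_LIMIT:
        # Too long to wait on a critical issue: ask OT to review an earlier outage.
        return Decision(ep.name, f.cve, sev, "review_expedite", window)
    # Normal OT path: stage and test now, deploy in the planned outage.
    return Decision(ep.name, f.cve, sev, "staged_deploy", window)


def plan(endpoints: List[Endpoint], findings: List[Finding], now: datetime) -> List[Decision]:
    """Deployment plan ordered by severity band, then by earliest deployment date."""
    by_name: Dict[str, Endpoint] = {e.name: e for e in endpoints}
    rank = {"critical": 0, "high": 1, "moderate": 2}
    decisions = [decide(by_name[f.endpoint], f, now) for f in findings]
    decisions.sort(key=lambda d: (rank[d.severity], d.deploy_at or datetime.max))
    return decisions


# Constructed sample inventory and scan results (not real assets or CVEs).
NOW = datetime(2019, 6, 3, 9, 0)
INVENTORY = [
    Endpoint("hr-laptop-07", "IT", "Windows 10",
             [datetime(2019, 6, 3, 22, 0), datetime(2019, 6, 4, 22, 0)]),
    Endpoint("plc-gateway-2", "OT", "Windows NT 4.0", [datetime(2019, 8, 10, 6, 0)]),
    Endpoint("filler-hmi-1", "OT", "Windows 7 Embedded",
             [datetime(2019, 6, 15, 4, 0)], vendor_managed=True),
    Endpoint("mixer-plc-3", "OT", "vendor firmware", []),
]
FINDINGS = [
    Finding("hr-laptop-07", "CVE-XXXX-0001", 7.5),
    Finding("plc-gateway-2", "CVE-XXXX-0002", 9.8),
    Finding("filler-hmi-1", "CVE-XXXX-0003", 6.5),
    Finding("mixer-plc-3", "CVE-XXXX-0004", 8.1),
]

if __name__ == "__main__":
    for d in plan(INVENTORY, FINDINGS, NOW):
        when = d.deploy_at.isoformat(" ") if d.deploy_at else "unscheduled"
        print(f"{d.severity:8} {d.endpoint:14} {d.cve}  {d.action:22} {when}")
```

Running the block prints the plan with the critical gateway finding first, flagged for an expedited outage review because its next planned window is more than two weeks out; the IT laptop is auto-deployed that same night; the vendor-managed HMI becomes a vendor request for its June outage; and the PLC with no approved window is held until one is planned. The same policy function is what a UEM system would evaluate per endpoint, with the windows and thresholds coming from the IT/OT agreed configuration rather than constants.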
UEM systems also address other common IT/OT vulnerabilities using endpoint-specific monitoring and configuration management. That includes setting precise controls on data access and encryption for removable media like USB drives, which the Kaspersky study identified as the second most common threat to production systems after unsecured ports.
In addition to specific procedures, a converged policy-based approach enabled by UEM defines functional responsibilities and lines of collaboration for IT and OT. Challenges remain, including replacing or retrofitting legacy systems and sensors to fit into an IIoT world. But patch management is a prime example of an area where IT and OT can speak the common language of consistent vulnerability management practices that recognize the operational requirements of each environment.
Armin Leinfelder is Director of Product Management at baramundi Software AG in Augsburg, Germany. He previously served as a software developer, product designer and business process management consultant for companies including BancTec, Beta Systems Software, Kleindienst Solutions, and Manroland. He has a degree in Mathematical Economics from the University of Augsburg.