Convergence of OT and IT systems sees moves to improve security

The increasing convergence of information technology and operational technology presents new challenges for organizations that need to keep their systems secure.

There's also been something of a shift in the focus of attacks, with more emphasis on causing business disruption and damaging reputations.

Trevor Dearing, director of critical infrastructure solutions at Illumio, says, "There's a decline in the volume of traditional ransomware type attacks, and an increase in disruptive attacks. So we saw the UK Post Office, we've seen hospitals in France being disrupted. We've seen some energy things going on in Germany and in Belgium, so that sort of disruptive attack has been growing. And so there's an amount of concern on two sides, one of which is protecting the existing traditional OT environment and the other is on the back of a lot of business transformations going on."

Legislators have begun to take notice of this trend too, and the EU, UK and World Economic Forum have all recently published documents aimed at setting out policies and increasing awareness of the need to protect critical infrastructure and other organizations.

The WEF's Cyber Resilience Pledge, announced last year, is based on principles established for the oil and gas industry. A number of major organizations have signed up and it aims to encourage collective action to boost cyber resilience.

In January this year the EU saw the introduction of the NIS2 Directive. This is aimed at improving cybersecurity with a number of initiatives. These include the creation of a cyber crisis management structure (known as CyCLONe), increasing harmonization surrounding security requirements and reporting obligations, and encouraging member states to introduce new areas of interest such as supply chain, vulnerability management, core internet and cyber hygiene into their national cybersecurity strategies.

In the UK last month the government set out a new strategy to promote cyber resilience across the health and care sectors. This sets out five key pillars to minimize the risk of cyber attacks and other cyber security issues, and to improve response and recovery following any incidents.

Part of the problem is that digital transformation initiatives require information from OT systems that have traditionally been air-gapped or are using older operating systems that are less easy to protect. This requires a different approach.

As Dearing points out:

You can start to put micro perimeters around each of these devices to keep them separate. Now, you can do that only if those devices will support that function, which means they've got to run Linux or run a version of Windows newer than 2008. But a lot of systems out there that are running Windows 7 and XP can't do this.

There's the beginning of a shift to focusing away from network-based security needs areas to asset security. This has become framed as zero trust segmentation, so it's like micro segmentation with visibility and least privilege access, which is really the model for industrial IoT security in the future.
