Raj Sharma Sr, Operating Technology Security Director, GSK
Chris Sullivan, CEO, Nymi
The Colonial Pipeline breach of May 6 was the fourth attack on a US energy company in the last six months. Coincidentally, on May 12, the US government released its long-awaited Executive Order on Improving the Nation’s Cybersecurity. Together, these two events dramatically underscore the severity of the cyber threats we are facing today. More specifically, there is an urgent need to update our security strategies to enable digital transformation to continue. We see this clearly in the IT and OT environments of our public and private sector institutions as our nation wakes up to the critical need to address the dangerously growing IT/OT conundrum.
So, how did we get here?
Connections are good
Once upon a time, Operational Technology (OT) networks were segregated from all other networks (such as IT) — specifically to increase reliability. This made good sense, given that networks were not as reliable as they are today: like a strand of Christmas lights, companies didn’t want (or couldn’t afford) one blown fuse taking out the whole strand.
Fast forward to the present day and much has changed. Enterprise Resource Planning (ERP), Digital Transformation (DX), the Cloud, and most recently, the need to work remotely have combined to drive companies further along the path of connecting their OT networks with the goal of eliminating operational silos, increasing visibility, and making their employees’ lives easier. In this sense, connections are good.
Connections are bad
OT networks control critical operations and infrastructure like manufacturing plants, transportation networks (trains and planes), nuclear power plants, and so on. IT networks are used for email, cloud apps, legitimate web browsing and, as a result, are vulnerable to countless known and unknown attack vectors from virtually any place in the world. When we connect OT to IT, we make them equally vulnerable. So, connections are also bad.
Here are just three examples out of thousands where adversaries likely compromised credentials on IT networks, and then pivoted to OT through such a connection, resulting in catastrophic business and societal consequences:
• June 2017 – An attack using Petya malware was directed at the Ukrainian government and spread into the IT networks of many global companies. In the case of pharmaceutical giant Merck, it quickly spread to the manufacturing lines (OT), taking them offline for weeks. The company reported $1.3 billion in losses.
• February 2021 – A US city water department was breached, and attackers increased the amount of sodium hydroxide (NaOH) in the system by 11,100%. NaOH is used in very small quantities to control acidity, but at these massive levels, it becomes a highly caustic drain cleaner (check the Drano under your sink). Fortunately, the change was noticed and corrected immediately.
• May 2021 – Colonial Pipeline suffered a ransomware cyberattack that shut down 45% of the fuel supply for the Eastern US for a week and caused extensive ripple effects including the panic buying of gas.
The trillion dollar question
So... What do we do? The obvious answer, being implemented around the globe, is re-segmentation.
In principle, this means:
• “Air Gapping” high-risk networks
• Prohibiting traffic between any secured (OT) environments and the Internet
• Restricting connections to only required systems and ports
• Prohibiting any trust relationships across network lines that would permit a compromise on an open (IT) network to a locked-down (OT) network
• Prohibiting password re-use across networks and/or domains
But in practice, these controls cannot be implemented in most environments:
• Data must flow for the enterprise to work
• There is no way to enforce password re-use restrictions
The reality of the matter is that enterprises and agencies are realizing that locking down OT is not at all simple. How do you continue to take advantage of the benefits of IT/OT convergence? What do you do with shared printers? Cloud services? Remote access? Can workers function effectively in such an environment? How many strong and unique usernames and passwords can one person remember without re-use or writing them down?
As seen in the examples above and reported in the Verizon Data Breach Investigations Report (VDBIR) every year since its inception, lost, stolen, or compromised identities are at the root of the vast majority of OT breaches. In the words of Bret Arsenault, Microsoft CISO, “Hackers don’t break in. They log in.”
What we need is a safe, secure, and simple way to ensure that the user at the edge of the network (local or remote), is actually the person you need them to be. To do this, we need presence, non-repudiation (can’t be copied), and collusion/coercion prevention and detection (for example, biometrics to activate and on-body detection to continue use). From an employee perspective, this must all be wrapped in a beautiful and simple user experience that’s connected to everything (IT, OT, doors and floors, vending machines, printers, DX initiatives, health and safety). People have already experienced the ease and convenience of connection and when we take it away to make strong security their responsibility, they will get fatigued and fail.
As more and more operational technology (OT) devices are connected to IT networks, and as more and more threats attack our borders, we are forced to recognize that we are caught in the middle of a connection paradox. The only way out is a deliberate approach to connecting workers that prioritizes security, privacy, and sound UX principles all at once.
A better way to manage IT/OT convergence
In conclusion, the old way doesn’t work. We know better than to live with insecure connections between IT and OT. It’s time to replace the fragmented, risky, cumbersome, and reactionary approaches that are currently being used with an approach that’s built on a comprehensive connected worker platform. This will enable organizations to proactively resolve the IT/OT conundrum by managing and connecting their data, systems, and workers in a safe, secure, and simple manner. Take a look for yourself.