The role of the SOC when undertaking IT/OT convergence

Traditionally separate components within a business, information technology (IT) and operational technology (OT) infrastructures are increasingly becoming converged.

A key motivation for this shift is cost reduction. By bringing IT and OT together, complexity can be removed, and management overheads reduced.

Another motivation is improving security. OT infrastructures tend not to have the same level of protection in place as IT infrastructures, so the logic is that bringing these together will improve this situation and make them more resilient to cyber attacks.

Organisations are also looking to achieve performance improvements from IT and OT convergence. Data from OT systems can more readily be shared with IT applications, streamlining operations and increasing productivity.

For example, real-time production data can be shared with inventory tracking and ordering software. This can allow supplies to be ordered as these are required to ensure consistency of output.

IT versus OT

While the convergence of IT and OT can deliver business benefits, it also creates some significant challenges. This is because the two technology types are very different.

IT infrastructures are very much focused on information management and comprise equipment that can complete a range of different tasks. There is also widespread usage of virtualisation which abstracts applications and databases away from the underlying hardware which tends to be replaced every three to five years.

VIEW ALL

OT infrastructures, on the other hand, are focused on controlling physical processes and the equipment used is purpose built for particular tasks. Virtualisation is not used, and hardware tends to be in place for anywhere between 10 and more than 30 years.

Many OT infrastructures have also been designed and built based on the Purdue Model. This model dictates how the infrastructure should be segmented into a number of layers from basic control functions through to the overlying network and enterprise applications.

OT security gaps

Because of the way it differs from IT, an OT infrastructure can present some significant security gaps. These can cause big issues for the business as these could lead to attacks and disruption.

One challenge occurs when there are so called “invisible assets” within the OT infrastructure. These assets may not be connected using the TCP-IP protocol and so can’t be monitored using conventional tools.

Another challenge arises when there is no tracking of configuration changes in production equipment. This can lead to changes being made that go unnoticed by the security or IT teams.

Further issues are being caused by the rapid digitisation of many underlying processes. While this is designed to make these more flexible and efficient, it can also open these up to potential supply-chain attacks.

If attacks against OT infrastructures are successful, they can have a range of potential impacts. Machinery can be remotely stopped or started, potentially causing damage or wastage. Data and control can also be compromised thereby resulting in significant disruption and loss.

Improving security in a converged OT/IT environment

There are a range of steps that can be taken to improve the level of security that exists within a converged OT/IT infrastructure.

The first is to undertake a comprehensive inventory audit to identify the OT components that are currently in place. This should cover all components regardless of the communications protocol they are using.

The next step is to put in place a method to collect data about each of the identified component. This data needs to be gathered on a consistent basis and should ideally be handled through automation.

The gathered data then needs to be contextualised and enriched with important details such as the processes it represents, its location, ownership and level of criticality to overall operations.

Once these steps have been completed, it’s then time to manage the overall attack surface. Identify the points through which an attacker could gain access and ensure measures are put in place to close these off.

The role of the SOC

When it comes to using a security operations centre (SOC) to monitor an OT infrastructure, organisations have two choices. They can either use the same SOC for both OT and IT or establish separate facilities.

This second option is likely to be challenging as there is a chronic shortage of experienced OT security professionals on the market. It also means the organisation will end up with two security teams which may add to complexity.

However, if the IT SOC is simply handed responsibility for OT security, they could find themselves hamstrung with a lack of detailed knowledge. All required measures may not be put in place leading to unwanted security risks.

The best approach is to develop a single team comprising both skill sets. Team members can learn from each other and extend their skills and knowledge in both areas.

By creating a single, multi-skilled SOC team, a business will be best placed to prevent attempted cyber attacks on both its IT and OT infrastructures. When the two are converged, it makes even more sense.

Joanne Wong is the vice president, international marketing APAC and EMEA at LogRhythm.