Why OT Gives Security Professionals Anxiety

What keeps you up at night? For Industrial Internet of Things (IIoT), or operational technology (OT) security professionals it can be the potential negative business outcomes a security issue can have on critical operations. And with the explosion of connected devices in enterprise environments, there’s even more cause for concern as these threats are difficult to see, let alone combat.

Forescout Technologies, Inc. recently commissioned a survey that unveiled some of the major challenges Line-of-business (LoB) leaders and IT teams face, and why they are feeling anxious about securing critical IoT and OT devices.¹ According to the survey, over half of respondents said they have anxiety due to IoT/OT security challenges, with LoB leaders admitting to higher anxiety levels (58 percent) than IT (51 percent).

Enterprise organizations cannot defend what they cannot see, and they certainly can’t tackle today’s most advanced threats if they are scrambling to find the right tools, resources and policies for accurate protection. OT devices including connected valves, pumps and other connected infrastructure are often left out of the security equation. When these devices are left insecure, a cyberattack could result in a physical safety issue or catastrophic damage to an entire organization.

However, when security efforts are supported top-down (starting with the board of directors) and the right visibility protections are in place, IT and LoB teams can potentially have full visibility into OT and IoT devices on their network—and perhaps sleep a bit more soundly.

OT Security: You Can’t Secure What You Can’t See

Almost half (48 percent) of respondents stated that improving awareness and visibility of their connected devices is a top priority and their next step. But, how can IT and LoB teams build a strong security posture when they don’t know what they are securing in the first place?

To gain visibility into OT infrastructure, LoB and IT teams need a solution that is able to understand the profile of the devices on the network (including each device’s owner, purpose, policies, and more). Then, teams can use the same solution to classify and control the right security measures for each device to maintain constant cyber hygiene. If an OT device is acting out of character (such as requesting data or performing tasks out of the ordinary), automatic security controls will trigger a response to determine if the actions are malicious or not.

Added Dimension: The Internal Third-Party Threat in OT Enterprise Environments

There’s also the threat of internal third parties. OT enterprise environments are highly critical to the business, yet the equipment used is typically based on proprietary, legacy technology. Third-party devices bring a lot of unknown threats—potentially resulting in gaping holes in the network where ransomware, distributed denial of service, botnets or other attack methods can come through.

This is not to say third-party contractors are malicious; they are just entering an organization to do their jobs—completely unaware of the risk they might cause. For example, a third-party contractor may come to install an OT device such as a connected energy switch. They temporarily connect to the network—without security processes in place on the connected device and without the knowledge or visibility of the security teams. When a third party is temporarily connected to the network with an “invisible” device, IT and LoB teams cannot see it and therefore cannot protect it. The device could be riddled with vulnerabilities that, if taken advantage of by an adversary, could cause harm throughout the entire industrial OT environment.

As you can see, there are extensive reasons why OT is an area that needs further exploration from a security perspective and why security and LoB leaders have anxiety about the topic. Visibility across the entire network, not just the “carpeted area,” is becoming increasingly critical for organizations as security issues in OT could expose the business overall.

In my next post, we’ll discuss how internal relationships between IT and LoB operations often expose organizations to more risk, and how senior leadership needs to pay attention to this critical collaboration.

To learn more about Forescout security for IoT and OT, visit Forescout’s IoT solutions page and OT solutions pages.

¹ Fail To Plan, Plan To Fail, a commissioned study conducted by Forrester Consulting on behalf of Forescout, November 2017