Resolving the IT/OT Connection Paradox

Good and Bad Connections

Once upon a time, OT networks were segregated from all other networks, such as IT — specifically to increase reliability. This made sense, given that networks weren’t as reliable as they are today, and like Christmas lights, companies didn’t want — or couldn’t afford — one blown fuse taking out the whole strand.

Fast forward to the present day and much has changed. Enterprise resource planning (ERP), digital transformation (DX), the cloud, and most recently, the need to work remotely have combined to drive companies further along the path of connecting their OT networks with the goal of eliminating operational silos, increasing visibility, and making their employees’ lives easier. In this sense, connections are good.

OT networks control critical operations and infrastructure like manufacturing plants, transportation networks such as trains and planes, nuclear power plants, and so on. IT networks are used for email, cloud apps, legitimate web browsing and, as a result, are susceptible to countless known and unknown attack vectors from any place in the world. When we connect OT to IT, we make them equally vulnerable. So, connections also are bad.

Here are just three examples out of thousands where adversaries compromised credentials on IT networks, and then pivoted to OT through such a connection, resulting in catastrophic business and societal consequences:

• June 2017: An attack using Petya malware was directed at the Ukrainian government and spread into the IT networks of many global companies. In the case of pharmaceutical giant Merck, it quickly spread to the manufacturing lines (OT), taking them offline for weeks. The company reported $1.3 billion in losses.
• February 2021: Cyberattackers breached a U.S. city water department and increased the amount of sodium hydroxide (NaOH) in the system by 11,100%. NaOH is used in very small quantities to control acidity, but at these massive levels, it becomes a highly caustic drain cleaner (check the Drano under your sink). Fortunately, the change was noticed and corrected immediately.
• May 2021: Colonial Pipeline suffered a ransomware cyberattack that shut down 45% of the fuel supply for the Eastern United States for a week and caused extensive ripple effects, including the the public’s panic buying of gasoline.

The reality is that enterprises and agencies are realizing that locking down OT is not at all simple. How do you continue to take advantage of the benefits of IT/OT convergence? What do you do with shared printers? Cloud services? Remote access? Can workers function effectively in such an environment? How many strong and unique usernames and passwords can one person remember without re-use or writing them down?

As seen in the examples above and reported in the Verizon Data Breach Investigations Report (VDBIR) every year since its inception, lost, stolen, or compromised identities are at the root of the vast majority of OT breaches. In the words of Bret Arsenault, Microsoft CISO, “Hackers don’t break in. They log in.”

A useful approach is a safe, secure and simple way to verify the user at the edge of the network — local or remote — is actually the person you need them to be. To do this, we need presence, nonrepudiation (can’t be copied), and collusion/coercion prevention and detection. An example of this is biometrics to activate and on-body detection to continue use. 

From an employee perspective, this must all be wrapped in a simple user experience that’s connected to everything — IT, OT, doors and floors, vending machines, printers, DX initiatives, health and safety. People have already experienced the ease and convenience of connection and when we take it away to make strong security their responsibility, they will get fatigued and fail.