As the names imply, operational technology (OT) and information technology (IT) have different origins. OT exists to manage operations – specifically, physical operations in various sectors of industry that have benefited from automation and mechanization. By contrast, IT exists to manage information. That is, it records, stores, arranges, analyzes, and presents information in digital form for individuals and organizations.
IT devices are not sector-specific, and they tend to be less expensive than their OT counterparts. As a result, they’re far more widely used – and thus, they have a much higher need for protection against security breaches.
In other words, the number of people carrying laptop computers around is much higher than the number of people carrying programmable logic controllers (PLCs) every time they leave their workplaces. As a result, there are more people thinking about how to secure their laptops against cyberattacks than there are people thinking about how to beef up cybersecurity measures for PLCs and the machines they control. Furthermore, there are more cybersecurity providers looking for ways to protect computer users than there are cybersecurity providers looking for ways to protect PLCs and other components of OT systems.
Increasing Need for OT Security
For years, the gap in interest between cybersecurity for IT and cybersecurity for OT didn’t matter much. After all, IT systems were far more likely to be connected to the internet, which was the source of most cyberattacks, than OT systems were. Instead, OT systems were likely to be air-gapped – that is, physically isolated from the internet, with no direct means of linking to wider networks that might serve as a point of entry for a malicious actor.
This isn’t necessarily true anymore. OT operators now have the option of adding connected devices to their systems in order to minimize expenses and improve performance. They may, for example, pair Industrial Internet of Things (IIoT) sensors that generate data on power-intensive manufacturing processes with an analytics solution that can parse the data to determine how to take advantage of off-peak pricing for electricity.
If they do, they stand a chance of realizing major gains in the form of lower costs and higher efficiency. But there’s a trade-off. They’re also putting themselves at risk of a security breach because the IIoT sensors and analytics solutions that generate these gains rely on being connected to the internet, which may offer multiple points of entry for cybercriminals that specifically target OT systems.
The best way to guard against such a breach is, of course, to introduce cybersecurity solutions into OT systems. But how exactly does this help?
Key Components of Cybersecurity: Threat Detection and Response
One of the key components of an effective cybersecurity solution is threat detection and response. If your team is deploying OT Security, you are likely incorporating some form of Threat Detection.
In the simplest terms, cybersecurity solutions are supposed to remain on guard, figuratively speaking. They should be scanning OT systems, checking for deviations from the norm, reporting their findings, and issuing alerts whenever concerns arise.
In other words, cybersecurity solutions begin with detection. They are responsible for conducting automated (i.e., passive) scans of every part within an OT system to determine whether any anomalies or signs of a threat are present. They must compare what they find against what they expect to find. They must check what they observe against cyberthreat intelligence – that is, external reports about the characteristics of new or rising threats. And they must report what they encounter so that users can verify that requirements are being met.
Beyond detection, cybersecurity solutions proceed to the response stage when problems are detected. They generate alerts that inform key personnel of these problems, then teams follow set strategic protocols about what to do next and how best to prevent a repetition of the incident. These alerts help security teams decide whether the threat is serious enough to warrant initiating an active scan, in which humans lead the hunt for signs of a threat, or even calling in specialists to mount the most vigorous response possible without compromising operational priorities such as minimizing downtime.
Visibility: Foundation of Threat Detection and Response
In short, threat detection and response is crucial. If cybersecurity solutions don’t have the capability to look for threats and respond to threats, they simply can’t do the job of protecting OT systems. Accordingly, OT operators should look for ways to ensure that their solutions perform these tasks optimally.
One of the best things they can do in this process is make the effort to eliminate blind spots and maximize visibility. Detection involves scans, and scans are more effective when they cover every single part of an OT system – every machine, every component, every sensor, every connection, every interface, and so on – since you cannot secure what you can’t see. They also benefit from maximum packet visibility – that is, the ability to see what kinds of data are (and have been) moving through the system.
Network TAPs (test access points) help operators achieve this visibility. They collect complete data on the traffic flowing through OT systems, and they do a better job of it than switched port analyzer (SPAN) ports. Network TAPs do not drop packets and are more likely to be available throughout the systems being scanned, as legacy switches and SPAN retention can make it difficult for threat detection tools to access the data. They’re also useful when setting up the asset inventories that serve as baselines during active and passive scans – and avoiding disruption of systems while doing so.
Looking to add TAP visibility to your threat detection deployment, but not sure where to start? Join us for a brief network Design-IT evaluation or demo. No obligation - it’s what we love to do.
