I am often asked,
What does it take to build a resilient operational landscape?
What is the secret sauce to securing operational technology against malicious intent?
Well, for starters, acknowledge that operational technology (OT) is as prone to security threats as information technology, if not more so. OT lives its life behind the closed doors of manufacturing setups and is often treated as a poor cousin, especially when it comes to auxiliary investments and security. However, the advent of new-age concepts such as IoT, connected devices, autonomous systems and Industry 4.0, among others, is ensuring that OT gets its due share of the limelight. On the flip side, attackers too have identified that there are spoils to be exploited, hence the increase in the number of attacks on OT.
Here are a few starting points to ponder:
Are you allowing shop floor terminals to run old versions of the OS?
When did you last run a security audit of your shop floor?
Is there a security posture defined at all for OT?
How often are you testing the ring-fenced network?
The biggest single point of failure continues to be retrofitting security once the OT landscape is designed. Security needs to be a design consideration and not a tick in the box as far as OT is concerned – which brings us back to the point of adopting a security posture.
With organizations embarking upon their journey of adopting Industry 4.0, the very design principles of Industry 4.0, namely Interoperability, Transparency of information, Technical assistance & Decentralization of decision making, provide viable opportunities for attackers to exploit. These principles demand that you interweave IT closely with OT, make loads of data available & give machines autonomy for course correction in order to deliver the desired benefits. These tools in turn become levers of attack. The situation becomes far more adverse and dangerous since it not only poses a threat to intellectual property & operational efficiency, but also puts at stake control of equipment that may harm life or limb if compromised.
My mantra: treat OT on par with IT when it comes to security. OT needs to be looked at through the same lens of security, with due importance on the 3 Aces of Access, Authentication & Authorization.
Safeguard the mode of access: Say the operations are down and need immediate rectification. The support partner is not on site and needs to be able to access the systems remotely. What do you do? Opening the network with unguarded access is the most commonly chosen option, since the focus is to restore operations first and think about everything else later. Scavengers have their eyes and ears open to such opportunities and pounce on them to implant malicious code & plan deep attacks much later. It is worth noting that the advent of AI has pushed network traffic inspection leaps ahead and it now provides predictive capabilities instead of the erstwhile reactive options – evaluate their applicability and utilize them.
Don’t compromise on authentication: We insist on strong authentication when it comes to intellectual property & prime applications, so why should it be any different for OT? It becomes even more important in machine-to-machine communication scenarios, since everything is happening on the fly without any human intervention. Placing due importance on the identity of the asset demanding access is prudent, even if it means investing those few more milliseconds of processing time.
Limit authorization: Continuing with the instance above, granting unrestricted authorization to mend the problem seems a very natural choice, thus leaving the landscape vulnerable. Automated attacks, especially the ones focusing on denial of service or on locking out the landscape, which can bring operations to a grinding halt, count on us to make such choices. The same applies to connected machines. Adopt a need-to-know approach – so what if it’s a machine?
While ZERO TRUST may sound like a Utopian state, there is no harm in making an endeavor to move towards it.
How much should we invest in it?
How much is too much?
... they ask.
Well, the answer is simple & lies in another question – you are buying life insurance; what do you think your life is worth?
Dhaval Pandya is the CIO & CDO at JSW Paints Private Limited, Mumbai – a startup within the billion-dollar JSW business conglomerate. He reports to the CEO and is a part of the Core Leadership Team. He is involved in all the strategic initiatives and discussions across the functions. His vision is to deploy technology that can provide a sustainable competitive advantage in the long run & enable business of the future. He participates as an expert, speaker & panelist at various forums to deliver thought leadership around providing a point of view, evaluation, applicability & futuristic potential of various levers in information technology and digital.