IT/OT Security Convergence And Risk Mitigation - Damian Ehrlicher, Chair & CEO at ProtectedIT
OT security has been a blind spot in many organizations for far too long. With the new remote workforce explosion, this blind spot has seen even more growth because many companies are now focused on other areas of their network. The attack surface has grown exponentially, and the OT blind spot has unfortunately been pushed to the back burner once again.
The IT/OT convergence was in full swing prior to Covid-19, and we see that it is still happening at a quick pace in some organizations, but the gaps that exist on the OT side are still extremely prevalent. Most organizations are still not patching or upgrading at the recommended rate, so the threat landscape has continued to grow as internet exposure increases and organizational focus goes elsewhere.
Fortinet CISO Rick Peters noted in Industry Today that "nine out of 10 surveyed organizations said they'd experienced at least one OT system intrusion in the past year — that's up from 19% in the year prior. What's more, 68% of those organizations experienced at least three or more intrusions — up from last year's 18%." That was in 2019; in 2020 there are far more people working from home, and every additional endpoint is another entry point through which malicious attackers can reach your environment.
Malicious threats are not going to decrease anytime soon.
The traditional approach to this space has been network and endpoint security, with risk mitigation in case of a breach. But keeping IT and OT networks and their underlying security programs separate creates additional workstreams for security operations centers (SOCs) and network operations centers (NOCs), and those workstreams create new problems of their own. This has given malicious organizations the ability to target the weakest links and go unchecked because attention is divided.
IT and OT security have had to merge in order to meet market demands. The convergence of these networks was growing, but I am noticing that more and more teams are very tactical in this market and have lost focus on these attack surfaces as of late. There are myriad products and services that can help organizations mitigate these risks, but they need a correlated, programmatic approach that combines these very distinct networks and applications. Combining these distinct paths is easier said than done, but the application layer seems to be the biggest gap in OT security.
Traditionally, OT security focus points are network and endpoint security, but the applications need to be pushed to the forefront.
OT application security is very segmented in the market, and while there are solutions for it, it's not being addressed as much as it should be. Most of what we are seeing is manufacturers addressing the issue by releasing updates and patches, but because some of these applications run in containers or as part of an application stack that isn't critical to the day-to-day business, the work is being pushed to the back burner within many organizations.
In 2019, Amit Yoran, the CEO of Tenable and former U.S. national cybersecurity director, told CyberScoop that much of the cybersecurity industry "has fed and continues to feed, to a large extent, off of fearmongering." However, Yoran recently bought an OT-focused security company, stating, "For every company in every industry, OT is now part of the modern attack surface. CISOs are being asked to secure OT systems alongside IT but lack the necessary visibility and technology to manage and measure OT cyber risk in the same way as IT risk."
Yoran sees how important this is to the new threat landscape and understands that the combination is what it takes "to deliver the industry's first unified, risk-based view of IT and OT security," calling it a "game-changer." I'm sure in due time you will see more and more companies try to bring this convergence into a single view, and the cybersecurity industry is starting to address this on multiple levels.
Not everything is doom and gloom.
There are several companies coming up with new ways to mitigate risk, and these technologies are seeing a lot of traction and adoption in the IT/OT convergence space. Runtime application self-protection (RASP) is the evolution of two precursor technologies, web application firewalls (WAF) and static application security testing (SAST), as well as related technologies. WAF solutions, also known as Layer 7 firewalls, were the first industrial-scale solutions for application security.
Now we see this evolution continuing with application memory firewalls, which protect memory at the application level by mapping out the proper behavior of an application down to the memory level. These firewalls can immediately recognize and prevent the deviations that fileless attacks and fileless malware cause. This can eliminate many of the OT blind spots, such as zero-day attacks, fileless attacks, buffer overflow attacks and exploits, stack smashing, DLL injection and execution, return-oriented programming (ROP) and ROP gadgets, side-channel attacks, corruption of configuration data, and Spectre and Meltdown.
Virsec CEO David Furneaux has stated that the company's goal is to protect critical applications at the deepest levels of process memory by stopping "sophisticated threats, vulnerabilities and attacks, in a far more effective way than other solutions on the market." These novel approaches to the OT security landscape can help mitigate some of your risk, but at the end of the day, it comes down to process, procedure and technology.
All three are a necessity in this new cyber world we live in. Implementing the technology is the easy part of the equation; the hard part is driving the behavior and processes to get the full ROI. For mature security programs, this may be easier said than done if they are stuck in their ways or more focused on compliance.