Operational technology (OT) networks control a wide range of critical operations and infrastructure, from manufacturing facilities to transportation networks and energy plants. While IT and OT systems have previously existed separately, the evolution of technology and industry has brought the two together in a trend referred to as IT/OT convergence.
Information Technology (IT) networks connect people to the Internet for necessary general-purpose use. The integration of IT and OT networks has helped organizations across multiple sectors eliminate operational silos, gain visibility, and make their employees’ jobs easier. This convergence of systems is at the core of the connected factory concept, for example. The advantages are potentially endless and are only just beginning to be explored.
But there’s a hitch. “IT networks have a lot of inherent risks because they’re connected to the Internet,” explains Chris Sullivan, CEO of Nymi. “When you connect OT to IT, you’re exposing your OT networks, which could be critical for any number of reasons; they might be controlling a power grid or water supply – whatever it may be, you’re exposing that infrastructure, as well as the entire population of people who depend on those infrastructures.”
Hackers understand this and are increasingly attacking critical infrastructure and seizing the OT networks for ransom. In May, a breach of the US’s Colonial Pipeline grounded the operations of a company that delivers almost half of the East Coast’s fuel. Earlier in the year, hackers tampered with a water treatment facility in Florida, raising the amount of sodium hydroxide in the water supply to toxic levels before an employee spotted the incident just in time.
Both examples show all too well that while cyberattacks originate and occur in the digital space, they can have a hugely significant and potentially deadly impact in the physical world. The conflict lies in the fact that a beautifully integrated OT ecosystem that is better for business and employees necessarily exposes that ecosystem to greater risk.
The business and societal consequences of such an attack can be catastrophic. Production stoppages in the pharmaceuticals industry, for instance, are highly costly. In 2017, an attack directed at the Ukrainian government also found its way into the IT networks and manufacturing lines (OT) of pharmaceuticals giant Merck. With the company offline for weeks, a loss of $1.3bn was reported.
Such OT-related attacks appear to be increasing as well. “It’s only going to get worse,” says Sullivan. “The adversaries are going to get more sophisticated. As defenders, we need to think about what we can do to continue to harden these networks yet, at the same time, continue to open them up.”
Re-segmentation is not a viable solution
In response to the conundrum, many companies consider the re-segmentation of IT and OT as the best solution. This involves ‘air gapping’ high-risk networks, restricting connections, and prohibiting traffic. But where does this leave remote access, cloud services, and enterprise resource planning (ERP): each now a critical aspect of an enterprise’s operation? Re-segmentation would represent a big step backward, and above all, is simply not viable in many environments. According to Sullivan, “There’s too much business value in connecting networks and there’s no turning back.”
By segmenting IT/OT and introducing tighter security controls, organizations are also putting the burden of strong security on the backs of their employees. “When you increase controls, you do not necessarily increase security. If you put too much security burden on the workers, they’ll get fatigued, become prone to human error, and find a way around it,” notes Sullivan.
Lost, stolen, and compromised identities are at the root of the vast majority of OT breaches. Organizations require a safe, secure way of detecting presence, non-repudiation, and collusion/coercion. Rather than locking down OT networks and giving up all the benefits of integration, a connected worker platform that prioritizes security, privacy, and user experience is the right way to redefine IT/OT convergence so that a paradox no longer exists.
As the threat of OT breaches rises, and the need for digital transformation grows, better security strategies are needed. The Nymi Band™ provides a connectivity paradigm shift to a wearable biometric-based platform that connects workers across multiple environments in a Zero Trust and Privacy by Design framework that employers and employees can confidently embrace. This connected worker approach empowers companies with the right security and user experience measures to successfully navigate the IT/OT connectivity paradox and continue safely on the journey of digital transformation.