Increase in IoT and IT-OT Convergence Demands New Approaches
Non-traditional IT systems security needs to account for all the ways, points of entry and reasons for devices and machinery associated with work today to access your network and the Internet in general. For more than 30 years, IT departments and Security Operations Centers (SOCs) have developed consistent, evolving plans and protocols to serve and protect traditional systems — such as personal computers, workstations and servers housed internally.
But today, virtually every vertical relies on devices other than PCs and servers. These other devices and systems also need network access and potentially offer up more targets for hackers and other bad actors. In manufacturing, operational technology (OT) and production systems are being optimized digitally as part of Industry 4.0 initiatives. In retail operations, point-of-sale systems need connectivity. For healthcare organizations, medical devices are increasingly becoming IoT compliant to offer real-time data and analysis. Embedded scanners and tablets are essential in wholesale, logistics and warehouse facilities.
Each of these technologies comes with their own IP addresses. It means each also offers a potential doorway for security breaches. Each of these technologies is also critical to the success of the business they operate with, but they often cannot be secured in the same way as the traditional IT infrastructure.
When working to improve non-traditional IT systems security, it’s important to consider three areas:
-
Understanding the challenges involved
-
Identifying key considerations
-
Developing a comprehensive strategy
Today we’ll explore those topics and how they relate to securing the ever-changing IT environment that organizations find themselves operating in.
Understanding the Challenges of Non-Traditional IT Systems Security
The first step in creating a strategy for improving cybersecurity — regardless of system or type of industry — is to conduct a risk assessment audit. Before you can figure out how to protect your network, you need to know how many points of entry are using it. With a complete overview of your technology profile, you’ll learn exactly what it is tied to and relying on your network, what devices make up this profile, and what they’re all doing. From scanners used in the warehouse, point-of-sale stations and the PLCs, ICS and SCADA systems used in manufacturing you need to know what, and how much, you need to protect.
It’s also important to note that, especially in the case of OT or SCADA systems, that you’ll be dealing with older technology. The mechanical elements and processes used to control the functions in an oil and gas production facility or power plant for example, are designed for decades of use. These come with older hardware and software components that — because of their essential nature — are not often taken offline for upgrades. Or in some cases these components are incapable of being upgraded due to the age of the operation system, processor power or memory limitations.
Non-traditional IT systems security is also challenged by a lack of consistent patches or updates. In regular IT circles, it’s a simple matter of life that regularly scheduled patches are expected and typically conducted on a routine basis — ’Patch Tuesday’ is well-known for a reason. Most individuals know how, and the importance of, conducting regular patch updates to their personal electronic devices like smartphones, laptops, and tablets. However, this is not the regular course of action for OT or other manufacturing-centric systems like ICS. Older technology is not the only area lacking proper patch support. Televisions, phone systems used in your lobby, even items like coffee makers and fish tanks, now come with Internet connectivity and thus open a door to potential malicious acts. Each of these devices offers a place for hackers to gain entry to the rest of your network.
But even as the exposure to potential cyber attacks continues to grow with the reliance on digital connectivity, the usual solutions can’t be relied upon. While IT and OT are converging in their reliance on network security, the same security solutions cannot and should not be simply copied over. With IT, security is part and parcel to its every-day function; the focus is after all on the information and protecting it. With OT and other non-traditional IT systems, security is not top of mind; maintaining productivity and operation are the primary concern.
Key Considerations for Non-Traditional IT Systems Security
As stated earlier, the goals for IT — where security is at the forefront of implementation — and OT and other non-traditional forms of information technology are drastically different. IT and OT are typically housed in entirely separate departments with different leadership and different scopes of responsibilities.
This divide leads to the first and most important consideration when devising non-traditional IT systems security: Collaboration. It should become a point of focus that cybersecurity is everyone’s responsibility and shouldn’t remain solely in the realm of the IT department, especially with the rise of IoT and OT systems needing network access — and thus opening the door to more threat points.
Getting alignment on security goals and reducing potential friction between the two sides is one step in the process. Producing meaningful discussions about how to tailor specific security solutions for both sides is another. By communicating, common ground can be found, and solutions can be fostered. For example, because availability is the ultimate driver for OT, perhaps needed cybersecurity upgrades can be implemented during a period of scheduled downtime for other preventive maintenance. Open collaboration enables these kinds of fixes more easily.
A second key consideration lies in embracing creative, or non-traditional security solutions as well. Examining network-based technologies could help wall-off older OT elements. The use of internal firewalls can segment more vulnerable components, such as those that would no longer be vendor supported if installed with anti-virus technology.
The use of Network Detection & Response (NDR) and Network Access Control (NAC) technology can add a layer of defense — and detective presence — to elements like OT and ICS that might be impacted with more protective cybersecurity measures. With CIOs now more responsible for OT and non-traditional IT systems security as everyone embraces a more digital footprint, the need for further creative solutions will grow.
Developing a Comprehensive Strategy
With the unique elements of non-traditional IT systems security understood, the threats presented and key considerations pinned down, it’s time to pull it all together strategically. It is here where the efforts of a Chief Information Security Officer (CISO) and Security Operations Center (SOC) will be essential.
One important role for any CISO is facilitating the collaboration needed between IT, OT and other stakeholders. They’ll need to be able to navigate some of the internal battles and technical problems that could arise when trying to devise solutions that cover multiple departments with different goals and leaderships. Your CISO should be a leader in alleviating these competing priorities and finding common ground for previously completely separate divisions within the organization.
It’s also essential to have a fully capable SOC, or third-party managed security service provider (MSSP), to execute a strategy that encompasses all the IT systems you’re dealing with. Hackers and cyber threats don’t take the weekends off, or recognize normal business hours. It’s a 24/7/365 proposition that now also includes an incredible array of locations — from individual homes to the local coffeehouse and even the smartphone in your pocket.
An informed and engaged CISO, and a properly allocated SOC or MSSP will give your organization the best chance to lead the discussions and find the creative solutions needed to safeguard the many non-traditional IT system security needs of today. Defending and monitoring your network properly, and responding quickly when threats arise, are critical to success in this area.
TRG Delivers Security Solutions
At TRG, we’re committed to “Making Technology Simple” — specifically within enterprise mobility, point of sale and payment processing solutions. With the industry’s most comprehensive suite of lifecycle management services, our Unified Endpoint Management (UEM) Support will help you fully optimize your enterprise mobility program across a broad range of devices and operating systems. Our Onsite Services are tailored to each customer’s requirements and are backed by our expert technicians.
TRG also works as an extension of your team to provide a suite of solutions to monitor, advise, alert and respond to information security threats 24/7/365. With TRG, you don’t just get recommendations and security product suggestions — you get direct access to the collective expertise and experience of our seasoned information security professionals.
TRG’s IT security is
powered by MRK Technologies, a sister company of TRG under the TruWest Companies umbrella. MRK Technologies brings decades of experience, and the people, process and procedure to deliver unparalleled results.
Connect with TRG to learn more about improving non-traditional IT systems security and how we can implement solutions to protect your organization’s data and operational integrity.