Connectivity between IT and OT calls for a thorough security approach

By Eric ten Bos, co-founder & technical lead of the Thales Cyber OT Convergence Center (OTCC)

For some time now, the cybersecurity sector has been stressing the fact that an increasing number of organisations will be faced with tightened security rules. Not only because of the NIS2 Directive and the successor of the Network and Information Systems Security Act (WBNI). But mainly because cyber threats are becoming ever more complex and attacks ever more professional. Information systems remain vulnerable, and you have to arm yourself against this. Not in the least because the IT environment has by now been so closely integrated into operational technology infrastructure that the continuity of processes that help us in everyday life is coming under pressure. From barriers in car parks to water pumps and locks to guarantee our country stays dry. Further integration of systems is also necessary for future business innovation. And your security policy helps to achieve this. 

The business sector is calling ever louder for more efficiency, management, and control of operational technology. This brings the interrelatedness of IT and OT even closer. The somewhat older ‘just in time’ principle for delivery and ‘near real-time’ sending of order specifications is becoming dominant in all industries. In addition, the need for detailed information on product quality is on the rise. In short, the hunger for information is increasing, and today, this also means that organisations deploy generative AI applications.

The heart of the matter is that operational technology must be able to change from static - a machine or installation just doing its job - to more dynamic. You can use machines, for example, to respond to peak demand because, as an organisation, you have the data that can predict them. The same goes for preventive maintenance, which can be scheduled in advance because sensors monitor the load on a motor. You can intervene before the machine breaks down. You can use generative AI, for example, to analyse parameters (temperature, air pressure) and then optimise processes. And we also see applications that use image recognition to carry out product inspections as part of quality management. 

From Industry 4.0 to 5.0

Slowly but surely, a shift is taking place from Industry 4.0 to 5.0. Just like 4.0, this last stage is characterised by a high degree of digitisation and automation, including the help of AI. An additional dimension is the collaboration between man and machine, in which sustainability also plays an important part. This way of working, in combination with the industrial internet of things, is not new, but the scale on which this is happening has expanded at a rapid pace. And so the integration between OT, IT and IIoT has really taken off. Data collected in the OT environment need to be analysed and result in smart conclusions in the IT environment. And then that input can be used for automatic OT management. In the past, I also referred to IIoT as Shadow OT.

Attack surface for cyber criminals has expanded massively

Because of this close interrelatedness, the attack surface for cyber criminals has expanded massively. Not only in terms of fact, since a PLC - and its machinery with it - may become the victim of a cyber attack. But also in terms of volume, because sabotaging an oil pipeline or halting production may result in huge disruption and damage. No wonder, therefore, that the scope of the NIS directive has been broadened and the provisions have been tightened. This should be a guideline for essential organisations to bring their current security measures up to the appropriate level. Practice shows, however, that the level of security has not grown along with the fast pace at which the integration between IT and OT has been effected. Applications with IIoT and generative AI have not been developed according to the ‘secure by design’ principle. As said in earlier blogs, 100 per cent secure by design is hard to achieve. And what is secure today may not necessarily be secure next week. That means that, as an organisation, you have to put a lot of energy into monitoring, to ensure that you can detect unusual behaviour on your network. It is a bit like opening the front door and constantly walking through your house to check strangers and not taking valuables from your cupboards. In the long term, it will always remain a combination of secure by design and monitoring. Be sure you know that when you roll out new applications and systems in the context of Industry 4.0 or 5.0, that they are secure by design and system, product and process are secure from the start, making it easier to adjust to changes in the threat landscape later on. 

Secure by design
Nevertheless, your organisation still has (parts of) an infrastructure that is not secure by design. Take a good look at NIS2 and follow the principles that arise from this Directive:

• Everything starts with a good business risk inventory of the systems.
• Manage the security risks - chain liability also plays a part here.
• Protection against cyber attacks, including organising awareness training and identity management.
• Detect cyber security attacks and see to it that this is done proactively.
• Reduce the impact of a cyber attack, for example by having backups ready and having a disaster recovery plan in place.

The motto for organisations that have closely integrated IT and OT should be: new developments must be secure by design. Where this is not yet possible, ensure that the security monitoring environment is at the right level and that you are properly secured. These are good first steps for future NIS2 compliance.

Step by step secure by design 
Secure by design seems a somewhat abstract concept. The following checklist gives you something to hold on to. Realising secure by design should contain the following elements:

1. Determine what business risks can be caused by a new system.
2. Determine which level of security you want to achieve.
3. Determine which measures are specifically necessary for this project.
4. Find out to what extent and in what ways the project concerned impacts the general security measures in the organisation.
5. Identify and list the additional activities that are necessary.

The IEC62443 framework offers OT environments good tools for defining an approach for this. In short, be prepared with secure by design, monitor actively, and make sure that you are able to adapt security measures to tomorrow’s reality. If you use this approach, compliance will be a result of the secure by design principle. You will be compliant in a way that is in keeping with reality and that can easily be implemented.