Cybersecurity, Trustworthiness and IT/OT Convergence
2019-10-30 Marcellus Buchheit
Earlier this year, ARC Advisory Group, in conjunction with Kaspersky Labs, conducted a survey on the State of Cybersecurity of Industrial Control Systems (ICS) as well as the priorities, concerns, and challenges it brings for industrial organizations. Survey participants were nearly split equally between Operation Technology (OT) and Information Technology (IT) professionals.
Not surprisingly, nearly 80% of the companies surveyed stated that OT/ICS cybersecurity was a high priority and felt the need to invest in more resources, in both systems and ICS staff experts, to adequately address the necessary protection mechanisms. When asked to rank their concerns around an ICS cybersecurity incident, respondents primarily cited the health and safety of their employees (78%), as well as possible damage to the quality of their products or services (77%) as major worries, should the worst happen. The loss of customer confidence (63%) and possible damage to equipment (52%) were also rated as significant concerns.
While there was much data to absorb in the report, one particular point of interest for me was the relationship between OT and IT. Nearly 80% of companies surveyed regarded the growing interconnectedness of OT and IT as a challenge, mainly as a result of the digitalization of OT (industrial networks in particular), which can expose industrial systems and devices that might not be adequately protected to cyberthreats. IT and OT teams often have different security priorities and different goals for maintenance and improvement of their systems. In addition, cultural differences and the lack of communication between departments can exacerbate the problem.
In just the past few years, the convergence of IT and OT has become a well-worn topic of discussion, as there have been a few bumps in the road along the way. Let’s take a brief historical perspective and introduce the notion of “trustworthiness” and how it can serve to smooth the path towards convergence.
OT has been used for many years to implement complex technical processes in industries such as energy generation and delivery, oil/gas, production, transportation and others. OT systems were rarely connected to the Internet as their security capabilities were unable to withstand hacker attacks. As a result, OT systems were unable to take advantage of the benefits of cyber connected systems, such as remote access and administration, centralized data collection and analysis, or cloud-based access to information for process automation e.g. automatic access to weather forecasts to optimize commercial energy usage.
In the past 20 years, IT learned how to safely connect to the Internet, but only after experiencing frequently increasing security issues and cyber-attacks. Today, we have IT systems capable of remotely accessing all types of private or public information and executing complex operations, such as Software as a Service (SaaS). However, IT systems are still not ready to handle the high security demands of OT systems.
The convergence of IT and OT is required to successfully implement Industrial IoT systems, but the challenges for such a confluence are high, as noted in the ARC survey: Both sides have significantly different priorities, system models, and terminology.
Let’s look at the term Trustworthiness – a paradigm put forth by the National Institute of Standards and Technology (NIST) and the Industrial Internet Consortium (IIC) to address the key system characteristics of cyber-connected IIoT systems. The IIC defines trustworthiness as the degree of confidence one has that a system performs as expected, characterized by 5 key elements: the degree of safety, security, privacy, reliability, and resilience in the face of environmental disruptions, human errors, system faults and attacks.
Trustworthiness is a trait used for years to define the characteristics of both IT and OT systems. For IT, trustworthiness mainly addresses security, reliability, privacy and resiliency, while safety is a lower priority. On the other hand, trustworthiness for OT mainly addresses safety, reliability and resilience. Security is only marginally addressed and privacy is out of any OT scope. Addressing the missing key system characteristics in both IT and OT systems and focusing on the five key characteristics of the IIoT trustworthiness paradigm will solve many IT/OT convergence problems, especially concerning security, safety, and privacy.
If you are interested in taking a more in-depth look at the characteristics of Trustworthiness in regards to the IIoT, the September 2018 edition of the IIC’s Journal of Innovation features nine articles highlighting different aspects of Trustworthiness, including a short introduction and an article on Trustworthiness in Industrial System Design by me.
Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA
Marcellus Buchheit earned a master's degree in computer science from the University of Karlsruhe, Germany, in 1989, the same year he co-founded Wibu-Systems. He is known for designing innovative techniques to protect software from reverse-engineering, tampering and debugging. He frequently speaks at industry events and is co-author of the IIC's Industry IoT Security Framework publication. He is currently president and CEO of Wibu-Systems USA, Inc. based in Edmonds, Washington State.