Supply Chain Technology: IT/OT Convergence

As technology expands at an increasingly high rate; robotics, conveyance and automatic guided vehicles have also increased in accuracy with less waste; so, what’re the next steps?

Although Supply Chain has required improvements in technologies, there are lots of systems and tools which can be deployed to monitor real-time information for real-time decision-making, connecting to Manufacturing Execution Systems (MES), Maintenance, Quality, and others. But with so many systems and software’s out there, how do you choose? This is exactly the question EVERYONE should be asking.

Firstly, As Industry 4.0, or digital transformation, continues to expand, there is a growing need to link and integrate business systems with manufacturing systems and shop-floor equipment. However, It is critical to note that this convergence between IT and OT carries risk because Industrial Control Systems (ICS), which are used in almost every machine or infrastructure – handling physical processes – are often unpatched and do not play nice with anti-virus software so they are highly susceptible to attacks. For OT organizations responsible for critical infrastructure, any hint of compromise needs to be taken very seriously. This is why it is time to get down to business to start planning to secure your environments.

While IT systems are mostly standardized, UDP/TCP/IP, OT systems use a wide array of protocols, many of which are specific to either function, industries, geography, etc. As IIoT devices become more common, external partner products present significant challenges to creating secure environments: there is a larger challenge to secure legacy systems. In effect, digital transformation efforts generate these structural problems, and these problems become exacerbated by poor IT security hygiene practices within OT environments. This is largely due to the insecure deployment of IIoT devices, a lack of visibility of the devices, or the interface of them through networks to business systems.

It is IMPORTANT that you understand that the enormous presence of unprotected IIoT devices is providing opportunities for threat actors. The terrifying part is that most of these devices are plug-and-play without the need for passwords or configurations which essentially makes security optional. Many of these types of devices are shipped with commonly known default passwords to provide easy access to configuration panels. You might be able to imagine that it is not so difficult for hackers to create botnets to trigger distributed denial-of-service (DDoS) which freezes or disables systems. From a technical point of view, these attacks have elaborate mechanisms that are difficult to detect because they are encrypted and designed to profile processes. These attacks can enter your poorly secured OT environments into your business systems to exfiltrate organizational data and threaten to leak it or steal proprietary information.

We know that the devices are not secure and pose threats to organizations, but there are additional concerns regarding IT/OT convergence that needs to be mentioned. The first is the accidental insider who is on a quest to create greater efficiencies and productivity lacks security awareness; they may accidentally introduce conditions that make environments more susceptible through ill-advised changes in configurations. Secondly are external actors: As most organizations need help from external partners to set up these new shiny things, accidents can happen. The third is a malicious insider: a trusted person with technical knowledge and access who manipulates systems. The fourth, a malicious outsider, whether an external partner or a hacker, the lack of security controls puts organizations at unnecessary risk.

"As IIoT devices become more common, external partner products present significant challenges to creating secure environments: there is a larger challenge to secure legacy systems"

If all these points are starting to alarm you, then you are starting to understand that you should not be taking these risks. So, what do you do? The best answer is planning a physical separation of devices and networks. For example, you should not co-locate IT and OT applications on the same physical infrastructure. It looks more economical to have centralized (or cloud) infrastructure for IT and OT applications and infrastructure, but what is the cost of a breach? OT lower-level devices should be on-premise and not have access to the internet and you can control who has access to those devices using the local OT infrastructure. Secondly, evaluate your firewalls to ensure you have a separation between IT and OT, this way the firewalls can act to prevent OT devices from going through the IT networks, and vice versa. Thirdly, segregate internal networks: IT systems should access separate VLANs to OT systems; this way, individual switch ports can be configured to that VLAN.

Now you might be thinking, great, there is a way to fix it. Well yes, in many cases but there are a lot of considerations to plan for. Many solution providers are using PCs as managers for their systems and quite frankly, they are far less secure than a physical server and so that device has to be placed into the lower level and accessed through a Jump Host. There are also considerations on the number of VLANs depending on configuration and applications, failover devices, clusters versus high availability, methods and devices to scan OT environments, and the big one – Support Processes. So do yourself a favor and create a detailed process flow map that can lead to architecture discussion, which will lead to system needs.