It's Time to Consolidate OT/IoT into Your Overall Security Strategy


JOHN CAVANAUGH | Vice President & Chief Technology Officer

While working with clients on the rollout of a new regulation, I saw an interesting presentation showing that Operational Technology (OT) and the Internet of Things (IoT) had device counts well above the numbers generally associated with what Information Technology (IT) teams supported. The presentation showed OT/IoT had three times the device count supported by IT, was typically managed outside IT security teams, and had about a tenth of the security budget.

Traditionally, such systems were managed separately. They could be physical control systems managed by a facilities team, SCADA systems operated by plant management teams, and even medical instrumentation managed by a clinical IT group or subcontractor at a hospital. 

Why were they managed separately? 

IT grew from the back office and principally supported business processes, often similar across a wide range of industries. HR, payroll, financials, CRM, ERP, email, telephony, and other forms of collaboration were the primary use cases and were rightly viewed as critical resources by the C-Suite. 

SCADA, CAD/CAM, and CNC technologies began development before the Internet, becoming ubiquitous and the domain of manufacturing engineering organizations. As a result, they were deployed separately from IT and often on an isolated network (with no external access). A similar path emerged in other industries, with facilities teams (physical plant management, A/C, etc.) and security (CCTV, access doors, alarm systems, etc.) leading the charge. 

Why address this now? 

Initially, the consensus maintained that keeping these systems isolated protected them. With no access, they were impregnable. However, two significant trends in the industry have emerged: 

  1. Stuxnet revealed that isolated systems could be targeted. The Stuxnet worm embedded itself in systems and searched for SCADA systems and PLCs (Programmable Logic Controllers). When it found them, it could manipulate them to destroy industrial equipment and perform other malicious acts.
  2. Everything is moving to the Internet Protocol (IP), and many previously isolated systems are now on Wi-Fi or otherwise connected to corporate networks. 

For example, in modern hospitals, IT, facilities, and clinical technology teams often share closets, and sometimes networking resources, yet frequently have no standard security views or budgets.

In the face of ransomware, malicious hacking, intellectual property theft, data theft, and privacy concerns, it is now paramount that chief security officers, risk officers, and CISOs address these issues with a common strategy.


Network architectures and security strategies exist today to support tighter access to and control of all systems and data. Encryption in transit and at rest can protect data and address privacy concerns.

BlueAlly has implemented Security by Design in many industries, providing a methodology to segment environments to protect infrastructure and lock down access to critical systems. The case study linked above illustrates a Payment Card Industry (PCI) example, but we have worked extensively with clients in the financial, healthcare, utility, and government markets. 

Call to Action 

Executives should examine their overall approach to segmentation and security. Leaving their OT and IoT systems separately managed and budgeted dilutes overall security efficacy. In today’s interconnected world, compromised systems in one domain will impact others. 

BlueAlly consultants have a long history of working with clients in regulated industries such as utilities, healthcare, and the financial sector. We can work with your teams to identify and mitigate the risks your firm faces cost-effectively and comprehensively.

To learn more, contact us about the assessments we can perform and the professional services we can provide to address any concerns and improve your security. 
