The fact is that we see a significant increase in the number of attacks on both the industrial control systems (ICS) and the operational technology (OT) side of the Industrial Internet of Things (IIoT).
However, the real question is why IIoT is that vulnerable to cyber attacks? The consensus among experts is, in a sense, a perfect storm of conditions in recent years, all of which together have led to these trends.
The so-called perfect storm consists of the following elements:
- Old OT equipment and control systems which haven’t been designed to function safely online
- A subsequent and inevitable patchwork of OT and control system from multiple non-coordinated vendors
- Inadequate or non-existent cybersecurity technology and practices
- Lack of budgets for security
- A massive increase in the number of devices and sensors connected to IIoT of organizations, which together represent a perfect destination for attacks
- An increase in the number and types of cyber attackers
IT and OT – One is Not for the Other
The biggest problem when it comes to cybersecurity in this industry is the fact that organizations do not differentiate between the two.
OT networks are more diverse and more complex, and yet all the benefits and risks of IT are migrated to them. It inevitably leads to vulnerabilities in the OT networks, as they were never designed to deal with IT security issues.
Also, each OT is unique and different; each is an embedded system, made from components from several manufacturers – which makes them impossible to secure with the same IT technology properly. Most companies do precisely that. The security has to be built in the system itself; it cannot be provided from the outside and as a sort of patch.
Lack of Standardized Cybersecurity
With such great complexities of OT networks versus IT and the uniqueness of each ICS, it’s not surprising that there is no standard for their security. There are some, but they are not enforceable to all. The chemical and energy sectors are these exceptions, but naturally, they cannot apply to the manufacturing industry.
Furthermore, even the US government is not requiring enough cybersecurity standards for control systems and their compliance.
Another big problem is the people who work with OT networks do not have a good knowledge of security practices that the staff for IT networks has.
Besides the fact that they are not used to following similar procedures, most of them are untrained in cybersecurity. Furthermore, many among the engineering OT staff do not know how to design, manage, and diagnose and maintain cybersecurity systems.
The reality is that you have to engineer security like you have to engineer your control systems. Unfortunately, many companies are failing to understand that.
Are There Any Solutions?
Acquiring and subsequently managing cybersecurity technology that can protect all of the OT devices of a company is a big subject and hugely complicated.
It could include software and hardware solutions, both endpoint and cloud-based security, as well as purchased technology and outsourced security as a service (SaaS).