As we look at the convergence of IT and operational technology (OT), I’m seeing more sensors, assets, machines and systems connected to utilities’ networks than ever before. It’s estimated that, by 2026, industrial organizations will employ more than 15 billion new and legacy assets connected to the internet, cloud and 5G. These new sources of data offer more and sharper business insights. However, they’re also expanding the attack surface – that is, the possible points or vectors where a bad actor can enter.
Not only are we seeing more devices, but assets like programmable logic controllers (PLCs), actuators and sensors are very different from the computing devices attached to typical IT networks. They often lack security features, have weak security credentials and run outdated operating systems. They also require very different change management processes, because 24x7x365 operational demands make it difficult to schedule downtime to upgrade or patch equipment.
Utility companies can’t secure what they don’t know about. Lacking visibility and a concise inventory increases their cybersecurity risk. Building a stronger security foundation starts with gaining a comprehensive understanding of all the assets and devices in a network – and their respective vulnerabilities.
Exploring the challenges
Gaining the right level of visibility in OT environments is hindered by several challenges. These include:
Legacy systems: I’ve observed that many utilities still rely on legacy technologies and equipment that weren’t designed for today’s cybersecurity needs, like hardware in power plants that’s so outdated you can no longer purchase replacement parts for it. These systems often lack inherent monitoring and logging capabilities.
Limited bandwidth: OT networks don’t always have sufficient bandwidth for monitoring and data transfer, which can inhibit the ability to implement real-time monitoring solutions.
Proprietary protocols: Utilities often use proprietary communication protocols that might not be documented well and may not be easily accessible for monitoring and analysis.
Silos and isolation: OT and IT networks are frequently isolated from one another for security reasons. This can actually make it more difficult to access and monitor OT systems remotely. Isolation is hard to keep comprehensive, meaning there is still a risk of lateral movement and contagion.
Constrained resources: Most utilities are engaged in a constant struggle to do more with less. They often lack the budget and resources needed to invest in comprehensive monitoring systems, training and personnel.
Insufficient expertise: There’s a global gap of 3.4 million skilled cybersecurity professionals overall, according to ISC(2). Finding security experts with a specific knowledge of OT environments is even harder.
Safety and availability requirements: Utilities are part of critical infrastructure. Uptime is essential and teams must find ways to implement monitoring solutions that don’t interrupt operations, especially since maintenance windows can be limited and heavily scheduled.
Gaining the needed visibility
All of this can seem daunting, but it’s not an insurmountable challenge. A good place to start is with these best practices.
Conduct an inventory: Start by identifying the specific assets and protocols used in an OT environment. This can include everything from distributed control systems (DCS) to industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems and more. It also includes common IoT devices like security cameras, printers and HVAC systems. Doing this manually can be an arduous and time-consuming process, but there are tools that combine machine learning with crowdsourced telemetry to identify the company’s IT and OT assets, apps and users.
Use a solution that’s built for OT and is easy for OT teams to understand: When evaluating potential solutions for asset visibility, it’s important to select one that is meant for OT systems and professionals. Look for a solution that can recognize both standard asset types and OT/ICS applications and provides reporting tools that fit OT needs.
Look for a comprehensive tool: Solution sprawl has become a major problem for many utility companies today. Many of these tools don’t integrate with one another, leading to silos. An integrated approach helps address this and ensures you can cover multiple environments.
Deploy as few sensors as possible: Be judicious in the deployment of additional sensors, which can be difficult to roll out and add additional complexity. There are solutions today that don’t require additional sensors and can provide a more streamlined option for data collection, saving time and money.
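As an added illustration of the inventory and sensor-light points above (example code written for this post, not from any vendor product), the Python script below builds a passive asset inventory from flow records that an existing firewall or NetFlow collector already produces, classifies hosts by the ICS protocols they serve or speak, and reconciles the result against a declared asset list. All IP addresses, asset names and flows are constructed, and the port-to-protocol map is a first pass, not a complete one.

```python
from collections import defaultdict

# Well-known ICS/building-automation service ports (a first-pass map, not exhaustive).
ICS_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 102): "S7comm (ISO-TSAP)",
    ("tcp", 4840): "OPC UA",
    ("udp", 47808): "BACnet/IP",
}

# Constructed flow records (src_ip, dst_ip, proto, dst_port), as exported by an existing collector.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", "tcp", 502),
    ("10.10.1.5", "10.10.2.21", "tcp", 502),
    ("10.10.1.6", "10.10.2.30", "tcp", 20000),
    ("10.10.1.6", "10.10.2.31", "udp", 47808),
    ("10.10.9.99", "10.10.2.20", "tcp", 502),  # host nobody declared, talking Modbus to a PLC
    ("10.10.1.5", "10.10.2.20", "tcp", 22),    # non-ICS service on a PLC, still worth recording
]

# Constructed "declared" asset list, e.g. from a CMDB or engineering drawings.
DECLARED_ASSETS = {
    "10.10.1.5": "HMI-1", "10.10.1.6": "HMI-2", "10.10.2.20": "PLC-A",
    "10.10.2.21": "PLC-B", "10.10.2.30": "RTU-1", "10.10.2.31": "BMS-1",
    "10.10.2.40": "PLC-C",  # declared but never seen on the wire
}

def build_inventory(flows):
    """Map each observed IP to the protocols it serves (responder side, typically a
    PLC/RTU) and speaks (initiator side, typically an HMI or engineering station)."""
    inv = defaultdict(lambda: {"serves": set(), "speaks": set()})
    for src, dst, proto, dport in flows:
        name = ICS_PORTS.get((proto, dport), f"{proto}/{dport}")
        inv[dst]["serves"].add(name)
        inv[src]["speaks"].add(name)
    return dict(inv)

def reconcile(inventory, declared):
    """Unknown: seen on the network but not declared. Silent: declared but never seen
    (offline, decommissioned, or on a segment the flow source does not cover)."""
    unknown = sorted(ip for ip in inventory if ip not in declared)
    silent = sorted(ip for ip in declared if ip not in inventory)
    return {"unknown": unknown, "silent": silent}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    print(reconcile(inv, DECLARED_ASSETS))
```

Both lists from reconcile() deserve a follow-up: an unknown host speaking Modbus to a PLC is a visibility gap at best, and a silent declared asset may mean the flow source does not cover that segment.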
The road to cybersecurity for utilities can seem like a long and arduous one, but getting it right is critical. And comprehensive visibility is that important first step that will guide you through this journey.