When IT and OT Collide

This post was written by Omri Sagron (Senior Information Security Consultant @ Comsec, CISSP Instructor @ ISC2)

Israel, Oct. 4th

Since Charles Babbage's invention of the Analytical Engine, computers have all been built on the same principle, differing mainly in how they take input and produce output. Think of your PC, smartphone, tablet or Apple Watch and compare them with industrial systems such as electrical grid transformers or building management systems. All of them are computer-based systems that process information, but they are definitely not all the same.

There is no question that computerized industrial devices connected to the Internet provide great opportunities for automation and intelligence, but do these age-old systems also introduce many risks? The answer is obviously and simply YES.

The ongoing internet revolution turns billions of devices such as smart meters, production lines, smart buildings and home automation systems into SMART and VULNERABLE access points into critical infrastructures, the very infrastructures we all rely on day by day. It is time to permanently change the way we think about protecting industrial systems from external threats. It is not enough to concentrate protection efforts solely on devices that are physically accessible outside buildings and production factories; the protection strategy must be renewed, emphasizing the security of the full chain from the backbone to the end-points.

Most technical people have a good understanding of what IT (Information Technology) is and of the everyday elements that make it up, ranging from e-mail communication and multimedia presentations to sophisticated data analytics. OT (Operational Technology), on the other hand, is the term for the technology that keeps our power plants running, implements a building's access control, manages factory process lines and, taken together, achieves an industrial objective such as manufacturing, automation, transportation or power generation.

Take as a use case an industrial plant with production lines, including its building and energy management systems. The components of such a plant are computer-based systems that monitor, manage and control various electrical and electromechanical functions within the factory's facility. Typically, ICS (Industrial Control Systems) are implemented in large-scale structures and cover a wide array of critical operational functions, including:

  • Power Distribution and Consumption.
  • Components in Production Line.
  • Heating, Ventilation and Air-Conditioning (HVAC).
  • Factory Energy Management System (FEMS) & Energy Backup.
  • Renewable Energy.
  • Access Control Devices.
  • Illumination.
  • Plumbing.
  • Fire Safety/Extinguishing.

Another example is Building Management Systems (BMS), also known as Building Automation Systems (BAS) [Fig.1]: computer-based systems that monitor, manage and control various electrical and electromechanical functions within a specific facility. Typically, a BMS is implemented in a large-scale structure and covers a wide array of critical operational functions, including:

  • Heating, Ventilation & Air-Conditioning (HVAC).
  • Power Distribution & Consumption.
  • Fire Safety/Extinguishing.
  • Elevator Control.
  • Security, Observation & Surveillance.
  • Illumination Control.
  • Plumbing.
  • Building Access Control.
  • Renewable Energy.


Fig.1 - Building Automation Systems (BAS)

However, while these centralized systems can bring greater efficiency, they are also susceptible to hacking and cyber-attacks because the Operational Technology (OT) landscape now interfaces with IT and wireless networks and with the internet. Since every connected device is potentially vulnerable and controls critical functions within the building, attackers who manage to penetrate the BMS can inflict serious damage on key operations.

Imagine that all those age-old systems are becoming SMART and are connected to internet-based networks. Smart thermostats, smart dryers and other IoT (Internet of Things) devices can now be infected by malware and thereby turned into massive botnets or into vehicles for data destruction and theft. The IoT is not limited to cell phones and tablets; it also includes things like cars, home alarms and appliances. But what about connecting industrial equipment? Like the IoT in general, the IIoT (Industrial Internet of Things) allows broader and more focused use of big data, efficient machine-to-machine communication, and autonomous and semi-autonomous machinery: pumps, turbines, mixers, compressors and robots. Powered by the IIoT, smart manufacturing holds the promise of vastly improving production by capturing all the available real-time and historical information, from the machines and programs on the plant floor to those along the supply chain, and converting that data into actionable insights. Yet even though this connectedness opens the door to cybersecurity risks, manufacturers apparently have not fully embraced proper IIoT security.

The nature of the problem depends on the way this critical infrastructure is designed, developed, modelled, installed and operated. Until recently, companies developing products and components for manufacturing plants put greater weight on operational efficiency and gave relatively little consideration to impending security threats. Consequently, many production lines do not include adequate cyber-security controls and risk mitigation measures. Most of the time, the cyber-security solutions commonly used in today's IT infrastructure cannot be used to protect the OT infrastructure, and a totally different approach is required. Unfortunately, we cannot simply install anti-virus software or an application firewall on a diesel generator. Not to mention the fact that IT experts (including the organization's information security team) are usually not familiar with OT technologies and their specific security issues.

As noted by Tim Conway, technical director, Industrial Control Systems (ICS) Security for the SANS Institute, “When you take people with an IT background and bring them into an industrial control system environment (OT) there’s a lack of understanding from operations why they’re there and there is a lack of understanding of the specific controls environment needs from IT.” (1)

Recent cyber security incidents exploiting the connectivity between IT and OT show how important it is to adjust the ICS security framework to the cyber security risk landscape that already exists and already threatens it. Critical-infrastructure cyber security is definitely a strategic concern that should be taken care of at the international level.

A good example of such an incident, exploiting vulnerabilities in age-old components linked to the network, is the Ukraine Electric Distribution Company Cyber Attack (2), which caused a massive power outage in Ivano-Frankivsk, Ukraine, using a program called BlackEnergy3. The attack succeeded because of the connectivity between the IT networks and the SCADA systems, together with the fact that employees could remotely log into the SCADA network. The attackers operated patiently for six months until they obtained the privileges needed to carry out the attack.

The EU, too, understands that securing all critical infrastructures accordingly is crucial for economic robustness, and it pushes for new solutions along with standardization; hence the CIPSEC project.

CIPSEC project results receive funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.
The opinions expressed and arguments employed in this publication do not necessarily reflect the official views of the Research Executive Agency (REA) or the European Commission.