Securing OT and IoT

  • Posted on Wednesday 6 October 2021
  • Reading time 6 minutes

Operational Technology (OT) is the hardware and software that controls and monitors physical processes and devices (valves, pumps, conveyor belts, sensors, etc.). It is most often found in industrial control systems, which makes it essential for safe and smooth daily operations. The facilities that affect our daily lives, also known as critical infrastructure, run on OT: the electric grid, water plants, public transportation, and the chemical and food industries are examples.

OT has existed since the industrial revolution. It has certainly evolved, but it has always been a conservative realm, for good reason: safety and availability are its primary concerns.

What a contrast to Information Technology (IT: your tablet, mobile phone, smart TV and their software), which, since the 1970s, with processing power roughly doubling every two years plus the opening up of the internet and wireless communications, has grown exponentially and now shapes our daily lives and the way businesses are run.

The rapid evolution of IT has a side effect, though: enabling your laptop to connect to every IP address in the world reciprocally means that every IP address in the world can connect to your laptop. With malicious actors (people and computer programs) around, this raises the need to ensure the confidentiality, integrity and availability of your data, collectively known as security.

For about a decade now there has also been the Internet of Things (IoT): the network of appliances and devices (think of your ConnectedCar, your iFridge, your iCoffeeMachine) that have processing power on board and are capable of autonomously exchanging information with the internet.

OT - not on an island anymore

“Industry 4.0”, which brings IoT and cloud computing, integrates IT, IoT and OT. OT, traditionally disconnected by an air gap, is now connected to the company’s IT network. This brings easier maintenance and remote control, feeds OT data into IT business applications, and allows for even faster adaptation and optimization of production processes.

However, by connecting OT to IT, with IT’s inherent security challenges, OT is also exposed to the same threats.

Connecting OT and IT creates both opportunities and risks. Characteristic of OT systems (sometimes also referred to as Old Technology) is their lack of visibility. OT systems have often grown organically over decades, use “dumb” components with little on-board processing power, and sit in networks that are poorly documented. The latter becomes understandable once one realizes that availability of the industrial process is the watchword in OT, so halting production to make an up-to-date inventory has often been out of the question.

OT and IT are inextricably linked. Where IT is the computing power behind your network, hardware, software, internet lines and the people managing them, OT takes care of the physical processes. Without IT, we would not be able to diagnose problems in real time or monitor for discrepancies in our OT. If the OT configuration is (partly) unknown, if entry points are not secured, if (OT) software is out of date and unpatched, or if problems go unsolved, this can spell costly vulnerabilities for companies.

OT Security at stake

OT security ensures that your operations are safe and maintain optimal uptime. When we ignore this critical piece of safety infrastructure, we have created the hacker’s dream. In early 2021, a public water plant in Oldsmar, Florida was hacked and fluoride levels were increased to toxic levels. Luckily this was caught before the water was released to residents. The vulnerability was due to the plant using outdated software, with OT and IT connected via an inadequately secured network.

These vulnerabilities are not brand new. In 2016, a power outage in Ukraine affecting nearly 225,000 customers was caused by hackers. To carry out the attack they used malware that enabled remote intrusion and covered their tracks. Due to vulnerabilities in Ukraine’s national grid infrastructure, hacks such as these are not too difficult to carry out.

The Colonial Pipeline attack on May 7th in the United States stunted fuel deliveries across the East Coast. The hackers used a legacy VPN to exfiltrate information from the company’s internal drive and demanded $5 million to have the files returned. Before the payment could happen, thousands of miles of pipeline were shut down in the hope of isolating and containing the attack. This, of course, was disastrous, as gas stations struggled to meet demand and airline routes were disrupted.

These attacks do not have to target water and power facilities; cyber threats to OT can also impact supply chains. Preventing logistics software from running or critical deliveries from taking place puts food supply chains at risk. At the customer level this may be a nuisance; at the supplier level it will damage reputation and may lead to costly claims.

When doors are left open

Ensuring that software is up to date is not enough anymore. OT security is key to protecting your assets, but it has not been sufficiently emphasized until recently. Hackers are able to enter the IT domain through phishing emails and untrusted websites. Once they have crossed the threshold into the business’s systems, they move laterally to the OT controls and start making malicious changes (hint: the fluoride levels at the water plant). Once they are in the system they can manipulate controls to the point of causing failures or disasters, or demand a ransom.

How “Azure Defender for IoT” can help

How can companies using OT best protect themselves against the risks that come with such vulnerabilities? Avanade recommends “Azure Defender for IoT”. Although the name is confusing, Azure Defender for IoT can help protect both OT and IoT devices and networks, providing comprehensive security across all your devices. It is also able to identify every piece of infrastructure you own in these networks, increasing the visibility of all assets in your (OT and IoT) networks. With your assets visible and recognized, it becomes significantly easier to optimize what exists and to monitor every entry and exit.

Azure Defender for IoT works both with agents and agentless. The agent is typically integrated into newly purchased OT and IoT devices. The agentless method relies on sniffing and analysing all traffic in your OT and IoT networks through SPAN (port mirroring) ports on your switches. Traffic flows unidirectionally from the switch to Azure Defender for IoT, ensuring enhanced security and ISA-95 compliance.

This way, Azure Defender for IoT can be deployed easily without making any changes to your existing devices. You can keep everything you have without having to invest in anything new. Defender for IoT monitors all your devices, understanding the protocols and learning the patterns of operational behaviour so that discrepancies can be flagged immediately. This does not change the traffic in your operational network: it monitors passively, so your network runs just as fast as before.
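As an added illustration (not Azure Defender for IoT code, nor any other product’s), the following Python sketches the passive learn-then-alert logic described above: a baseline of conversations and operations is learned from traffic seen on a mirror port, and later records are flagged when they deviate from it. All hosts, protocols, operations and records are constructed for the example.

```python
"""Passive baseline-and-alert monitor over mirrored OT traffic (added example).
Flow records are assumed to arrive from a SPAN/mirror port; here they are
constructed inline as (src_ip, dst_ip, dst_port, protocol, operation)."""
from collections import defaultdict
# Constructed learning window: an HMI polling two PLCs over Modbus/TCP with
# read-only function codes, plus an engineering station reading one PLC via S7.
LEARNING_WINDOW = [
    ("10.1.1.10", "10.1.2.20", 502, "modbus", "read_holding_registers"),
    ("10.1.1.10", "10.1.2.21", 502, "modbus", "read_holding_registers"),
    ("10.1.1.10", "10.1.2.20", 502, "modbus", "read_coils"),
    ("10.1.1.11", "10.1.2.20", 102, "s7comm", "read_var"),
] * 25  # the same polling cycle repeated, as a steady OT network would show

def learn_baseline(records):
    """Return (conversation -> allowed operations, set of known hosts)."""
    convs = defaultdict(set)
    for src, dst, port, proto, op in records:
        convs[(src, dst, port, proto)].add(op)
    hosts = {host for key in convs for host in key[:2]}
    return convs, hosts

def classify(record, baseline):
    """Return None for baseline-conforming traffic, else an alert string.
    Ordered from most to least suspicious: unknown host, known host opening a
    new conversation, known conversation carrying a never-seen operation."""
    convs, hosts = baseline
    src, dst, port, proto, op = record
    key = (src, dst, port, proto)
    if src not in hosts:
        return f"unknown host {src} contacting {dst}:{port}/{proto}"
    if key not in convs:
        return f"known host {src} opened new conversation to {dst}:{port}/{proto}"
    if op not in convs[key]:  # e.g. a write where only reads were ever observed
        return f"new operation {op!r} on baseline conversation {src} -> {dst}"
    return None

def monitor(records, baseline):
    """Run detection over a window of records; alerts are returned in order."""
    return [a for a in (classify(r, baseline) for r in records) if a]

# Constructed detection window: a normal poll, the HMI issuing a write, and a
# host that was never part of the baseline talking Modbus to a PLC.
DETECTION_WINDOW = [
    ("10.1.1.10", "10.1.2.20", 502, "modbus", "read_coils"),
    ("10.1.1.10", "10.1.2.20", 502, "modbus", "write_single_register"),
    ("10.1.3.5", "10.1.2.20", 502, "modbus", "read_coils"),
]
def demo():
    """Learn from the quiet window, then monitor the suspicious one."""
    return monitor(DETECTION_WINDOW, learn_baseline(LEARNING_WINDOW))
```

A real deployment would learn over a much longer window and feed the alerts into a SIEM rather than returning them as strings.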

Azure Defender for IoT integrates with Azure Sentinel and other SIEM systems to generate alerts and inform security operations. What does this mean? You get a helicopter view of the boundaries that directly shows whether anyone or anything is trying to manipulate them. Instead of receiving a ransom notice, you are able to catch issues as they happen and better defend your assets in the future.

How to get started?

It is possible to get started immediately, gain visibility and protect both your legacy devices and the newest ones. With Defender for IoT monitoring and analysing your environment, every type of device is protected and understood in terms of its behaviour and vulnerabilities. For the first 30 days, agentless monitoring is free for up to 1000 devices. After the introductory period, you are charged by the number of devices.
