The recently released National Cybersecurity Strategy (NCS) sets a strategic objective for the federal government to modernize information technology (IT) and operational technology (OT) infrastructure, and to “replace or update IT and OT systems that are not defensible against sophisticated cyber threats.”
In recent years, advances in technology, coupled with the ease of digital connection, have greatly accelerated the convergence of IT and OT across critical infrastructure sectors and within the federal government itself. In fact, 56 out of 90 agencies report using Internet of Things technologies to control, monitor, access, or track equipment, systems, facilities, or physical assets.
Convergence brings significant benefits, from increased visibility to user-centric capabilities. Unfortunately, it also greatly expands agencies’ attack surface, which is why converged IT and OT must now be addressed under the NCS.
IT and OT are not created equal
Lessons learned from modernizing IT won’t transfer directly to OT, because OT has unique operating requirements. Efforts taken under the NCS must consider each domain on its own terms first, and then the two together.
For instance, when an IT system reaches end-of-life, an agency must decide whether to continue using it at risk, pay for extended manufacturer support, or sunset and replace it altogether. Each option has pros and cons, but agencies at least have options and can usually plan accordingly: sunset dates are known in advance, which reduces the risk introduced by timing.
Timing, by contrast, is critical for OT modernization. Gartner predicts that by 2025 cyber attackers will have weaponized OT environments to successfully harm or even kill humans. The ramifications of an attack on IT can be devastating, but they may pale in comparison to the long-term human safety and critical infrastructure impacts of a well-executed attack on OT. We simply don’t have the luxury of time for OT security that securing IT was given over many years.
Additionally, it is often feasible and more cost effective to simply rip and replace an IT system at its end-of-life. Because of how OT systems were designed, rip-and-replace isn’t a viable approach for them. Legacy OT systems were built on the engineering paradigm of twenty years ago: to be long-lasting and to achieve the functional goals of monitoring and controlling critical processes.
Connectivity wasn’t a functional requirement, so neither was security. Times have changed since these systems were put in place, and security risk must now be a design consideration.
Further, because of the nature of what OT systems do, mission continuity means they can’t simply be turned off and replaced with a new, more secure system. Unlike VoIP phones in an office, airplanes and tanks, for example, aren’t mass produced or easy to replace. Even where replacement of in-field OT systems is possible, the effort would take years and the cost would be prohibitive.
Three tenets for OT security
Instead, OT security modernization should focus on augmentation: adding security capability around the systems already in service, particularly defense and weapons systems. Here are a few tenets for agency decision-makers to consider when assessing OT modernization approaches:
— Any given defense or weapons system may contain hundreds of different types of hardware, components and ‘standard’ protocols. Tooling for cyber modernization efforts should not be limited to a subset of them. Chosen solutions should be hardware- and protocol-agnostic: the tool must accommodate the platform rather than forcing the platform to conform to the tool’s limitations.
— Data is the building block of IT network security, and it should be within OT systems as well. Defense and weapons systems continually produce tremendous amounts of valuable data that in raw form isn’t of much use. Once captured, enriched and translated, that data becomes information; coupled with historical data and context, it can become actionable intelligence for critical security decision-making.
— “You can’t protect what you can’t see” is a common IT security maxim that holds true for OT as well. The aim of OT security modernization should be complete observability: the ability to understand what is happening inside a system from the external data the system produces and exposes. Observability lets decisions rest not on backward-looking indicators and uncertain predictions, but on leading indicators that provide facts, knowledge and understanding.
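To make the three tenets concrete, here is an added illustration; it is not code from this article, from Shift5, or from any real platform. It assumes two made-up wire formats (fmt_x and fmt_y), a constructed context table and a constructed history, and shows the shape of the argument: decoders normalize whatever the bus speaks into one record type (hardware- and protocol-agnostic), a context table and historical baseline enrich raw values into information, and the output is a leading indicator (drift) that fires before an engineering limit is crossed.

```python
"""Capture -> enrich -> observe over heterogeneous bus data (illustrative, constructed data)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable
import struct


@dataclass(frozen=True)
class Reading:
    """Protocol-independent record every decoder must produce."""
    node: int      # hardware node address on the bus
    signal: int    # signal identifier within that node
    value: float   # engineering value after decoding
    fmt: str       # wire format it came from, kept for provenance


# Decoder registry: supporting another protocol means registering one function;
# nothing downstream changes, which is what "protocol agnostic" has to mean in practice.
DECODERS: dict[str, Callable[[bytes], list[Reading]]] = {}


def decoder(name: str):
    def register(fn):
        DECODERS[name] = fn
        return fn
    return register


@decoder("fmt_x")  # hypothetical binary format: node(u8) signal(u8) value(u16 big-endian, tenths)
def decode_fmt_x(frame: bytes) -> list[Reading]:
    if len(frame) % 4:
        raise ValueError("truncated fmt_x frame")
    return [Reading(node, sig, raw / 10.0, "fmt_x")
            for node, sig, raw in struct.iter_unpack(">BBH", frame)]


@decoder("fmt_y")  # hypothetical ASCII format: "node,signal,value;node,signal,value"
def decode_fmt_y(frame: bytes) -> list[Reading]:
    out = []
    for rec in frame.decode("ascii").split(";"):
        if rec.strip():
            node, sig, val = rec.split(",")
            out.append(Reading(int(node), int(sig), float(val), "fmt_y"))
    return out


def capture(frames: list[tuple[str, bytes]]) -> list[Reading]:
    """Normalize frames from any registered format. An unknown format fails loudly
    rather than being dropped: a silently undecoded bus is a blind spot."""
    readings: list[Reading] = []
    for fmt, raw in frames:
        if fmt not in DECODERS:
            raise KeyError(f"no decoder registered for {fmt}")
        readings.extend(DECODERS[fmt](raw))
    return readings


# Enrichment context the bus itself never carries (constructed for this example):
# (node, signal) -> (human name, unit, hard engineering limit).
CONTEXT = {
    (0x11, 1): ("hydraulic_pressure", "psi", 3300.0),
    (0x11, 2): ("hydraulic_temp", "degC", 120.0),
    (0x20, 7): ("gen_bus_voltage", "V", 32.0),
}

# Constructed per-signal history standing in for a historical baseline store.
HISTORY = {
    (0x11, 1): [3000, 3005, 2995, 3010, 3002, 2998, 3004, 3001],
    (0x11, 2): [60, 62, 61, 59, 60, 63, 61, 60],
    (0x20, 7): [28.0, 28.1, 27.9, 28.0, 28.2, 27.8, 28.1, 28.0],
}


@dataclass(frozen=True)
class Indicator:
    name: str
    unit: str
    value: float
    kind: str    # "nominal" | "drift" (leading indicator) | "limit" | "unknown"
    detail: str


def assess(r: Reading, sigma: float = 3.0) -> Indicator:
    """One normalized reading -> one indicator. 'drift' fires before the engineering
    limit is reached (the leading indicator); 'unknown' marks a decoded signal we
    have no context for, i.e. an observability gap to close, not something to ignore."""
    key = (r.node, r.signal)
    if key not in CONTEXT:
        return Indicator(f"node{r.node:#x}/sig{r.signal}", "?", r.value, "unknown",
                         "decoded but no platform context")
    name, unit, limit = CONTEXT[key]
    mu, sd = mean(HISTORY[key]), pstdev(HISTORY[key])
    dev = abs(r.value - mu)
    z = dev / sd if sd else (float("inf") if dev else 0.0)   # flat history: any change is drift
    if r.value > limit:
        return Indicator(name, unit, r.value, "limit", f"exceeds engineering limit {limit} {unit}")
    if z > sigma:
        return Indicator(name, unit, r.value, "drift", f"{z:.1f} sigma from baseline mean {mu:.1f} {unit}")
    return Indicator(name, unit, r.value, "nominal", "within baseline")


def observe(frames: list[tuple[str, bytes]]) -> list[Indicator]:
    return [assess(r) for r in capture(frames)]


# Constructed sample capture: two formats, one drifting pressure, one undocumented signal.
SAMPLE_FRAMES = [
    ("fmt_x", struct.pack(">BBHBBH", 0x11, 1, 30600, 0x11, 2, 610)),  # 3060.0 psi, 61.0 degC
    ("fmt_y", b"32,7,28.1;32,9,5.0"),                                  # 28.1 V, then unknown signal 9
]

if __name__ == "__main__":
    for ind in observe(SAMPLE_FRAMES):
        print(f"{ind.kind:8} {ind.name:<20} {ind.value:>8} {ind.unit:<5} {ind.detail}")
```

The design choice worth noting is where the intelligence comes from: neither decoder knows anything about pressure or voltage. The protocol layer only normalizes; the context table and baseline turn numbers into a named, unit-bearing judgement, and the 3060 psi reading is flagged as drift while still well under the 3300 psi limit. The "unknown" kind is deliberate: a signal that decodes but cannot be interpreted is reported as a gap in observability rather than dropped.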
As the interconnection between IT and OT in onboard weapon systems increases, digital threats put previously isolated OT at unprecedented risk. Meeting the objectives of the NCS will require a skillful approach to protecting each separately and both together, to protect our warfighters and preserve American battlefield dominance.
Colby Proffitt is a cybersecurity strategist at Shift5, an Arlington, Virginia-based supplier of computer security services.
Have an opinion?
This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET and Federal Times Senior Managing Editor Cary O’Reilly.