Mind the Gap – Security at the IT/OT Boundary
There is a long history of attacks against organisations that deliver critical infrastructural services, and these are becoming more frequent, sophisticated, and targeted. Barely a week passes without news of a new attempt to compromise a critical industry organisation. From major ransomware attacks to attempts to penetrate industrial networks and directly target operational technology (OT), critical infrastructure is in the cross hairs. Now more than ever, organisations need to ensure the protection of their services from cyberattack.
68% of business leaders feel their cybersecurity risks are increasing.”
One of the most common requirements at the IT/OT boundary is the need to extract historical data or logging information from the OT network for analysis in the IT network. Data travelling in this direction can be assumed to be “safe” and therefore the primary concern is to ensure that the communication channel itself cannot be used by an attacker to jump the electronic air gap and cross from the IT to the OT network.
In normal operations, networked machines are capable of both transmitting and receiving data. Traditionally these communication channels are guarded with either a data diode or a high speed verifier.
The Data Diode is a great one directional flow solution to mitigating the risk that the channel can be used by an attacker to get in. For organisations that require a more resilient solution, and reliable bi-direction communications at the IT/OT boundary the High Speed Verifier is the best solution.
Importing Software Updates
Another common requirement at the IT/OT boundary is the need to import software updates such as Windows/Linux updates and signature updates if required by your data protection solution. A bi-directional gateway can provide an effective solution, ensuring that traffic can flow in both directions between pre-configured update servers residing either side of the boundary.
Secure Monitoring in the Cloud
Managing OT networks and assets from the cloud, whether for the purpose of viewing historical data, or monitoring those assets in real-time or even remotely controlling them, delivers big business benefits. However, to enjoy these benefits, providers of critical infrastructure need to be certain that the links between the OT network and the cloud monitoring platform cannot be used by an attacker to compromise the OT network and assets.
Importing IT Files
The challenge of managing security at the IT/OT boundary becomes far more complex and nuanced when it comes to importing IT files (rich content of the kind used every day in the enterprise network) from IT to OT or supporting bi-directional application protocols.
Office files, PDFs and diagrams are all essential to the smooth operation of plant and machinery. However, this type of complex data is the carrier of choice for cyber attackers intent on getting malware in and establishing remote command and control channels. Sadly, detection-based security defenses all too often fail to detect malware concealed in data and another solution must be found to ensure organisations can be confident they are receiving malware-free data.
According to Brian Krebs:
On average, antivirus software is only 25% successful at detecting malware.
Rather than trying to detect malware, Forcepoint’s Zero Trust Content Disarm & Reconstruction (CDR) uses a unique process of transformation to only deliver the valid business information that users need. Ensuring the delivery of safe and fully functional content so organizations can have utter confidence in the files they are importing from IT to OT.
Using a combined hardware & software security solution designed to address the above challenges head on, is the best way to ensure security at the IT/OT boundary. At an application level, Forcepoint’s Zero Trust CDR ensures files crossing the boundary are always malware-free, fully revisable and safe from zero-day attacks. The use of a High Speed Verifier solves the need to support bi-directional protocols, and enforces separate data flows along with IP breaks to secure the communication channel at a network level. As a further safeguard, each file is verified as safe in hardware logic (something that can’t be remotely compromised or manipulated by an attacker) creating an incredibly small attack surface.
Fortifying the IT/OT Boundary
For organisations that are responsible for the critical infrastructure on which we all depend, the IT/OT boundary has long been a potential Achilles heel. At Forcepoint we believe the risk is best mitigated utilising a combined hardware and software solution that includes, both a High Speed Verifier or Data Diode and Zero Trust CDR.
Forcepoint's Critical Infrastructure solution enables organisations to fortify the IT/OT boundary, and still enjoy the benefits of Industry 4.0 and digital transformation – request a demo today.
Download the “Securing Critical Infrastructure from Cyberattack” eBook for free.