Wednesday, August 12, 2015

Best practices in IT/OT integration for ICS

Applying IT-style cybersecurity defenses to operations technology (OT) networks is not an effective way to ensure reliable operation of industrial control systems. Thus, OT cybersecurity practices are always evolving to address these concerns. For more on Waterfall’s perspective on the IT/OT challenge, check out some of our media articles.

  • Firewalls alone are not enough to protect our industrial control systems from hackers. While you might think that firewalls and encryption will keep your industrial control systems secure, these forms of protection are essentially software, which can contain bugs and, even worse, be hacked. Software-based firewalls have many limitations, all of which are common knowledge to anyone with an elementary awareness of cybersecurity. For example, a recent German steel mill attack showed that hackers were able to compromise industrial corporate and production networks, and it solidified the need for safe integration of IT networks and operations technology (OT) networks. To find out more about the implications of firewall use, check out my recent article in BetaNews, “Cybersecurity best practices for facilitating IT/OT integration.”
  • As software and computer hacking become more complex, so do cyberattacks. Standards and regulations are attempting to solve these problems, but the hackers are becoming much more capable. French ANSSI standards, which forbid the use of firewalls in control system networks, are a recent example of this. However, security practitioners need to consider the technologies in play. We need to ask ourselves if any of our control systems, let alone those in critical infrastructures, are expendable enough to be protected by firewalls. IT/OT integration is the best solution. Read more in my recent article in Utility Products, “What's Wrong With IT-style Cybersecurity Approaches?”
  • While there are some similarities between the hardware and software on corporate and control system networks, the characteristics of the two are quite different. The main difference is control: control system networks govern the physical world, while corporate systems manage data and IT processes. This is why cybersecurity best practices are evolving to recognize the differences between the two types of networks. Standards, like the above-mentioned ANSSI rules and NERC-CIP requirements, are encouraging hardware-enforced unidirectional security gateways. You can read more of my insights into the differences between control and corporate networks, as well as more information about these regulations, in Security Magazine: “Control System Cybersecurity Is Shifting Away from Corporate Thinking.”

Want to stay up to date on critical infrastructure news? Follow us on Twitter.
