Industrial Organizations Need Converged IT/OT Cybersecurity Strategies

By Sid Snitkin

Keywords: Cyber-Resilient Industrial Operations, IT/OT Cybersecurity Convergence, IT/OT Cybersecurity Platforms, Palo Alto Networks, ARC Advisory Group.

Summary

Ensuring the security of industrial operations has never been more important and challenging. Convergence of IT and OT security programs is essential to deal with today’s and tomorrow’s challenges. The dramatic rise in cyber-related operational disruptions shows that industrial operations have become prime targets for cybercrime and cyberwarfare. Adoption of new developments like remote workers, cloud applications, IoT, and 5G have already expanded connectivity requirements to the point that isolation-based security is no longer an option.

Converged IT/OT Cybersecurity

Today’s OT systems face the same security challenges as IT and demand comparable cybersecurity capabilities. This includes visibility of all assets regardless of where they are located or how they are connected; micro-segmentation capabilities that enable granular policies and isolation; zero trust; and rapid threat detection and response. Converging IT and OT cybersecurity programs is the best way for companies to achieve these goals, and it will simultaneously improve the company’s overall security posture and reduce costs. 

Some industrial companies have already taken steps to converge IT and OT cybersecurity programs, particularly by sharing limited cybersecurity resources. OT groups generally support these efforts, but they have been reluctant to accept IT cybersecurity technologies in OT environments out of concern that those technologies do not address OT-specific security issues. While this was true in the past, today’s IT security platforms have been enhanced with fit-for-purpose capabilities to support the needs of industrial operations. This includes IT, OT, IoT, edge, and cloud assets as well as the full range of communication methods and protocols used in industry, like LAN, WAN, Wi-Fi, and cellular (LTE/5G). ARC recently discussed these issues with Palo Alto Networks executives. A summary of how this company is enabling effective convergence of industrial cybersecurity programs is included to demonstrate that comprehensive security platforms are available that can meet the needs of industrial operations. 

Cybersecurity Requirements for Today’s Industrial Operations

Today’s industrial operations are facing two major cyber threats. Cybercriminals are attacking industrial IT systems with ransomware, to disrupt the company’s ability to support meaningful operations and encourage payment of exorbitant ransoms. Nation-states are launching cyberwarfare attacks on OT systems to disable critical infrastructure operations, like power systems. These cyber threats involve sophisticated attackers who can find and rapidly exploit any security gaps. Industrial companies need mature IT and OT cybersecurity programs to ensure that operations are properly protected. 

OT and IT Require Comparable Cybersecurity Maturity

ARC’s Industrial/OT Cybersecurity Maturity Model provides a useful tool for understanding and managing the status of industrial cybersecurity programs. This model provides a roadmap for implementing the security technologies and human resources needed to support the NIST Cybersecurity Framework recommendations. 

The steps in ARC’s model show the different cybersecurity technologies needed to achieve specific security goals. The colors distinguish passive defensive measures that are needed to protect systems against conventional hackers, from active defense capabilities that are needed for more sophisticated attacks. The model also illustrates the cybersecurity management solutions that are needed to maintain defenses and enable rapid response to new threats. The top line shows the human resources required to support different maturity levels. 

A key benefit of the ARC model is how it highlights the need to maintain alignment of people, processes, and technology capabilities. The effectiveness, or maturity, of a cybersecurity program is determined by the category with the lowest maturity score. 

(Figure: Converged IT/OT Cybersecurity)

The typical maturity levels of industrial IT and OT programs are indicated for comparison. OT cybersecurity program maturity lags IT in every program category and these gaps need to be addressed to deal with today’s industrial cyber risks. 

Use IT/OT Cybersecurity Convergence to Close the Gaps

Converging IT and OT cybersecurity programs may not be the only way to address OT cybersecurity gaps, but it is the best. The enhanced cybersecurity capabilities it provides will address current OT challenges and ensure that IT and OT cybersecurity strategies stay aligned. This leaves no seams between IT and OT security policies for attackers to exploit and facilitates more effective governance and compliance management.

(Figure: Converged IT/OT Cybersecurity)

Some end users may be concerned that converged IT/OT cybersecurity programs make OT systems more susceptible to the kinds of attacks that plague IT systems, like ransomware. But most OT systems are already connected to IT and already at risk of malware propagation. The inability to quickly assess whether an IT compromise has reached OT has forced companies to shut down operations whenever IT systems have been compromised. Converged IT/OT cybersecurity programs give defenders the broad-based visibility and security tools to detect and contain such incidents earlier in the attack chain. Converged IT/OT cybersecurity programs also give system developers confidence that they can securely adopt new developments like cloud apps, AI, and 5G to improve operational performance. 

While desirable, IT/OT cybersecurity convergence is not a trivial matter. The current OT security situation isn’t due to lack of attention or effort by OT cybersecurity teams. It’s due to significant constraints in OT systems and environments that limit defenders’ ability to properly address recognized security issues. Simply assuming that current IT security programs can be extended to include OT is naïve. But a planned convergence of IT and OT cybersecurity programs that recognizes these challenges can achieve the required cybersecurity across all technology domains. 

Overcoming IT/OT Cybersecurity Convergence Challenges

An effective IT/OT Cybersecurity convergence program addresses all aspects of cybersecurity including people, processes, and technologies.

Overcoming People and Process Differences

Lack of people and cybersecurity expertise has been a longstanding issue for OT security teams. Many industrial operators are unwilling to hire additional people just for cybersecurity. Others have had their efforts frustrated by the global lack of OT cybersecurity experts and the associated high costs. 

Recognizing this situation, many companies have launched programs to leverage their IT cybersecurity resources in support of OT. These efforts have demonstrated that converged IT/OT security teams can be an effective approach. But it requires strategies to overcome cultural differences and training to educate IT cybersecurity experts in OT technologies and the various work practices that need to be followed in operating facilities. 

Security practices also need to be updated to reflect operating constraints. Convergence won’t change the need to delay patching until downtimes, avoid system reboots, and minimize restrictions on access to devices. But fully converged IT/OT cybersecurity programs offer ways to improve security under these constraints. For example, virtual patching can be used to protect at-risk assets until they can be properly patched, and defenders can use IT SASE capabilities to ensure all OT system access is properly authenticated. 

Overcoming IT and OT Technology Differences

Security technology isn’t a panacea, but as the ARC model illustrates advanced security solutions are essential to achieve the cybersecurity maturity needed for today’s industrial facilities. The sophistication of today’s attacks also requires solutions that are fully interoperable and support every modern security technique. 

(Figure: Converged IT/OT Cybersecurity)

Legacy networks represent the biggest obstacle to achieving this goal. They have limited capabilities for isolating assets, blocking attacks, and monitoring network activities. Upgrading networks with modern IT networking solutions that have OT context awareness should therefore be a priority. This will give defenders the visibility and control they need to rapidly detect new threats and the capabilities to isolate and deal with them. Upgraded networks will also enable use of the full suite of IT cybersecurity solutions in OT environments. 

Cybersecurity Platforms Can Ease IT/OT Convergence

The ultimate goal of IT/OT cybersecurity convergence should be to enable consistent cybersecurity across all systems, apps, and activities related to operations. Fortunately, there are cybersecurity platforms available today that address all these issues. But choosing the right platform is essential. These platforms were developed by IT cybersecurity companies, and users need to make sure the supplier fully understands OT requirements and has implemented the functionality enhancements needed to respect and address them. Following the technology breakdown in ARC’s Industrial Cybersecurity Maturity Model, ARC recommends that users consider the following OT requirements in selecting an appropriate IT/OT cybersecurity platform: 

Asset Inventory

  • Non-disruptive asset discovery for OT system devices with automatic recognition and data collection from common industrial devices. 

  • Integrated OT, IT, and IoT asset maps that support industrial perspectives like the hierarchical Purdue model.

Endpoint Protection

  • Endpoint protection solutions that can protect managed devices used in OT, such as engineering workstations, HMIs, and historian servers. 

  • Ideally, IT/OT cybersecurity convergence will support use of cloud-based EDR, but companies may have certain facilities and concerns where they prefer to restrict such use.

Network Security

  • Network segmentation that supports common industrial architectures, like the hierarchical Purdue Model. 

  • Network firewall policies that support granular rules and use of industrial commands. 

  • Virtual patching capabilities to protect legacy OT assets that can’t support endpoint protection or have unmanaged vulnerabilities.

  • Consistent security across multiple communication technologies including wired, Wi-Fi, and cellular. 

  • Support for centralized management of security across all network devices, whether at the DMZ, plant floor, remote access gateway, cloud or cellular network. 
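The Network Security requirements above (Purdue-aware segmentation, granular rules that understand industrial commands, and virtual patching for assets that cannot be patched) come down to one decision per packet. The Python below is an added example, not code from this report or from Palo Alto Networks: it maps source and destination into hypothetical Purdue-style zones, pulls the Modbus function code out of a Modbus/TCP payload, and allows traffic only when the zone pair, the source host and the function code all match a rule, with default deny otherwise. The subnets, the engineering workstation address (10.2.0.50), the rules and the sample packets are all constructed for the example. Dropping the diagnostics function code on the way to a controller that cannot take a firmware patch is the same mechanism a network-layer virtual patch relies on.

```python
"""Zone-aware Modbus/TCP policy check (added example; constructed addressing and policy)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Purdue-style zones. The subnets are an assumption made for this example.
ZONES = {
    "L3_site_ops": ip_network("10.3.0.0/16"),
    "L2_supervisory": ip_network("10.2.0.0/16"),
    "L1_control": ip_network("10.1.0.0/16"),
}

# Standard Modbus function codes grouped by what they do to the process.
MODBUS_READ = frozenset({1, 2, 3, 4})          # read coils / discrete inputs / holding / input registers
MODBUS_WRITE = frozenset({5, 6, 15, 16, 23})   # write single/multiple coils and registers, read/write multiple
MODBUS_DIAG = frozenset({8, 43})               # diagnostics, encapsulated interface transport


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_hosts: Optional[FrozenSet[str]]   # None means any host in src_zone
    function_codes: FrozenSet[int]        # Modbus function codes the rule allows


# Hypothetical policy: supervisory hosts may read controllers; only the engineering
# workstation (assumed at 10.2.0.50) may write; no rule allows diagnostics, so they
# are dropped even from the workstation, which is how a virtual patch shields a legacy PLC.
POLICY = (
    Rule("hmi-read-plc", "L2_supervisory", "L1_control", None, MODBUS_READ),
    Rule("ews-write-plc", "L2_supervisory", "L1_control",
         frozenset({"10.2.0.50"}), MODBUS_READ | MODBUS_WRITE),
)


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def modbus_function_code(payload: bytes) -> Optional[int]:
    """Modbus/TCP carries a 7-byte MBAP header (transaction id, protocol id, length,
    unit id) followed by the function code. Protocol id must be 0 for Modbus."""
    if len(payload) < 8 or int.from_bytes(payload[2:4], "big") != 0:
        return None
    return payload[7]


def evaluate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Return (verdict, reason). Default deny: Modbus passes only when the zone pair,
    the source host and the function code all match a rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown-zone"
    if dst_port != 502:
        return "deny", "default-deny"
    fc = modbus_function_code(payload)
    if fc is None:
        return "deny", "malformed-modbus"
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.src_hosts is not None and src_ip not in rule.src_hosts:
            continue
        if fc in rule.function_codes:
            return "allow", rule.name
    return "deny", "default-deny"


# Constructed Modbus/TCP requests (MBAP header + PDU), not captured traffic.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # unit 1, read 10 holding registers
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 1234")   # unit 1, write register 0x10
DIAGNOSTIC = bytes.fromhex("0003 0000 0006 01 08 0001 0000")     # unit 1, restart communications option

if __name__ == "__main__":
    for src, pkt in (("10.2.0.10", READ_HOLDING), ("10.2.0.10", WRITE_SINGLE),
                     ("10.2.0.50", WRITE_SINGLE), ("10.2.0.50", DIAGNOSTIC),
                     ("10.3.0.7", READ_HOLDING)):
        print(src, "->", "10.1.0.5", evaluate(src, "10.1.0.5", 502, pkt))
```

The point a practitioner should take from the evaluator is that "port 502 allowed" is not a policy: the same packet from the same HMI is allowed when it reads and denied when it writes, and a host outside the supervisory zone is denied even for reads. A product that cannot express the function-code dimension cannot implement the virtual patch or the least-privilege rules this section asks for.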

Secure Connectivity

  • The ability to implement zero trust for all communications within OT system networks and those involving external networks and remote parties. This should include least privilege access. 

  • Secure remote access for remote workers that restricts external access to authorized network segments and devices; restricts operations that can be performed by remote workers on internal devices; enables by-invitation-only remote access to internal systems; enables continuous monitoring and termination of all remote sessions; and provides full records of all session users, devices, and activities.

  • Security controls to protect internal devices when they are being used to access external systems, applications, and people, including reducing the risks of workers accessing untrustworthy sites; reducing the risks of workers downloading malware into internal devices; reducing the risks of malicious or accidental loss of confidential information; and blocking malware and ransomware command and control communications with attacker servers. 

Anomaly Detection

  • Ability to detect and alert defenders of anomalous behaviors within endpoints, network devices, and network communications. 

  • Ability to correlate anomaly alerts across all operational assets including OT, IT, Cloud, and IoT devices.

Vulnerability Management

  • Broad-based visibility of security risks across all operational assets including OT, IT, cloud and IoT devices. 

  • Ability to ensure consistent cybersecurity governance across all IT, OT, cloud, and IoT assets regardless of where and how they are deployed.

Threat Management

  • Support for OT cybersecurity threat advisories and the ability to rapidly assess their relevance and importance across all the company’s operations. 

  • Ability to perform remote forensics and remediation on OT system assets. 

Palo Alto Understands and Supports OT Cybersecurity Needs

Palo Alto Networks is a global cybersecurity leader with an extensive portfolio of networking and cybersecurity solutions that span the technologies used across modern industrial operations. The company provides an integrated security platform that protects tens of thousands of organizations across industries, clouds, networks, and devices, and it is also empowering a growing ecosystem of cybersecurity partners. 

The Palo Alto Networks approach to securing industrial operations builds on their extensive portfolio of security products, knowledgeably enhanced to address the unique needs of OT and IIoT. It can rightfully be viewed as an IT/OT cybersecurity platform as described in this report. They have ensured that their solutions align with key industrial standards (IEC 62443, NIST 800-82) and the combination of their Zero Trust methodology, suite of NGFW products, coupled with their Cortex Security Platform and the Industrial OT Security service provides a solution for securing all users, assets, applications, and data that are critical for meaningful industrial operations. 

Palo Alto Networks has extensive experience in supporting the needs of industrial companies. This includes development of ruggedized industrial security products for use within operating facilities and ongoing developments of solutions to support the multitude of new cloud, IoT, and mobile assets being deployed by industrial companies in their pursuit of operational excellence through digital transformation and Industry 4.0 initiatives. 

(Figure: Converged IT/OT Cybersecurity)

Next Generation Firewalls

Palo Alto Networks offers a full line of next-generation firewalls (NGFW) in various forms that are built with advanced security features for threat detection and prevention. The company’s Industrial OT Security subscription adds extended capabilities designed specifically for industrial needs, like deep packet inspection of industrial protocols and autodiscovery of OT and IIoT devices. The company also offers security for containers, cloud apps, and 5G devices. Unlike existing visibility-only OT sensor solutions, Palo Alto Networks’ integrated approach bridges asset visibility and policy/security into the same device, thereby helping organizations manage risk versus just being made aware of an issue.

The company’s Panorama solution provides on-premises, centralized network security management across all firewalls and firewall types. This solution enables efficient policy development and management. It also helps companies ensure consistent security across all critical operations assets. For those that also use Palo Alto Networks’ Prisma Access SASE offering for OT remote operations, the Strata Cloud Manager platform provides unified management of SASE, cloud, and on-premises firewalls. 

Palo Alto Networks’ Prisma Access solution supports full secure service edge capabilities, including a secure web gateway, zero trust network access (ZTNA), and a cloud access security broker (CASB). It can be deployed as a plug-in for Panorama or as a stand-alone cloud-based management offering.

The company’s App-ID, User-ID, Device-ID, and Content-ID approach to analyzing and securing traffic through the NGFWs provides in-depth visibility across applications, users, and assets. This visibility includes industrial applications and enables consistent least-privilege, granular access control across industrial operational assets wherever they are located, in plants, remote sites, or the cloud.

Industrial OT Security Services

Combined, Industrial OT Security and the NGFW provide visibility of assets, applications, and users across a facility. This includes conventional OT assets, such as HMIs, PLCs, RTUs, and IIoT devices. The Industrial OT Security service provides an accurate asset inventory, determines asset risk, and understands ICS application flows to help baseline normal network behavior, provide policy recommendations, and detect anomalous activity. This information can also be used to provide zero trust with granular least-privilege access. In situations where facilities can support cloud-delivered security services, defenders can leverage global intelligence to filter content as well as detect threats and attackers. 

These services automatically create protections against new threats and attacks in addition to continuously updating endpoint, network, and cloud sensors. Advanced Threat Prevention prevents malware, exploits, data exfiltration, and C2 (command and control) communications. To protect against unknown threats, Palo Alto Networks’ WildFire solution provides a virtual sandbox environment, and companies preferring not to use the cloud service directly can deploy a WildFire appliance on-premises.

A key differentiator for Palo Alto Networks’ Industrial OT Security service is its cloud-based ML architecture, which increases speed and accuracy of asset detection, flexibility to accommodate IT and OT assets, and scalability to support large and small OT infrastructures. Because the NGFW sensor is simultaneously the enforcement point, Palo Alto Networks’ approach provides native protection of assets, in contrast to other OT sensor deployments that provide only visibility and are dependent on other products for protection. 

The Industrial OT security service also provides visualization of ICS asset communications across the OT process hierarchy (Purdue model) so that security teams can visualize assets and communication patterns in a familiar ICS context. This view can also highlight unwanted communications, spotlight vectors for lateral movement, and visualize before and after scenarios such as segmentation. Continuous monitoring of the ICS communication flows with ML-based profiling and behavior baselining enables the service to identify any anomalies or movement away from the baseline. 
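The baselining and deviation logic described here, and the alerting and correlation asked for under the Anomaly Detection requirements earlier in the report, can be shown in a small runnable form. The Python below is an added example, not Palo Alto Networks code, and it uses a plain statistical baseline (the median polling interval of each source/destination/function-code conversation, plus the set of assets seen) rather than the ML profiling the service describes. It learns from a constructed window of flow records and then flags three classic OT deviations in a second window: a host never seen before, a known client issuing a function code it never used (rated higher when it is a write), and a known conversation arriving far faster than its learned interval. All addresses, timestamps and thresholds are constructed for the example.

```python
"""Baseline-and-deviation check for ICS flow records (added example; constructed data)."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[float, str, str, int, int]          # (timestamp_s, src_ip, dst_ip, dst_port, modbus_fc)
Conversation = Tuple[str, str, int, int]         # (src_ip, dst_ip, dst_port, modbus_fc)
MODBUS_WRITE = {5, 6, 15, 16, 23}                # standard Modbus write function codes


def make_polls(src: str, dst: str, fc: int, start: float, count: int, interval: float) -> List[Flow]:
    """Constructed helper: one client polling one server at a fixed interval."""
    return [(start + i * interval, src, dst, 502, fc) for i in range(count)]


# Learning window (constructed, not captured): an HMI reads two PLCs once a second,
# and an engineering workstation writes PLC1 a few times. Addresses are assumptions.
LEARNING: List[Flow] = (
    make_polls("10.2.0.10", "10.1.0.5", 3, 0.0, 60, 1.0)
    + make_polls("10.2.0.10", "10.1.0.6", 3, 0.5, 60, 1.0)
    + make_polls("10.2.0.50", "10.1.0.5", 16, 7.0, 3, 20.0)
)

# Detection window (constructed): normal PLC1 polling, plus three deviations.
DETECTION: List[Flow] = (
    make_polls("10.2.0.10", "10.1.0.5", 3, 100.0, 30, 1.0)
    + [(105.2, "10.2.0.10", "10.1.0.5", 502, 6)]                # HMI writes a register it never wrote before
    + [(106.0, "10.2.0.99", "10.1.0.5", 502, 3)]                # host never seen in the learning window
    + make_polls("10.2.0.10", "10.1.0.6", 3, 110.0, 30, 0.01)   # PLC2 polled 100x faster than learned
)


def learn_baseline(flows: List[Flow]) -> Tuple[Dict[Conversation, Optional[float]], Set[str]]:
    """Per conversation, the median inter-arrival interval (None if seen only once),
    plus the set of every asset that appeared in the learning window."""
    stamps: Dict[Conversation, List[float]] = defaultdict(list)
    for ts, src, dst, port, fc in sorted(flows):
        stamps[(src, dst, port, fc)].append(ts)
    baseline: Dict[Conversation, Optional[float]] = {}
    for conv, times in stamps.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        baseline[conv] = median(gaps) if gaps else None
    assets = {ip for _, src, dst, _, _ in flows for ip in (src, dst)}
    return baseline, assets


def detect(flows: List[Flow], baseline: Dict[Conversation, Optional[float]],
           assets: Set[str], burst_factor: float = 10.0) -> List[Tuple[str, str, Conversation]]:
    """Return deduplicated (severity, reason, conversation) findings, sorted for stable output."""
    findings: Dict[Tuple[str, Conversation], Tuple[str, str, Conversation]] = {}
    seen: Dict[Conversation, List[float]] = defaultdict(list)
    known_pairs = {(src, dst) for src, dst, _, _ in baseline}

    for ts, src, dst, port, fc in sorted(flows):
        conv = (src, dst, port, fc)
        seen[conv].append(ts)
        if src not in assets or dst not in assets:
            findings.setdefault(("new-asset", conv), ("high", "new-asset", conv))
        elif (src, dst) not in known_pairs:
            findings.setdefault(("new-conversation", conv), ("high", "new-conversation", conv))
        elif conv not in baseline:
            sev = "critical" if fc in MODBUS_WRITE else "medium"   # an unexpected write can change the process
            findings.setdefault(("new-function-code", conv), (sev, "new-function-code", conv))

    # A known conversation arriving far faster than its learned interval looks like a scan or a flood.
    for conv, times in seen.items():
        expected = baseline.get(conv)
        if expected and len(times) > 2:
            observed = median([b - a for a, b in zip(times, times[1:])])
            if observed * burst_factor < expected:
                findings.setdefault(("rate-burst", conv), ("medium", "rate-burst", conv))
    return sorted(findings.values())


def run_example() -> List[Tuple[str, str, Conversation]]:
    """Learn from the constructed learning window, then score the constructed detection window."""
    baseline, assets = learn_baseline(LEARNING)
    return detect(DETECTION, baseline, assets)


if __name__ == "__main__":
    for severity, reason, conv in run_example():
        print(f"{severity:8} {reason:18} {conv}")
```

Two design points carry over to any real deployment. The baseline must be learned from a window the team has confirmed is clean, otherwise an attacker who was already present is baselined as normal; and severity should depend on what the deviation can do to the process (a first-ever write from an HMI outranks a first-ever read), which is why the example ties severity to the function code rather than to the statistics alone.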

The Palo Alto Networks security platform also includes the Cortex security operations center product suite, which can empower security teams with the advanced detection, investigation, and response capabilities needed for today’s challenging industrial threat environment. When this is combined with Industrial OT security, companies get SOCs with broad OT and IIoT asset visibility, asset context, and continual risk assessment. This enables active defense against cyber-attacks across the entire enterprise, inclusive of Industrial infrastructure. The network security platform can be applied in new and existing brownfield facilities to facilitate IT/OT cybersecurity convergence. 

Recommendations

Threats to industrial operations have outpaced the capabilities of most OT cybersecurity programs. Facilities lack the advanced security technologies and cybersecurity management tools required to defend operations against ransomware and sophisticated cyberwarfare attacks. They also lack the people and expertise to ensure security of digital transformation efforts and expanded use of remote workers. Today’s OT security teams face the same security challenges as their IT counterparts, and they require comparable capabilities. Convergence of IT and OT cybersecurity programs is the best way to address OT security gaps.

(Figure: Converged IT/OT Cybersecurity)

While some companies are already converging IT and OT cybersecurity teams, this isn’t enough for today’s challenging threat environment. Industrial companies need complete convergence that includes IT-level security solutions and processes. Upgrading OT networks with advanced IT network security capabilities is the first step. This will increase visibility of cyber risks, enable modern security strategies like zero trust, address new digital transformation developments like 5G, and provide the foundation for use of advanced IT cybersecurity solutions for protection, detection, and response. No industrial company can afford to ignore the growing risks of cyber incidents disrupting their operations. 

This report discussed the major weaknesses in OT cybersecurity people, processes, and technologies and the need for converged IT/OT cybersecurity programs. It also noted the importance of implementing an IT/OT cybersecurity platform to ensure end-to-end security and offered recommendations for selecting an appropriate supplier. The review of Palo Alto Networks solutions shows that there are companies that offer security platforms that support the unique requirements of OT systems. So, the biggest risk to industrial operations is users ignoring the urgency of addressing these critical issues.


ARC Advisory Group clients can view the complete report at the ARC Client Portal.
