Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 블로그

구독

Securing IT-OT Environments: Why IT Security Professionals Struggle

When providing cybersecurity in converged IT and operational technology environments, it’s critical for infosec pros to understand the differences between the two and utilize a toolset that delivers a comprehensive picture of both in a single view.

If your organization has IT and operational technology (OT) environments, it’s virtually guaranteed that they’re converged, even if you don’t realize it. Gone are the days when OT was air-gapped. Instead, connectivity is delivered through the IT infrastructure, thereby leaving the door wide open for adversaries to reach critical OT infrastructure. And, based on our experience working with organizations around the globe, we believe that IT devices account for approximately half of what’s found in an OT environment these days, making it nearly impossible to draw a hard line between the two.

As a result, an increasing number of IT security professionals suddenly find themselves managing the security program for both environments ― and many are at a complete loss as to where to even start. That’s because IT and OT environments were built differently from the ground up. Consider this comparison:

Comparing IT and OT environments                             

Attribute IT OT
Control Centralized Zone-based
Connectivity Any-to-any Context-based (hierarchical)
Focus Top-down ― operations and systems required to run the business Bottom-up ― plant, processes and equipment required to operate and support the business
Reach Global wide area network (WAN) Local area network (LAN)
Network posture CIA ― confidentiality, integrity, availability AIC ― availability, integrity, confidentiality
Response to attacks Quarantine/shut down to mitigate Non-stop operations/mission critical (never stop, even if breached)
Biggest fear Network intrusion Reduced safety; loss of view/control
Level of cybersecurity maturity High Low
Weakness Stringent security controls Insecure behavior

Source: Tenable, December 2021

So where do you even start? A great first step is to understand the differences highlighted in the table above and consider how those differences might affect attitudes, beliefs and, ultimately, security decisions.

What’s in a name?

The word “security” takes on a different meaning in an OT environment. I will be forever grateful to a friend and former colleague of mine who saved me from making a fool of myself in front of 100 OT practitioners when I was just getting started in IT/OT security. I was reviewing my presentation with her prior to a talk I was preparing to deliver to this audience. In it, my plan was to tell them that OT practitioners needed to start paying attention to, and really prioritizing, security. She explained to me that the OT audience would react negatively to this message. They already consider security to be at the heart of everything they do. So, what was the problem? I was defining “security” in the context of my IT experience, meaning cybersecurity. In the OT world, “security” means safety and physical security. So, one word with vastly different meanings.

Why do IT and OT professionals view “security” so differently?

In IT, data is king, so it stands to reason that the biggest security fear is that there could be a network breach. An adversary gaining access to the network can damage the integrity of the data, exfiltrate it, or even lock it up so that it can’t be accessed by the organization. In contrast, OT environments are inherently more physically dangerous, so the biggest fear is that there could be an accident that disrupts critical operations and possibly jeopardizes employee safety, or that of the community. As a result, OT professionals are highly driven to manage an “always-on” operation, as well as to maintain a high degree of safety ― and, by extension, the physical security controls of the environment.

Vastly different structures

With that background in mind, the rest of the table starts to make a lot more sense. IT security professionals opt for centralized control, providing an infrastructure that can conceivably be used to permit any asset or person to access any other asset, or any data, anywhere on the network. These are wide area networks (WAN) housing the systems and processes required to run the business.

Conversely, OT environments are designed with a great deal more privacy and limited control in mind. These highly segmented environments make it impossible for authorized people and assets to access other assets that are outside their purview. These are local area networks (LAN) that house systems and processes that support the business. Most of these devices are intended to only communicate with other devices within their zone and not with the outside world.

Differing viewpoints

Given their disparate network topologies and definitions of what it means to be secure, it shouldn’t be surprising that the priorities of OT and IT security groups, and their reactions to attacks, are at polar opposites, even within the same organization. While IT security professionals prioritize their world in the form of C-I-A (confidentiality, integrity, availability), OT professionals take the diametric opposite perspective, prioritizing their world as A-I-C. As mentioned above, for IT security, data is absolutely the most important thing, so ensuring its confidentiality and integrity will trump availability every time. But for a safety-conscious OT professional, the operations must always be available to ensure that the environment runs smoothly and without failures that have the potential to lead to catastrophes.

What do these different priorities look like in action? In the event of an attack, IT security pros will quarantine and shut down the affected systems as quickly as possible in an attempt to contain the problem and minimize any data leakage. OT, however, will take the opposite approach by keeping the critical infrastructure running at all times. The only deviation from this strategy, of course, is if the attack causes OT devices to malfunction and possibly present a danger to the business, its employees, or the surrounding community.

Variety of tools

Arguably the biggest challenge faced by IT security professionals as they attempt to get their arms around OT security is the fact that many of their traditional IT security tools don’t work in an OT environment. In fact, the most basic IT security tool of all ― the scanner ― can actually crash an OT network. So, you need to be sure to choose a scanner that’s proven in an OT environment. But then you run the risk of having two sets of security tools, one for each environment. While this will certainly help ensure that you have the right tools for each job, it can become challenging, at best, when it comes to managing them all, and ensuring that your staff is trained to use them all properly.

Then comes the true complication ― figuring out how to merge all of the disparate data, from the two completely different environments, into one dashboard so that you can view all assets and prioritize all security issues across your entire attack surface. Without this ability to comprehensively view and assess all environments across the extended attack surface in a single, fully-integrated solution, your team will spend exponentially more time understanding the full security picture. Plus, you run the very real risk of missing major security issues.

The bottom line

If you’re responsible for managing the security program for a converged IT/OT network, it’s absolutely essential that you understand the differences and unique challenges of an OT environment. And just as importantly, take care to ensure that you’re utilizing the right security tools for the job ― those that will support an OT environment, and that fully integrate with complementary IT security tools, to deliver a comprehensive picture of the organization’s security landscape. Then, from a people and process perspective:

  • Ensure that your IT security professionals meet with the OT leaders to truly understand the inherent differences that are unique to OT environments.
  • Take the time to truly understand the needs and priorities of of OT ― and why they’re important ― rather than pushing IT security philosophies on them.
  • Understand that OT environments have only experienced outside connectivity for a relatively short period of time, so OT leaders are still at the beginning phases of security maturity.
  • Winning hearts and minds is essential, so be open to phasing in changes, rather than pushing for the “ideal” security solution overnight.

자세히 알아보기

관련 기사

최신 익스플로잇에 대해 취약합니까?

이메일을 입력하여 최신 사이버 노출 알림을 받으십시오.

tenable.io

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오.

Tenable.io Vulnerability Management 평가판에는 Tenable Lumin, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

tenable.io 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

65 자산

구독 옵션 선택:

지금 구매

Nessus Professional 무료로 사용해 보기

7일간 무료

Nessus®는 오늘날 시장에서 가장 포괄적인 취약성 스캐너입니다. Nessus Professional은 취약성 스캔 프로세스를 자동화하고 컴플라이언스 주기에서 시간을 절약하고 IT 팀이 참여할 수 있도록 합니다.

Nessus Professional 구매

Nessus®는 오늘날 시장에서 가장 포괄적인 취약성 스캐너입니다. Nessus Professional은 취약성 스캔 프로세스를 자동화하고 컴플라이언스 주기에서 시간을 절약하고 IT 팀이 참여할 수 있도록 합니다.

여러 해 라이선스를 구매하여 절감하십시오. 연중무휴 전화, 커뮤니티 및 채팅 지원에 액세스하려면 Advanced 지원을 추가하십시오.

라이선스 선택

여러 해 라이선스를 구매하여 절감하십시오.

지원 및 교육 추가

Tenable.io

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오.

Tenable.io Vulnerability Management 평가판에는 Tenable Lumin, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable.io 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

65 자산

구독 옵션 선택:

지금 구매

Tenable.io Web Application Scanning 사용해 보기

Tenable.io 플랫폼의 일부로 최신 애플리케이션을 위해 설계된 최신 웹 애플리케이션 스캐닝 서비스에 대한 전체 액세스 권한을 누리십시오. 많은 수작업이나 중요한 웹 애플리케이션 중단 없이, 높은 정확도로 전체 온라인 포트폴리오의 취약성을 안전하게 스캔합니다. 지금 등록하십시오.

Tenable Web Application Scanning 평가판에는 Tenable.io Vulnerability Management, Tenable Lumin 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable.io Web Application Scanning 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

5 FQDN

$3,578

지금 구매

Tenable.io Container Security 사용해 보기

취약성 관리 플랫폼에 통합된 유일한 컨테이너 보안 서비스에 대한 전체 액세스 권한을 누리십시오. 컨테이너 이미지에서 취약성, 맬웨어 및 정책 위반을 모니터링합니다. 지속적 통합 및 지속적 배포(CI/CD) 시스템과 통합하여 DevOps 실무를 지원하고 보안을 강화하고 기업 정책 컴플라이언스를 지원합니다.

Tenable.io Container Security 구매

Tenable.io Container Security는 빌드 프로세스와의 통합을 통해 취약성, 맬웨어, 정책 위반 등 컨테이너 이미지의 보안에 대한 가시성을 제공하여 DevOps 프로세스를 원활하고 안전하게 지원합니다.

Tenable Lumin 사용해 보기

Tenable Lumin을 사용하여 Cyber Exposure를 시각화 및 탐색하고 시간 경과에 따른 위험 감소를 추적하고 유사한 조직을 벤치마크하십시오.

Tenable Lumin 평가판에는 Tenable.io Vulnerability Management, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable Lumin 구매

조직 전체에서 인사이트를 얻고 사이버 위험을 관리하는 데 Lumin이 어떻게 도움이 되는지 알아보려면 영업 담당자에게 문의하십시오.

Tenable.cs 사용해 보기

클라우드 인프라 구성 오류를 감지 및 수정하고 런타임 취약성을 볼 수 있는 전체 액세스 권한을 누리십시오. 지금 무료 평가판에 등록하십시오.

Tenable.cs Cloud Security 평가판에는 Tenable.io Vulnerability Management, Tenable Lumin 및 Tenable.io Web Application Scanning도 포함되어 있습니다.

영업 담당자에게 연락하여 Tenable.cs 구매

영업 담당자에게 연락하여 Tenable.cs 클라우드 보안에 대해 자세히 알아보고, 클라우드 계정을 온보딩하는 것이 얼마나 쉬운지 확인하고, 몇 분 내에 클라우드 구성 오류와 취약성에 대한 가시성을 얻으십시오.

Nessus Expert 무료로 사용해 보기

7일간 무료

최신 공격 표면을 방어하기 위해 구축된 Nessus Expert를 사용하면 IT부터 클라우드까지, 더 많은 것을 모니터링하고 조직을 취약성으로부터 보호할 수 있습니다.

Nessus Professional이 이미 있습니까?
7일간 Nessus Expert로 무료 업그레이드하십시오.

Nessus Expert 구매

최신 공격 표면을 방어하기 위해 구축된 Nessus Expert를 사용하면 IT부터 클라우드까지, 더 많은 것을 모니터링하고 조직을 취약성으로부터 보호할 수 있습니다.

라이선스 선택

프로모션 가격이 2월 28일까지 연장되었습니다.
여러 해 라이선스를 구매하여 비용을 더 절감하십시오.

지원 및 교육 추가