As the number of remotely deployed field devices and SCADA systems are connected to the IT environment, new points of attack are uncovered as the result of the convergence of IT and OT departments within the utility space. In 2012, 41% of cyber attacks took place in the US energy sector, according to the Department of Homeland Security.
Outdated OT security software
IT systems are always being updated with the latest security software. This is very unlike OT devices which are often operating with outdated software-sometimes as old as 10-15 years and older.
As a result, these devices have very little security capabilities because they were installed at a time when a physical separation from IT systems was considered to be “secure.”
With IT-OT systems being brought together, stakeholders will need to make OT systems more secure before merging with IT systems or at least ensure they have a good visibility of the threats.
This integration of systems process is complex. Lori Wigle, Vice President, Security Fabric Program, McAfee/Intel, US, points out in her presentation, Smart Grid Armour:Cyber Security for the Energy Sector, at European Utility Week 2013, that there are many system differences between enterprise IT security and Industrial Systems OT. Security measures that prove to be effective for the IT arena, may not work on the OT side.
For instance, an anti virus is common and widely used in IT but it could cause unacceptable network delays in Industrial Systems. It is therefore essential to identify these different security needs during the OT/IT system integration process and provide appropriate solutions.
In the past, responsibilities of the utility information technology (IT) departments were confined to the servers and computer systems that housed customer data, billing information and other digitally stored data. At the same time, operational teams focused on the performance, maintenance and reliability of assets.
Mostly, the virtual concerns of the IT group did not intersect with Operations’ concerns for physical assets. This Informational Technology / Operational Technology (OT) gap has not escaped the notice of hackers.
Today, the operation and management of physical assets is being managed through virtual systems. This has resulted in a blur in departmental lines and leaves IT groups to struggle with the introduction of disparate and often unsecured assets into the information technology arena.
In addition, operational groups that work around the clock often need support from IT groups that do not work these hours. The shift in departments could leave gaps in accountability which could lead to security threats. A crossing-over of responsibilities will need to be established so that both OT and IT systems do not fall into the hands of a hacker.
Security-an integral part
No-one sets out to build an unsecure system and the key to life in the converged IT - OT world is a partnership that can establish security as an integral part of the IT-OT convergence process. This will ensure that the benefits of convergence are realised and that the process is not hindered by the perceived or real security issues.
It is essential that utilities recognize this security gap from the outset and not view it as a mere afterthought otherwise the success of IT-OT convergence will be compromised.