By Kevin Lackey.
It is often repeated by control systems security professionals that a primary difference between IT and OT systems is that IT's primary function is to process, record, and retrieve data, while the primary function of OT processes is to maintain availability: keep the process running and production occurring. This idea is false. To a process engineer (and those who support the process), production and availability are important, but the real end goal is to produce safely. Safety comes before availability.
The IT/OT convergence actually began when somebody decided, for the sake of convenience, to encapsulate control systems protocols in common TCP/IP communication. This infiltration of IT protocols into the OT space has progressed and is now so pervasive that even the majority of safety systems, the systems designed to keep accidents, injuries, and other forms of harm from happening, now communicate with the process over Ethernet. Systems that used to be mechanical, pneumatic, or analog are now digital systems.
How do attackers view your systems, then? They do not view them as OT systems, nor as IT systems; rather, they view them as something remote that they can talk to, poke at, and manipulate. For some hackers, the recreationists, it is about discovery, learning, and making systems work "outside the box". For those sponsored by nation states, it is about "how can we impact the process to achieve a goal". These nation-level players have the training and resources that allow them to understand an OT system and the capability to cause catastrophic kinetic impact on it.
The OT hacking landscape once again took a jolt with the announcement of a hacking toolkit, "TRITON", that includes tools for attacking SISs (Safety Instrumented Systems). For years, those of us who evangelize in the OT security space have noted that as safety systems increasingly migrated to being built upon Ethernet communications, the safety systems themselves would become targets of attack. TRITON is the manifestation of those concerns.
We as an industry may view IT and OT systems and processes as distinct entities with different approaches, controls, and risks, but with increasingly overlapping technology and the digitalization of safety systems, for the attacker it is all just stuff on the other end of a communication channel that can be tampered with. And because OT processes control kinetic stuff, "tampered with" can mean really impressive, destructive consequences. Attackers are now armed with the ability to override the very systems that were designed to ensure that harm or loss of life did not occur as a result of a "malfunction" in the process.
Attackers targeting OT assets often treat the IT network as the pathway into the OT systems, even where we have provisioned those OT systems so that they are not directly exposed to the Internet, dial-up, or, in some cases, direct physical access. Now, with Ethernet-based safety systems, attackers who understand control systems can override the safety systems as well.
We as an industry cannot afford to view the IT, OT, or OT safety systems in our environments as independent. We must look at our assets holistically but understand them individually. If an asset is digitally reachable, it is a target.