IT Brief Australia - Technology news for CIOs & IT decision-makers
How OT/IT security gaps threaten industrial transformation in Australia
Mon, 2nd Oct 2023

Digital technologies are transforming the industrial sector across Australia and APAC. Whether it's automated robotics, AI-enabled control systems, cloud computing, Internet-of-Things devices or advanced analytics, smart technology is changing the way things are produced, distributed, delivered, and maintained. This brave new world is known as Industry 4.0.

Not every industrial organisation is ready. Research among Australian businesses suggests that while the necessary technologies and the willingness to implement them exist, practical readiness is not that simple.

The real vs. the ideal
The drive for change is relentless – 78% of business leaders in Australian manufacturing companies surveyed by KPMG say they feel under pressure to speed up their investment in digital opportunities. However, industrial organisations are not starting the journey to Industry 4.0 with a clean sheet. They've got a whole raft of embedded legacy technology that's coming with them.

Studies show that many industrial companies still use old versions of operating systems that are no longer supported or updated by the manufacturer and cannot be secured against cybersecurity threats. Weak encryption protocols and the use of default passwords also remain widespread. Such high-risk scenarios are not necessarily the result of poor security postures – older systems may have little choice but to continue using weaker versions to ensure the ongoing functionality of hardware and software and maintain production reliability.

The push to deploy modern technology alongside legacy systems can expose significant security vulnerabilities. And nowhere is this seen more clearly than when operational technology, or OT, meets IT.

The differences between OT and IT
OT is the tech responsible for managing and controlling the production machines – and it's where most of the legacy technology remains. OT devices are usually found in production lines, power plants, and other industrial settings, and their primary objective is to ensure uninterrupted production.

OT devices need to be able to react and respond in real time. They are generally custom-built for a specific task and incompatible with other hardware or software systems. Their security features are designed to ensure physical safety and process continuity of production or industrial environments.

IT devices are very different. They are connected and inter-compatible and far more resilient to temporary downtime. Their security is designed to protect data and applications.

The impact of Industry 4.0
Industry 4.0 is blurring the lines between OT and IT domains. This is intentional. The OT/IT convergence provides administrators with real-time access to and visibility of their industrial environment and the ability to manage updates and preventative maintenance. When done correctly, this can help control costs and boost production in manufacturing and industrial environments.

However, when these systems converge without proper security, IT becomes a threat vector to OT. When OT systems are brought online and exposed to the web, they may be targeted with automated attacks and advanced threats. When they are exposed to the IT network, any network compromise can pose a threat to production. This is especially true when there are unpatched systems on the IT network.

Industrial organizations are aware of the need to address this risk. One in five (21%) of enterprise security leaders questioned by Forrester for its security survey in 2022 said the security of Industrial Control Systems (ICS) and OT was a tactical priority in 2023.

This is in part because OT cyberattacks tend to have greater and more damaging effects than those in IT, as they can have physical consequences (for example, shutdowns, outages, leakages, and explosions) that impact the organization and its entire supply chain.

How to protect your smart industry
Every device – in OT or IT – that is connected to a network is a potential entry point for an intruder. Preventing a security breach is the top priority for any defence strategy. This should include robust access control measures and segmentation to prevent unauthorised access and lateral movement.

Zero Trust Network Access (ZTNA) is a security framework that assumes that no device, user, or network is inherently trustworthy. A Zero Trust deployment emphasizes continuous verification that provides or denies access to users and devices individually, regardless of their location or network.

ZTNA ensures users can access only the resources necessary to perform their assigned and authorized tasks. Access control is based on factors such as user identity, device security posture, location, and other contextual information configured by the administrator.

At the same time, software-defined perimeters (SDPs) dynamically create isolated network connections between users and the resources they are allowed to access. This introduces dynamic micro-segmentation at the network level. Dividing a network into smaller, isolated zones is a common practice in IT and mission-critical OT environments. Because segmentation can restrict lateral movement through the network, the impact of intrusions and malware attacks is limited to the compromised zone.

Lastly, Zero Trust deployments can adapt security policies so that, when a potential threat is discovered, they respond in real time with appropriate adaptive restrictions.

Conclusion
To reap the full benefits of Industry 4.0, security teams need to understand what they can do to harden their legacy systems. If they can't upgrade software, for example, they need to isolate, air-gap and segment these systems so that threats are incapable of breaking through from the internet and from IT.

Second, they need to address the ever-expanding attack surface of their smart technologies and components and the interconnections with IT. This is where Zero Trust really comes into its own.

If you're unsure where to begin and would like information and advice, visit our industrial security page to get a free trial of our relevant solutions in your environment.