It is often said that operational technology (OT) and industrial control systems (ICS) environments face “unique” security challenges. But beyond emphasizing the different security needs of OT and Information Technology (IT), what does this statement mean? What are the major challenges that OT/ICS environments face when it comes to security, and what is so unique about them?
In this article we’ll explore these important questions both broadly and through the lens of Tata Chemicals, a trona ore mining and processing company located in rural southwest Wyoming. McKay Smith, IT Manager at Tata Chemicals, recently joined the Cyolo team for a webinar in which he discussed how his organization is working to ensure both the security and the safety of its facilities, operations, and team members.
Industrial control systems are the lifeblood not only of the organizations that run them but also of the critical infrastructure that our society depends on every day. In the simplest terms, ICS refers to a collection of software, hardware, and network components used to control and monitor industrial processes, such as energy production, water treatment, manufacturing, transportation, and more.
Common examples of ICS components include programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, remote terminal units (RTUs), and distributed control systems (DCS). These components and technologies work in different ways depending on the specific industry or process at hand, but their purpose is always to ensure the smooth operation of industrial facilities and critical infrastructure. If you’re picturing an expansive manufacturing line, a thunderous wastewater treatment plant, or a mine operating around the clock, you’ve got the right idea.
Let’s think a bit more about that mine located deep within the earth. This is not your typical office setup – and that’s one of the big reasons why OT priorities are so different from IT priorities and why the security challenges of ICS environments are so “unique.”
A cyberattack on an ICS can not only cause significant financial damage but also compromise the safety of workers, the wider public, and the environment. Unauthorized control or manipulation of the industrial process can result in accidents, equipment failures or shutdowns, and physical harm. For these reasons, operators of ICS environments prioritize physical and operational safety over all other concerns, including cybersecurity.
Operational Safety at Tata Chemicals: According to the Tata Chemicals North America website, “the mine has an underground tunnel network spanning 20-plus square miles. Personnel and equipment enter the mine via a hoist that descends the 1,600 feet to the mine in two-and-a-half minutes.” Every piece of equipment, from the hoist to the monitors measuring gas levels within the mine, must be functioning at the highest standard to guarantee the miners' physical safety. This is and always will be the company’s #1 priority.
Industrial facilities rely on continuous operation, and any downtime due to cyberattacks or other security incidents can result in service disruptions, production losses, economic consequences and, as previously noted, potential harm to workers or the wider community.
The need to keep operations running also limits the ability of many IT-focused security strategies and tools to function in OT environments. For instance, patching and updating systems are common practices on the carpeted floor of the IT world. But on the factory floor, a standard patching exercise that requires even a brief period of downtime, or perhaps a system restart, is often simply not possible. Security solutions that will be used in OT environments need to account for this reality if they are to succeed.
Systems Availability at Tata Chemicals: The Tata Chemicals facility is up and running 24 hours a day, 7 days a week, 365 days a year. All systems must always be operational, or safety could be at risk. When searching for a new security solution, the Tata team specifically sought out a vendor that understood the reality that operations cannot be shut down or even slowed to accommodate the deployment of a new platform.
Nearly all organizations, including the most modern and cloud-focused, rely on at least one legacy system or application to keep their business running smoothly. However, OT environments generally contain significantly more legacy architecture than IT environments. As already mentioned, these systems cannot be easily updated each time the manufacturer releases an updated version. In addition, many legacy systems or applications are so old that they do not natively support modern security and authentication protocols, such as multi-factor authentication (MFA). The result is that the infrastructure at the heart of many industrial enterprises is highly vulnerable to cyberthreats but also extremely difficult to upgrade, update or replace.
Tata Chemicals Depends on Legacy Architecture: Like most industrial enterprises, Tata Chemicals depends on legacy infrastructure for critical parts of its operations. One of the major problems Smith and his team at Tata were looking to solve when they first engaged Cyolo was their inability to secure access to their legacy systems with modern authentication. Unlike other zero-trust access solutions, Cyolo can “retrofit” legacy systems to support MFA as well as single sign-on (SSO). In effect, Cyolo “wraps” the existing OT infrastructure in a layer of security that protects critical processes without requiring downtime or affecting operational efficiency.
In the current age of IT/OT convergence, fewer OT systems are fully air-gapped or otherwise isolated from IT networks and the internet. Still, isolation continues to play a vital role in OT security. Whereas IT systems often depend on external connections to function correctly, many OT environments prefer to limit connections as much as possible and even to remain offline. Security tools implemented in an OT setting should therefore ideally be able to work without any connection to the internet or other systems.
Isolation also has a second significance in the world of OT. Due to the types of work they support, OT systems are often found in highly secluded locations that are difficult to access physically. Examples include the infrastructure sustaining an oil rig hundreds of miles from dry land or a mining operation that sits both far from the nearest town and deep underground. To meet OT needs, security solutions must be able to function under quite inhospitable conditions and with minimal in-person maintenance.
Isolation is a Reality for Tata Chemicals: McKay Smith of Tata Chemicals does not hesitate to admit that his place of work is “in the middle of nowhere.” The mining operation in Wyoming is 175 miles from the closest large city. Because the facility is not easy to access physically, the ability to connect to critical systems via secure remote access is crucial.
Many industries across both IT and OT are currently facing new and stricter compliance mandates but, of course, not all regulatory guidance is designed the same. If you’ve read this far, it will not be a surprise to learn that compliance regulations in the OT space emphasize the protection of critical infrastructure and operational continuity. Security tools designed for IT environments often do not include the necessary capabilities to help industrial enterprises meet the relevant compliance mandates.
Compliance Regulations at Tata: The Occupational Safety & Health Administration (OSHA) has defined specific operating parameters for the air quality in a working mine. Tata relies on its air quality measurement system to ensure compliance and worker safety. This system, found deep underground, needs to regularly update monitoring tools outside the mine, creating a cross-zone connection security concern that Tata solved with the Cyolo zero-trust access solution.
Tata Chemicals exemplifies why industrial enterprises are best served by security solutions purpose-built for OT and security vendors with a deep understanding of OT environments. As we have seen, these environments do indeed face challenges that are unique – though certainly not insurmountable.
To learn more about how Tata Chemicals is overcoming their very toughest access-related challenges, watch the full webinar on-demand.
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.