Network misconfigurations identified as top OT security risk

Skybox research report finds that functional silos compound the dangers of OT network security misconfigurations and weaken overarching OT security posture management

Skybox Security’s research report “Cybersecurity risk underestimated by operational technology organizations” found that fifty-six percent of Security Architects and Engineers listed “misconfigurations” as one of the most significant risks to their OT environment.

OT misconfigurations introduce the same security issues that plague IT organizations, such as outages, access to risky services, and overly permissive rules, including shadowed and redundant rules. However, OT misconfigurations also introduce an additional layer of business problems, such as a production failure caused by a floor machine losing access to resources; for instance, an inability to connect to the schematics the machine needs to execute a design or cutting process. This slows production and can cost the company significant revenue through downtime.
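The shadowed and redundant rules mentioned above are mechanical to detect once a policy is represented as an ordered list. The following is an added example, not code from the Skybox report or from any Skybox product: a small Python checker that walks a constructed, hypothetical ACL in policy order and flags a rule as shadowed when an earlier rule with the opposite action already matches all of its traffic, as redundant when an earlier rule with the same action does, and as overly permissive when an allow rule matches any source, destination, protocol and port. The rule names, addresses and the Modbus port in the sample policy are invented for illustration.

```python
"""Find shadowed, redundant and overly permissive rules in an ordered firewall policy.

Added example (not from the Skybox report). The check is pairwise: a later rule
is compared against each earlier rule on its own, so a rule that is only covered
by the *union* of several earlier rules is not reported. That keeps the example
short; a full analysis would have to reason about unions of address ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: tuple[int, int]   # inclusive destination port range; (0, 65535) means any


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    src_ok = ip_network(inner.src, strict=False).subnet_of(ip_network(outer.src, strict=False))
    dst_ok = ip_network(inner.dst, strict=False).subnet_of(ip_network(outer.dst, strict=False))
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and proto_ok and port_ok


def _is_any(rule: Rule) -> bool:
    """True for a rule that matches all IPv4 traffic."""
    return (ip_network(rule.src).prefixlen == 0 and ip_network(rule.dst).prefixlen == 0
            and rule.proto == "any" and rule.ports == (0, 65535))


def analyze(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (finding, rule name, reason) tuples in policy order.

    A rule yields at most one coverage finding (against the first earlier rule
    that covers it) plus, for an allow-any rule, an overly-permissive finding.
    """
    findings: list[tuple[str, str, str]] = []
    for position, rule in enumerate(rules):
        if rule.action == "allow" and _is_any(rule):
            findings.append(("overly_permissive", rule.name,
                             "allows any source to any destination on any protocol and port"))
        for earlier in rules[:position]:
            if _covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, f"fully covered by earlier rule {earlier.name}"))
                break
    return findings


# Constructed sample policy (hypothetical plant network; addresses are invented).
SAMPLE_POLICY = [
    # Engineering network may talk Modbus/TCP to the PLC segment.
    Rule("R1", "allow", "10.10.0.0/16", "10.20.0.0/24", "tcp", (502, 502)),
    # Intended to block one engineering subnet, but R1 already allowed it: shadowed.
    Rule("R2", "deny", "10.10.5.0/24", "10.20.0.0/24", "tcp", (502, 502)),
    # A narrower allow already granted by R1: redundant.
    Rule("R3", "allow", "10.10.1.0/24", "10.20.0.10/32", "tcp", (502, 502)),
    # A temporary "make it work" rule that was never removed: overly permissive.
    Rule("R4", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535)),
    # A deny placed after the allow-any rule can never match: shadowed by R4.
    Rule("R5", "deny", "192.168.0.0/16", "10.20.0.0/24", "tcp", (502, 502)),
]


if __name__ == "__main__":
    for kind, name, reason in analyze(SAMPLE_POLICY):
        print(f"{kind:18} {name}: {reason}")
```

Running the module prints one line per finding: R2 shadowed by R1, R3 redundant with R1, R4 overly permissive, and R5 shadowed by R4. The last finding is the one that matters most on a plant floor: an operator who adds a deny rule below an allow-any rule gets no error from the firewall, only a rule that silently does nothing.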

OT vulnerabilities don’t just impact the business; they impact public services and safety as well. Misconfigurations can allow attackers to reach sensitive areas where they can stop or change processes that affect public infrastructure. Consider, for example, a bad actor who exploits a misconfiguration to get into a water plant and shift the mix rate of the chemicals used to treat the water. This horror story isn’t a fictional villainous plot out of a Batman movie – this is real-life scary stuff.

Misconfigurations often increase due to the inheritance of bad practices. For example, mergers and acquisitions can introduce misconfigurations if the incoming policy templates are not adequately vetted.

However, the most significant factor resulting in OT misconfigurations is not the technology or processes but organizational structure — namely, the functional silos that prevent teams from effectively working together.

Functional silos increase risk of network misconfigurations

In the report, Architects, Engineers, CIOs, CISOs, and Plant Managers listed “functional silos leading to process gaps and technology complexity” as their top challenge. And over one-third of all respondents said that a top barrier to improving security programs is “decisions made in individual business units with no central oversight.”

Organizational policy without central oversight contributes to what I call “bad behavior”: the desire to satisfy business objectives without considering how this impulsiveness could impact the security posture and – surprise, surprise – lead to misconfigurations. That’s why leadership is also crucial for maintaining current data flows and consistent collection of information, because the introduction of nontraditional IT services and devices can overwhelm OT teams. The teams guarding the machinery often lack an understanding of which controls should be monitored and collected, and of how to prepare against mimicked controls that may introduce an outage or instability.

There is an immediate need to reimagine security to overcome the security risks introduced by the functional silos. Architects cannot see misconfigurations, understand vulnerability exposure, identify access policy violations, tackle weak security controls, and improve change management capabilities without complete network visibility of the IT-OT attack surface. Without these insights, companies are ill-prepared to meet today’s Industry 4.0 security challenges.

Cybersecurity inertia persists

The evidence bears this out. The report found that 40% of respondents said OT is an afterthought to other digital initiatives. Why? CISOs don’t understand the OT environment; IT managers patch the entire network without regard for OT, thus halting production; and even OT teams themselves contribute to cybersecurity inertia by rarely prioritizing security over their production goals.

This political dynamic amongst security team personnel results in a gridlock that inhibits companies from embracing a more holistic, proactive strategy to protect their OT assets.

The blindfolds caused by silos have led to a blatant disregard for standard OT controls – and that has led to misconfigurations. And rules for new architectures lose out to existing, archaic processes.

George R.R. Martin once said: "Most men would rather deny a hard truth than face it."

Unfortunately, when it comes to keeping critical OT infrastructure safe, I’m always surprised by the lengths security teams will go to in order to avoid dealing with the reality that their systems are vulnerable.