New security alliance wants to build strong defense against cyber-physical attacks on IoT devices

The Operational Technology Cyber Security Alliance calls out need to protect newly digitized pumps, sensors, valves, and thermostats.

Video: IoT and the security challenges that tech companies face. Cisco's Michele Guel, Distinguished Engineer and Chief Security Architect, discusses IoT and how enterprises are working to secure the IoT infrastructure.

As the Industrial Internet of Things digitizes more and more manufacturing processes, security risks from the IT world are reaching into operational technology as well.
Operational technology (OT) includes the hardware and software that manage processes of physical devices such as valves, pumps, sensors, cameras, electronic locks, and thermostats.



Until recently, these technologies have not generated data for business use, and OT traditionally has not been part of an IT department's responsibilities. OT systems typically have relied on physical security and have ensured high availability at the expense of confidentiality and integrity. As more of these processes and devices are connected to the internet, OT systems are opened up to cyber attacks.

In a report on the digitization of the oil and gas industry, EY Global found that the convergence of the IT and OT environments has created new cyber-physical risks: "... network connected endpoint devices such as unmanned vehicles, smart sensors, handheld engineer terminals and industrial routing equipment are being produced and deployed without a cybersecurity baseline implementation and are open to remote compromise."

In the 2019 Global Information Security Survey, EY found that leaders in the oil and gas industry are facing familiar problems:

  • 50% say the lack of skilled resources is challenging information security's contribution to the organization.
  • 95% say their cybersecurity function does not fully meet their organization's needs.

The most surprising finding was that only 17% of respondents said it was very likely that they would detect a sophisticated cyber attack.

A new security alliance wants to make the OT world safer by identifying best practices and helping manufacturers secure systems.
The Operational Technology Cyber Security Alliance (OTCSA) will help companies address the OT security challenges that continue to put operations, and consequently business, at risk.

The OTCSA mission is to:

  • Strengthen cyber-physical risk posture of OT environments and interfaces for OT/IT interconnectivity
  • Guide OT operators on how to protect OT infrastructure based on a risk management process and reference architectures/designs which comply with regulations and international standards 
  • Guide OT suppliers on secure OT system architectures, relevant interfaces and security functionalities   
  • Support the procurement, development, installation, operation, maintenance, and implementation of a safer, more secure critical infrastructure
  • Accelerate the time to adopt safer, more secure critical infrastructures

The group will provide architectural, implementation, and process guidelines to help OT operators navigate necessary changes, upgrades, and integrations to evolving industry standards and regulations.

These security guidelines will cover the entire lifecycle—procurement, development, deployment, installation, operation, maintenance, and decommission—and address aspects related to people, process, and technology.

Understanding the security challenge

The Alliance has defined the security challenges facing the OT world in a white paper, "Protecting Inherently Vulnerable Devices." The combination of legacy devices and the increase in industrial system connectivity has created an urgent need to protect systems that have been operating for years or decades. These devices include programmable logic controllers, process sensors, gateways, and workstations. Common challenges of protecting inherently vulnerable devices (IVDs) include:

  • Unpatchable applications and systems
  • Insecure industrial and networking protocols
  • "Air-gap" weaknesses
  • Increased IIoT connectivity

OTCSA membership is open to all OT operators and IT/OT solution providers. Current members include ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAFence, Splunk, and Wärtsilä.
