OT and IT are no longer separate worlds, especially for security

Easi takes a broad view of the security landscape during Behind Closed Doors. Not only IT but also OT gets a lot of attention, and that is no coincidence. OT and IT are increasingly merging, but they are also fundamentally different.

Easi is once again bringing a lot of people from all kinds of sectors to its Behind Closed Doors event. The doors of the Van der Valk Hotel in Ghent, which overlooks the neighboring soccer stadium, are fortunately not yet closed when we arrive. After the welcome speech, everyone still inside hurriedly looks for a free spot at one of the sixteen tables.

Behind Closed Doors is a “marketplace” for security. At each table, selected vendors give their best during eight 40-minute sessions. Like an evening of speed dating, attendees move from table to table. A diverse range of topics comes up: from pen testing to SOCs and (of course) AI. The moderator keeps a close eye on the schedule, and a loud alarm signals that it’s time to move on to the next table.

Weak link

The roundtables are not limited to IT security. Operational technology, or OT for short, is also regularly discussed. IT and OT were long considered two separate worlds, but partly under pressure from European regulations such as NIS2, they are increasingly coming together. Yet OT is still often considered a “weak link” in security.

We ask Jeroen Colpaert, Business Unit Manager at Easi, and his colleague Gerrit Neyrinck, Executive Security Engineer, whether that dubious reputation is justified. Neyrinck immediately puts his finger on the sore spot. “IT has a twenty-year head start on OT when we talk about security. If machines are running and working, then you stay away from them, because shutting down production costs a lot of money. Most ‘old guard’ OT engineers also have little to no knowledge about security. OT used to stay local, but with IoT there is more convergence with IT.”

“The scope is completely different,” Colpaert further adds. “In IT security, we mainly talk about the integrity of data. Availability, reliability and security are the three keywords of OT security. OT and IT must learn to understand each other and share knowledge with each other. Now too often they still don’t know about each other.”

IT is twenty years ahead of OT in security.

Gerrit Neyrinck, Executive Security Engineer Easi

Emergency button

The overlap of IT and OT is not without controversy precisely because the two worlds are so different. OT security is often approached from IT principles, but that approach doesn’t work, Neyrinck notes.

“There is no ‘emergency button’ for OT: then your factory flies up in the air, so to speak. Patching, as is the norm in IT, also doesn’t work because you can’t test in an OT environment. Once the upgrade is started, you can’t reboot because it takes too long to go back into production. The risks are much higher in an OT context, which is why the approach is more prudent.”

“Manufacturing used to be in an air-gapped environment, but today everything is connected. Secure remote access is also becoming crucial for production machines. How do we know if it’s safe when someone remotely pushes a button? If everything is running, it’s fine, but if a machine fails, the consequences can be catastrophic. You can’t isolate devices: that simply doesn’t work in an OT environment. The impact of OT problems is very big: not only financially, but possibly also for the safety of people or the environment,” Colpaert warns.

The presence of outdated technology adds security complexity. Neyrinck: “OT systems can last up to thirty years and need to keep running 24/7. Moreover, no two plant environments are exactly the same. If a vendor of a specific machine goes out of business, you risk having nowhere to turn for problems. In IT, you do a hardware refresh every, say, five years, but we can’t ask manufacturing companies to replace new machines costing millions of dollars every five years, can we?”

Visibility

OT security deserves its own approach, Colpaert and Neyrinck agree. Everything starts with gaining visibility into your environment. Colpaert: “You need to know not only what’s in your plant, but also what components are in the machines. Then you start looking at where any vulnerabilities are in the network and what policies might clash. If you don’t know that, you can’t apply security to it. It’s about getting visibility into everything you have and how to run that in a secure way.”

“We see the market evolving,” says Neyrinck. “Vendors from the IT security world are seeing their chance to get a piece of the pie and are adding OT. Personally, I do think there is a need for dedicated OT solutions that understand the specific protocols.”

“Manufacturers of chips for the machines are also playing a role here. Vendors want to help develop tools. But it’s not a question of how to go from IT to OT, but how to bring both worlds together,” Colpaert adds.

In IT security today, much of the focus is on training people to handle technology safely. Colpaert and Neyrinck also see value in this for OT, but add a caveat. “People need to understand how to interact with machines in the context of security, not just from operations,” Colpaert says.

Neyrinck picks up further: “It does require a different approach. Your production teams don’t work from behind a PC. You won’t reach them with mandatory video training. Flash cards, for example, are more effective in creating awareness among users. Physical security is still the most important thing in OT.”

The impact of OT problems is very high: not only financially, but also for people and the environment.

Jeroen Colpaert, Business Unit Manager Easi

Head out of the sand

Neyrinck sees a positive shift in awareness about security. That shift is needed, because NIS2 makes no exception for OT environments. “Companies used to know OT security existed but did nothing about it. Now the ostrich tactic is no longer possible. Companies are going to be penalized if they don’t deal with it. Standards for OT are going to be as important as IT standards.”

“I like the fact that NIS2 also takes OT into account and not just IT,” Colpaert echoes in agreement. “The frameworks deal with the same theories, only the way you approach it is different. Companies are looking for the right people with the right skills. Those are rather limited in the OT world, though.”

In short, there is still much work to be done, Neyrinck also concludes. “NIS2 makes a strict distinction between SMEs and large companies. As a result, SMEs don’t really know whether it will also have an impact on them. We also need to think more about backups and disaster recovery. Large companies can put a team of dedicated people on their OT faster, but even then you don’t just work away a 20-year backlog.”


This is an editorial in collaboration with Easi.
