In the near-decade Sid Snitkin has worked with ARC Advisory Group, he’s seen a number of changes in the world of industrial cybersecurity and operational technology. He’s seen the threat landscape evolve, the adoption of cybersecurity measures by industrial companies grow, and the need for IT-OT convergence increase.
“A lot has changed,” Snitkin says. “Today, most industrial companies understand the risks of cyber-attacks and many companies have invested in basic defenses. But there’s still a lot that needs to be done to protect our critical infrastructure.”
ARC Advisory Group is a technology research and advisory firm for industry and infrastructure. Snitkin heads ARC’s industrial cybersecurity practice, which develops products and services for protecting industrial facilities.
“It’s a hot topic. We monitor all of the developments and the technologies in the OT space,” Snitkin says. “We know all the equipment and the suppliers. We know who does what and who’s developing what. Our analysts have a very good insight on the trends and where the market is going.”
Industrial Cyber talked to Snitkin about how the threat environment has changed during the decade he’s been at ARC, the need for active defense, and the need for IT-OT convergence.
According to ARC’s research, in 2019, industrial companies spent $4 billion to protect OT systems. By comparison, companies spent $125 billion on IT cybersecurity, indicating that industrial companies are spending far less on OT security than IT security.
Despite these numbers, OT spending has more than doubled over the last eight years. According to ARC, power, oil and gas, and water and wastewater are the industries spending the most on industrial cybersecurity.
“Most companies seem to be aware of the need for cybersecurity and have made investments in passive defense technologies, but many have not made investments in the people and tools that are needed to maintain these defenses. Few companies have invested in active defense because they don’t think an attack will be able to get past their defenses. This is leaving many facilities at risk.”
While malware attacks used to be the most common type of attack industrial companies faced, today most industrial companies are starting to see more sophisticated attacks involving ransomware. According to Snitkin, nearly one-third of the ransomware attacks that occur today are against industrial companies.
“Attackers are continuing to find ways to penetrate defenses,” Snitkin says. “Some attacks are going to get through no matter what, which is why active defenses are necessary to ensure these attacks are quickly detected and addressed.”
Snitkin is a proponent of active defense cybersecurity measures. He says organizations need to shift to active monitoring and detection in order to quickly address attacks and abnormalities when they occur. However, he says OT security teams often lack the resources to do this effectively. That’s why he emphasizes the need for IT-OT convergence.
“It will be hard for industrial organizations to protect themselves if they try to maintain separate IT and OT cybersecurity programs,” Snitkin says. “There will always be OT-specific cybersecurity issues, but these needs can be addressed as part of a converged IT-OT cybersecurity program.”
Today, Snitkin says most industrial companies have two cybersecurity programs: one to protect their IT system and one to protect their OT system. Most companies treat these as two independent programs because of the differences in technologies, goals, and security strategies.
However, most OT facilities are facing critical OT cybersecurity resource gaps. They lack the people and technology necessary to manage sophisticated attacks. Additionally, Snitkin says CISOs are demanding consistent cybersecurity management across all systems.
Another factor driving the need for IT-OT convergence is digital transformation, which requires stronger security measures. More and more, industrial facilities are seeing the deployment of IoT and IIoT devices, which are creating new challenges.
“New risks are becoming apparent as companies are launching digital transformation initiatives,” Snitkin says. “IT and OT are starting to converge more and more and that is bringing about more sophisticated cyber attacks on the plants.”
Snitkin says IT-OT convergence allows for better cybersecurity governance, broader visibility of cyber risks, faster detection of compromises, and faster response and recovery. Convergence is a cost-effective way to gain experienced cybersecurity experts, and IT security operations centers are already built for active defense. Ultimately, IT-OT convergence centralizes policy management, integrated threat information, and technology that supports fast and efficient incident management.
However, Snitkin cautions that IT-OT convergence is about more than shifting OT cybersecurity to IT security teams. That’s because OT cybersecurity deals with unique people, processes and technology, including nontraditional cyber assets like PLCs and DCSs and networking technology and protocols. It also includes legacy IT assets that cannot always support security software or be easily upgraded. There are also a number of constraints on security practices and technologies in plants and factories. Therefore, IT-OT cybersecurity must be flexible.
Snitkin says IT-OT convergence tends to follow three models: collaboration, integration, and unification. Some companies might adopt a blended approach that follows each model on a case-by-case basis.
Collaboration involves two separate, isolated programs that try to collaborate where they intersect. This provides for better isolation of ICS systems, but it results in duplicated resources and little visibility. Integration involves two teams, managed separately, who collaborate on common challenges, such as cloud adoption, remote access, IoT devices and edge systems. This allows companies to better leverage resources. Unification means establishing one cybersecurity program that includes traditional IT and OT assets.
“We’re seeing more sophisticated attacks and new developments that are forcing IT and OT groups to expand their programs,” Snitkin says. “Companies are starting to recognize that IT/OT convergence is the best way to address these challenges. The question is no longer about whether they should be converging but when.”