Interview with Dr. Terence Liu, TXOne
Swiftly and effectively responding to cyberattacks
TXOne Networks presented SageOne at the Hannover Messe, a centralised management platform on which all CPS security products converge. Dr. Terence Liu explains the advantages of this in an interview.
OT and IT are converging. How are network structures changing as a result? Does this create new gateways for cyberattacks?
Dr. Terence Liu: There was a prevailing belief that OT environments were fundamentally air-gapped; however, the reality presents a stark contrast. According to our 2023 survey, 97 percent of CISOs expressed that a security incident in IT invariably impacts OT. This strongly underscores the high degree of connectivity between IT and OT networks.
In addition to the connection between IT and OT, the internal network of OT has also become very advanced over the past twenty years. Most of the machines can be connected to SCADA or upper-layer application servers such as databases and MES via the network. Apart from being able to provide feedback on machine data, they can also further accept instructions. In addition to Ethernet, Wi-Fi and private mobile (4G/5G) are also common networking infrastructures. However, when most devices are connected to the internal network, they have many vulnerabilities due to infrequent updates, and the internal network lacks protection from network security devices. Therefore, once hackers infiltrate the internal network, they can cause significant disasters.
While many organizations initially structured their OT environments as sprawling, monolithic networks, attitudes towards network security are evolving. Presently, numerous organizations are adept at employing technologies like network microsegmentation to diminish the risk surface, thus enhancing security posture and reducing resilience time, all without necessitating alterations to existing networking infrastructure.
But it is worth noting that many enterprises use VLAN to implement segmentation. This is not a very effective method because VLAN can only limit the participants of the conversation but cannot limit the transmission of viruses and network attacks. TXOne's microsegmentation is from Level 2 to Level 7, which, in addition to network access control, can also control network protocols and achieve virtual patching.
While the majority of organizations still tend to maintain some level of isolation for OT environments from the Internet, a growing subset of OT environments are migrating to the cloud. In such instances, organizations are highly likely to encounter heightened complexity in security implementation, as they grapple with IT-based security challenges alongside OT-based security constraints.
How does the OT/IT environment need to be adapted to be more resilient to cyberattacks?
Dr. Terence Liu: Firstly, it's imperative to establish a clear boundary between IT and OT networks. Secondly, we must address technical and business constraints to effectively deploy robust OT-friendly security solutions within OT environments. For instance, we utilize a layered solution matrix to achieve comprehensive coverage and prioritize solutions that seamlessly integrate with legacy systems to maximize effectiveness. Additionally, embracing an asset-centric security control flow in OT, harmonized with the human-centric security control flow in IT, is essential. This necessitates a shift in the role of the security manager, with an increasing number of CISOs extending their responsibility and authority beyond IT to encompass OT security, thereby facilitating synergy between IT and OT security efforts.
To maintain robust cyber hygiene and resilience in OT, it's imperative to adopt a comprehensive perspective, considering all aspects of operations and cybersecurity. Unlike in IT, where organizational objectives often revolve around people, in OT, the focus is predominantly on assets. Consequently, organizations must formulate distinct security strategies tailored for both IT and OT environments.
Consider the Zero Trust concept, which advocates for a fundamental principle of trusting no entity and always verifying. In IT, this entails constant scrutiny of staff to mitigate the risk of insider threats. Conversely, in OT, it involves continuously monitoring the security status of each asset throughout its lifecycle. Whenever an asset is introduced into the OT ecosystem, rigorous security assessments are essential before integration with other assets. Similarly, when an asset provides a service, it must be fortified with robust defenses, such as active protection or preventive measures like application whitelisting. Moreover, when an asset exits the operational cycle for maintenance or upgrades, another round of security evaluation is imperative.
Presently, the main challenges lie in the limitations of many IT-centric security tools, which often fail to support legacy systems, rely excessively on the internet, and are not optimized for the unique requirements of OT assets. Consequently, security strategies in the OT domain must be tailored accordingly, focusing on pragmatic solutions that deliver adequate protection while being economically and technically viable for OT personnel to manage seamlessly.
A prevalent issue in OT environments is the shortage of security experts, underscoring the necessity to achieve comprehensive asset coverage, even with limited staffing. Ultimately, the overarching security objective for OT is to ensure 100 percent coverage of assets, enabling operational staff to manage security effectively without undue strain.
Network security plays a critical role in both IT and OT security landscapes. Security gateways or firewalls can significantly enhance organizational security, particularly for entities with remote data access. However, in OT environments, data exchanges often utilize numerous ICS network protocols that are distinct from those in IT environments. Therefore, there is a pressing need for tools capable of identifying ICS protocols while providing operational context insights.
With this operational context, network security solutions can surpass mere security functions, extending to mitigating human errors. According to our 2023 CISO survey, 35 percent of organizations encountered cyber incidents stemming from human error in 2023. Incorporating adequate operational context into cybersecurity controls can substantially reduce this figure.
For instance, if a manufacturing context never requires sending a command to a PLC to deactivate coolers in a plant, blocking such commands from the network becomes a highly reliable approach. These are unmistakable human errors that PLC devices cannot identify.
To achieve this, OT security managers must possess knowledge spanning both IT and OT domains, or alternatively, deploy mechanisms intelligent enough to establish operational baselines and seamlessly integrate into existing security products.
In essence, ensuring security for both OT and IT demands a comprehensive perspective and an inclusive mindset that addresses the needs of both realms. This entails developing a set of cohesive execution plans to seamlessly integrate them. Ultimately, hackers perceive organizations as unified targets, irrespective of whether they target IT or OT systems. Consequently, security managers must adopt a unified defensive approach.
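As an added illustration that is not part of the interview and not TXOne's own code, the following Python sketch shows what the operational-context filtering Dr. Liu describes (blocking a PLC command that the process never legitimately issues, such as deactivating the coolers) can look like for Modbus/TCP. The frame layout and function codes follow the public Modbus specification; the unit ids, the address ranges treated as the operational baseline, and the "coolers are never switched off from the network" rule are constructed assumptions for this example, as is the sample traffic.

```python
"""Protocol-aware write allowlist for Modbus/TCP driven by an operational baseline."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Function codes that change controller state (values from the public Modbus spec)
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}
COIL_OFF = 0x0000  # encoding of "coil off" in a Write Single Coil request


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # first target address for write requests
    value: Optional[int]    # value for single-coil / single-register writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and enough of the PDU to know what a write targets."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol identifier is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    address = value = None
    if fc in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        if len(frame) < 12:
            raise ValueError("single write request truncated")
        address, value = struct.unpack(">HH", frame[8:12])
    elif fc in (WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS):
        if len(frame) < 10:
            raise ValueError("multiple write request truncated")
        (address,) = struct.unpack(">H", frame[8:10])
    return ModbusRequest(tid, unit, fc, address, value)


# Operational baseline (constructed for this example): writes the process legitimately
# issues, keyed by (unit id, function code) -> range of addresses.
ALLOWED_WRITES: Dict[Tuple[int, int], range] = {
    (1, WRITE_SINGLE_REGISTER): range(100, 110),  # temperature setpoints
    (1, WRITE_SINGLE_COIL): range(10, 14),        # cooler run commands
}
# Outputs the process never switches off over the network (constructed): coils 10-13
# on unit 1 drive the coolers, so an OFF write there is a human error or an attack.
NEVER_OFF_COILS: Dict[int, range] = {1: range(10, 14)}


def evaluate(req: ModbusRequest) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one parsed request."""
    if req.function_code not in WRITE_FUNCTIONS:
        return "allow", "read-only function, no state change"
    allowed = ALLOWED_WRITES.get((req.unit_id, req.function_code))
    if allowed is None or req.address not in allowed:
        return "block", (f"write fc=0x{req.function_code:02X} addr={req.address} "
                         f"unit={req.unit_id} is outside the operational baseline")
    if (req.function_code == WRITE_SINGLE_COIL
            and req.address in NEVER_OFF_COILS.get(req.unit_id, range(0))
            and req.value == COIL_OFF):
        return "block", f"coil {req.address} OFF is never required by the process"
    return "allow", "within operational baseline"


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame (used here only to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: legitimate operations plus writes the plant never issues.
SAMPLE_FRAMES: List[bytes] = [
    build_frame(1, 1, bytes([0x03, 0x00, 0x64, 0x00, 0x0A])),  # read 10 holding regs @100
    build_frame(2, 1, bytes([0x06, 0x00, 0x69, 0x00, 0x32])),  # setpoint register 105 := 50
    build_frame(3, 1, bytes([0x05, 0x00, 0x0C, 0xFF, 0x00])),  # cooler coil 12 ON
    build_frame(4, 1, bytes([0x05, 0x00, 0x0C, 0x00, 0x00])),  # cooler coil 12 OFF
    build_frame(5, 1, bytes([0x06, 0x01, 0x2C, 0x00, 0x05])),  # register 300, not a setpoint
    build_frame(6, 2, bytes([0x10, 0x00, 0x64, 0x00, 0x01, 0x02, 0x00, 0x01])),  # unknown unit 2
]


def filter_traffic(frames: List[bytes]) -> List[Tuple[int, str, str]]:
    """Apply the policy to each frame; malformed frames are blocked, never passed through."""
    results = []
    for frame in frames:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            results.append((-1, "block", f"malformed frame: {exc}"))
            continue
        verdict, reason = evaluate(req)
        results.append((req.transaction_id, verdict, reason))
    return results


if __name__ == "__main__":
    for tid, verdict, reason in filter_traffic(SAMPLE_FRAMES):
        print(f"tid={tid:>2} {verdict:5} {reason}")
```

The point of the design is that a plain VLAN or port-based rule would see all six frames as the same allowed TCP/502 conversation between the same two hosts; only a Layer 7 view of the function code, unit id and target address can separate the routine setpoint write from the cooler-off command, and the baseline is something an OT engineer can state without any knowledge of malware.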
The security platform in detail
How can cyber-physical systems be secured?
Dr. Terence Liu: In the realm of ICS security frameworks like NIST 800-82, the journey typically begins with comprehensive risk assessment, progresses through security program development and planning, and culminates in security architecture design and implementation of security controls. At TXOne Networks, we've developed a concise yet highly practical framework that resonates with most organizations.
We champion the concept of "OT Zero Trust" to safeguard CPS at every stage of their lifecycle. This entails thorough inspection of all new assets prior to deployment, fortification through endpoint or networking measures during operation, and subsequent inspection during maintenance intervals.
This straightforward approach optimizes the efficiency of security investments across the entire risk spectrum. Firstly, it proactively diminishes the OT cyber risk surface by leveraging specialized OT expertise early in the lifecycle. Secondly, it employs operationally sound techniques to preemptively manage residual risks in alignment with the known limitations and constraints of OT systems. This integrated cyber risk management process harmonizes with its operational risk management counterpart, thereby aligning security objectives with business imperatives.
TXOne presented SageOne at the Hannover Messe. What exactly is it?
Dr. Terence Liu: SageOne serves as a comprehensive Cyber-Physical Systems (CPS) protection platform that seamlessly orchestrates cybersecurity information throughout all TXOne solutions. It goes beyond mere visibility, offering robust protection and advanced threat detection capabilities across all CPS facilities within your organization. With actionable suggestions tailored for implementation by OT security management teams, SageOne plays a pivotal role in bolstering the security posture of industrial and mission-critical environments.
By amalgamating expertise in protocols, network behavior, and physical asset characteristics, SageOne contributes significantly to the resilience and reliability of cyber-physical systems. It ensures secure and efficient interaction between the digital and physical realms, thereby fortifying the overall security framework.
Can you explain the three key elements of the platform in more detail?
Dr. Terence Liu: A CPS protection platform must ensure safe, reliable, resilient, and adaptable performance in real-time, supported by robust cybersecurity measures. As a CPS protection platform, SageOne is built upon the following key pillars:
First - CPS Attack Surface Management. Visibility is a cornerstone for cybersecurity. A clear view of the overall security posture helps identify security focal points in an OT environment. SageOne focuses on operational security by honing in on assets and illuminating the security information of various controls.
Second - Integrated Lifecycle Protection. Centralized management simplifies cybersecurity governance and achieves collaborative defense. As an abstraction layer, SageOne streamlines the contextualization and consolidation of data across various products. It offers a tailored, task-oriented console designed specifically for executives, security personnel, and plant leaders.
And third - CPS Threat Detection & Response. Properly handling known threats is absolutely crucial. Coping with unknown threats is equally important. SageOne compiles all security insights from multiple solutions and scouts for potential risks in order to enable early caution and response when needed.
How can SageOne help users respond to cyber attacks?
Dr. Terence Liu: SageOne is designed to swiftly and effectively respond to cyberattacks or potential threats by providing comprehensive operational insights across various security perspectives, in addition to the mentioned features.
The platform prioritizes the analysis of unexpected behavior and unidentified threats. It identifies suspicious events by cross-referencing endpoint and network telemetry within the OT-native XDR (Extended Detection and Response) engine. By seamlessly integrating advanced technologies with an intuitive user interface, SageOne ensures the safeguarding of critical infrastructures.
For robust CPS attack surface management, SageOne offers Asset-Centric Visibility, providing complete visibility of all network devices. Furthermore, it prioritizes the analysis of the attack surface and offers actionable recommendations.
SageOne facilitates rapid threat response by issuing early warnings of suspicious network behavior through CPS Threat Detection & Response Orchestration, leveraging cross-telemetry analysis.
Additionally, Integrated Lifecycle Protection ensures the security of devices and systems throughout their service life. This is achieved through centralized management of security solutions and unified defense, resulting in enhanced cost efficiency. With SageOne, TXOne Networks underscores its commitment to CPS security and reliability, driving continuous advancements in OT security.
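As an added example, not part of the interview and not SageOne's engine or data format (neither is described on the page), the following Python sketch shows the kind of cross-referencing of endpoint and network telemetry that Dr. Liu mentions: a PLC write from an engineering workstation is ordinary on its own, and an unapproved process start on that workstation is an ordinary hygiene finding on its own, but the two on the same host within a short window are worth an early warning. The JSON-lines telemetry, hostnames, event names and the ten-minute window are all constructed assumptions for this illustration.

```python
"""Correlate endpoint and network telemetry per host to surface suspicious PLC writes."""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed endpoint telemetry (JSON lines): "approved" is the endpoint agent's verdict
# against the workstation's application allowlist.
ENDPOINT_LOG = """\
{"ts":"2024-04-22T08:00:05Z","host":"ews-01","event":"process_start","image":"EngTool.exe","approved":true}
{"ts":"2024-04-22T08:14:10Z","host":"ews-01","event":"usb_mount","image":null,"approved":false}
{"ts":"2024-04-22T08:14:32Z","host":"ews-01","event":"process_start","image":"update.exe","approved":false}
{"ts":"2024-04-22T09:30:00Z","host":"hmi-02","event":"process_start","image":"Runtime.exe","approved":true}
"""

# Constructed network telemetry: ICS-protocol operations seen by a protocol-aware sensor.
NETWORK_LOG = """\
{"ts":"2024-04-22T08:01:00Z","host":"ews-01","dst":"plc-07","proto":"modbus","op":"write_register","addr":105}
{"ts":"2024-04-22T08:15:02Z","host":"ews-01","dst":"plc-07","proto":"modbus","op":"write_coil","addr":12}
{"ts":"2024-04-22T09:31:00Z","host":"hmi-02","dst":"plc-07","proto":"modbus","op":"write_register","addr":101}
"""

WINDOW = timedelta(minutes=10)  # assumed look-back from a write to its endpoint precursors


def parse_jsonl(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ts(event: dict) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def correlate(endpoint_events: List[dict], network_events: List[dict],
              window: timedelta = WINDOW) -> List[dict]:
    """Return one alert per network write preceded (within window) by an unapproved
    endpoint event on the same host; either signal alone produces nothing."""
    by_host: Dict[str, List[dict]] = {}
    for e in endpoint_events:
        by_host.setdefault(e["host"], []).append(e)
    for events in by_host.values():
        events.sort(key=ts)

    alerts = []
    for n in network_events:
        if not n["op"].startswith("write"):
            continue  # reads carry no state change; keep them out of the early-warning path
        t = ts(n)
        precursors = [e for e in by_host.get(n["host"], [])
                      if not e["approved"] and t - window <= ts(e) <= t]
        if precursors:
            alerts.append({
                "ts": n["ts"], "host": n["host"], "dst": n["dst"],
                "write": f'{n["op"]} addr={n["addr"]}',
                "precursors": [e["event"] for e in precursors],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_jsonl(ENDPOINT_LOG), parse_jsonl(NETWORK_LOG)):
        print(json.dumps(alert))
```

In the constructed data the 08:01 setpoint write follows only an approved process and the hmi-02 write has only an approved precursor, so neither is reported; the 08:15 coil write on ews-01 comes twenty seconds after a USB mount and an unapproved executable on the same host, and that combination is what the correlation surfaces. In a real deployment the write would additionally be checked against the operational baseline, and the alert would carry the asset context (which PLC, which output) so that plant staff without a security background can act on it.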