Cyber-physical convergence expands attack surface

In the last year, Hong Kong has seen the growing convergence of IT systems and OT systems as more companies try to drive digital transformation deeper into their organization.

“The cyber-physical convergence, especially on the use of IoT (Internet of Things), is actually happening and keeps growing in Asia Pacific, including in Hong Kong across multiple areas,” says Luke Ma, head of consulting for Asia, NTT Security. “Many enterprises are deploying various types of beacons and sensors within their business operation environments in order to collect more useful information to enhance operation efficiencies as well as improve end-customer user experiences.”

Henry Ng, managing director, critical information systems and cybersecurity, Asia, at Thales, says OT systems don’t necessarily embed IoT devices.

He says OT systems are used to monitor events, processes and devices related to industrial operations. Many of these devices are not connected to the internet, but instead directly supervised by OT systems.

“However, the OT systems are more and more interconnected with the IT systems to become Industrial IoT (IIoT) as a consequence of digital transformation,” Ng said.

“Enterprises are starting to use IoT devices as part of the digital transformation journey. Industries such as manufacturing, logistics, healthcare, retail are already embracing the usage of IoT. As more devices are Internet-enabled, more enterprises will deploy and use IoT devices to enhance their business operations,” he adds.

Garrick Ng, chief technology officer at Cisco Hong Kong and Macau, agrees: “We are seeing the government is pushing for Industry 4.0 in Hong Kong, and a lot of companies are harnessing the power of data by connecting devices and machines to the network for better insights for optimizing business operations, enhancing customer experience, and generating new revenue sources.”

Security challenges as two worlds collide

IT systems security has traditionally focused primarily on confidentiality, integrity and availability, whereas OT security focuses on safety, availability, physical security, reliability, resilience, adaptability, and privacy in different ways.

“Based on these differing lenses, cyber-physical systems (CPS) present challenges—some that build on operational technology (OT) (to include ICS/SCADA) security and some that are unique to the dynamic nature of the environment CPS operates in,” says Katell Thielemann, vice president, Gartner.

She adds: “Some of these challenges include: Security of controls, actuators or sensors; network segmentation, isolation or masking; size and limited computational power to run security on deployed devices; and identity management and authentication in resource-constrained devices.”

Gartner predicts that by 2023, 50% of security products and services generically marketed today as the IoT will focus on industry-specific cyber-physical systems security (CPS-Sec) needs, compared with a negligible number today.

Ng of Thales notes that IoT devices may collect and store sensitive data, and transmit such data to other devices. If the sensitive data is not protected properly during storage and transmission, sensitive data could be exposed.

“As many of these IoT devices are running embedded operating systems, there may not be sufficient security controls already built into these IoT devices. If enterprises simply connect IoT devices to their corporate network and allow them to collect data over the Internet and transmit back through the corporate network, these IoT devices can become security loopholes compromising the security protection of enterprises,” he says.

“We have to address the issue at the system level and not only at the device itself—meaning secure the device (identity and authentication), the communication flow (integrity and confidentiality when required) and the data management system. Risk analysis is mandatory to identify the threats and define the right and trusted solutions and services to fix them,” Ng says.

Meanwhile, one big problem that enterprises face today is that IoT devices and OT environments are sometimes not managed or even funded by the same IT and security teams.

“This then makes it complicated to enforce policies and security procedures which require knowledge and capability of these devices which are often unknown,” says Fernando Serto, head of security technology and strategy for Asia Pacific at Akamai.

“In most cases, we see devices that can’t even be patched, and all that is required for them to work is network connectivity. Enterprises need to implement additional controls, like an effective way of monitoring and enforcing all DNS activity to prevent them ‘calling home’ to a command and control server somewhere else and potentially launching attacks against other targets, or in a worst-case scenario, these devices being used for exfiltrating data from within the enterprise,” Serto says.
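As an added illustration (not from the article or from Akamai), the DNS control Serto describes can be sketched as a per-device allowlist applied to resolver logs. The inventory, device classes, domains and log format below are all constructed assumptions.

```python
# Added example: per-device DNS allowlist check over constructed resolver logs.
from collections import defaultdict

# Assumption: each device class needs only a short, known list of domains.
ALLOWED_SUFFIXES = {
    "hvac-sensor": ("telemetry.vendor-a.example",),
    "ip-camera": ("updates.vendor-b.example", "ntp.corp.example"),
}
# Assumption: an asset inventory maps each source IP to a device class.
INVENTORY = {"10.20.0.11": "hvac-sensor", "10.20.0.12": "ip-camera"}

# Constructed log lines in the form "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2024-01-01T00:00:01Z 10.20.0.11 A telemetry.vendor-a.example
2024-01-01T00:00:05Z 10.20.0.12 A updates.vendor-b.example
2024-01-01T00:00:09Z 10.20.0.12 A x7f3k.dyn-host.example
2024-01-01T00:00:12Z 10.20.0.99 A telemetry.vendor-a.example
2024-01-01T00:00:15Z 10.20.0.11 TXT data.telemetry.vendor-a.example.lookalike.example
"""

def domain_allowed(qname, suffixes):
    """True if qname is an allowed domain or a subdomain of one.

    Matching is on whole labels from the right, so a name that merely
    contains an allowed domain somewhere on the left does not pass.
    """
    qname = qname.rstrip(".").lower()
    return any(qname == s or qname.endswith("." + s) for s in suffixes)

def review_dns(log_text):
    """Return {client_ip: [(qname, reason), ...]} for queries to block and alert on."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, _, qname = parts
        device_class = INVENTORY.get(client)
        if device_class is None:
            # A device nobody inventoried is itself a finding.
            findings[client].append((qname, "unknown device"))
        elif not domain_allowed(qname, ALLOWED_SUFFIXES[device_class]):
            findings[client].append((qname, "domain not in allowlist"))
    return dict(findings)
```
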

Transform cybersecurity posture for the new era

According to Thielemann of Gartner, companies—too often—fail to focus on the cyber-physical angles of security vulnerabilities, risks and impacts, zeroing in on IT-centric concerns instead.

“At best, they are starting to think about the growing convergence of IT and operational technology (OT) in industrial settings. However, cyber-physical systems present a higher level of complexity altogether, particularly when they become ‘systems of systems’,” she says.

Serto observes that companies should understand the risks imposed by having traditional architecture still in place when they are looking at digitizing their environments.

“Traditionally, the budget allocated to cybersecurity was always tied to physical appliances or a rollout of something like a new end point protection software,” he says. “With OT and IoT, however, the same types of approaches don’t apply anymore, so they should be looking into ways of deploying these systems without compromising the integrity of their network.”

Furthermore, enterprises should also embrace a security culture starting from top management to embed cybersecurity in their daily operations as well as building security in early stages of project implementation, says Ng of Thales.

“Unfortunately, we see some enterprises treating cybersecurity as an aftermath that they will usually only implement minimum security controls without allocating sufficient budget and resource,” Ng says. “Only when security incidents have occurred will they start to impose additional resources to address and fix the issues. Defining a clear cybersecurity strategy which is signed off by the senior management can change the landscape.”

Getting your act together

Proper assessment is required to determine how to connect IoT devices to the corporate network, according to Ng of Thales.

“The authenticity of IoT devices needs to be established to ensure the enterprises are indeed communicating with legitimate and authorized IoT devices. If IoT devices are storing and transmitting sensitive data, encryption should be implemented to protect sensitive data,” he says.

Meanwhile, Garrick Ng of Cisco says the corporate IT team needs to find, secure and manage all the various legacy and new devices that are connecting to networks with automated resources in order to gain control over IoT deployments.

“Just as with rogue and beyond shadow IT equipment, older IoT devices are a potential network threat if they are not tightly managed. Even modern IoT devices can create a virtual tsunami of risks for IT,” he says.

“Therefore, the IT needs to identify the existing networked devices and provide maximum protection or isolation, even if they have no inherent security capabilities,” he adds. “Existing legacy devices are typically simple in functionality, have minimal identifying information, negligible or non-existent security capabilities, and are usually installed with default security settings, making them easy to hack.”

Ng also says network management tools can be leveraged to sense and locate the existing devices, and to detect and record the manufacturer, type and model if available. Once devices are identified, network management assigns policies that control where data from devices can stream, and what types of other devices can communicate with the legacy nodes.

He further points out that when deploying new devices, it is important to know the identities and installation locations, and use available and contemporary built-in security software.

“However, applying the appropriate policies to hundreds or thousands of new connections is an IT workload nightmare when attempted manually… Automating the application of these policies is key to keeping up with the rapidly expanding IoT universe.”
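The discover-then-assign-policy workflow described above can be sketched as follows; this is an added example, not Cisco's tooling or anything from the article. Device records, policy names, addresses and the rule that unidentified devices are isolated by default are constructed assumptions.

```python
# Added example: assign segmentation policy from discovery data, then check flows.
# All device records, policy names and addresses below are constructed.
POLICIES = {
    # "sinks": where a device's data may stream, as (destination IP, port).
    # "peers": which device types may communicate with this device.
    "badge-reader": {"sinks": {("10.50.0.10", 8443)}, "peers": {"door-controller"}},
    "door-controller": {"sinks": {("10.50.0.10", 8443)}, "peers": {"badge-reader"}},
    "quarantine": {"sinks": set(), "peers": set()},  # isolation: default deny
}

DISCOVERED = [  # what network management recorded; fields may be missing
    {"ip": "10.40.0.5", "manufacturer": "VendorA", "type": "badge-reader", "model": "R2"},
    {"ip": "10.40.0.6", "manufacturer": "VendorA", "type": "door-controller", "model": None},
    {"ip": "10.40.0.7", "manufacturer": None, "type": None, "model": None},
]

def assign_policies(devices):
    """Map each device IP to a policy; unidentified or unknown types are quarantined."""
    return {
        d["ip"]: d["type"] if d.get("type") in POLICIES else "quarantine"
        for d in devices
    }

def check_flow(assignment, src, dst, port):
    """Return 'allow' or 'deny' for one observed flow from src to dst:port."""
    src_policy = assignment.get(src, "quarantine")
    # Rule 1: the source may stream data only to its approved sinks.
    if (dst, port) in POLICIES[src_policy]["sinks"]:
        return "allow"
    # Rule 2: a managed destination accepts only its approved peer types.
    dst_policy = assignment.get(dst)
    if dst_policy and src_policy in POLICIES[dst_policy]["peers"]:
        return "allow"
    return "deny"
```
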