IT/OT Governance & ITAM 2.0
Manufacturing has come a long way since the industrial age -- and in today's market, digital transformation is accelerating as a way for manufacturers to reduce risk, optimize spend and control costs at production facilities. As a result, operational technology (OT) and the IT assets that comprise it are proliferating at an unprecedented rate and the role of ITAM & IT Governance needs to expand into OT.
Not long ago, OT was treated as separate from IT within the corporate four walls, and as a result, IT Governance best practices were not typically applied. That didn't matter so much in the past, because the systems were separate from corporate IT networks. Today, however, they're connected to corporate networks and systems, and organizations who neglect to extend ITAM to include OT will soon find themselves vulnerable to risk and increased costs.
In the first two posts in this series, we explored the importance of ITAM as a crucial first step for IT Governance and examined how ITAM 2.0 can address the new security challenges of remote working in the Covid-19 era. Now, let's take a look at why organizations must extend IT governance to encompass OT and the myriad IoT devices connected to it, to ensure security and control operational costs as Industry 4.0 takes hold.
IT and OT Converge on the Network
OT consists of hardware and software used to monitor and control physical equipment, machinery, and processes in manufacturing environments. OT is found in industries that manage critical infrastructure -- water, energy, oil and gas -- as well as manufacturing facilities for automobiles, defense equipment, construction, pharmaceutical goods and so on. Through automation and integration with other business-critical systems, OT provides tremendous efficiencies.
Historically, OT was isolated from corporate IT networks. For example, in a printing facility, specialized software would instruct machinery when to dispense ink, and when and how to cut paper or other materials, but the PC running the software would interact only with the machinery it controlled. This was the typical OT scenario, and as such, securing the OT environment revolved primarily around physical security concerns. Since the devices were operated manually or with proprietary electronic controls, they didn't pose the same security risks as devices connected to the corporate IT network.
But that's changing, noted Bert De Mol, VP Research & Innovation at Lansweeper. "The desire to cut costs and make operations more efficient led to the convergence of IT and OT. OT suppliers are now converging their systems onto connected IT platforms, to enable remote monitoring and management, reduce costs, improve vendor support, and streamline operations and management."
The Challenges of IT/OT Convergence
Converging OT with IT introduces new challenges -- specifically, the potential to create vulnerabilities that expose the enterprise to security threats. One common trend we see is outdated software that is used to control industrial systems. "A significant number of dedicated PCs in OT environments are running outdated Windows operating software, such as Windows XP," said De Mol. "The OS is no longer supported by Microsoft and does not benefit from software patches and updates that could protect the network from new and emerging security threats. That is why it's so important to have software like Lansweeper. You want to be able to properly identify and track these vulnerable devices so that potential risks can be identified and mitigated before they become a serious threat/problem."
"The lack of visibility into OT systems puts organizations at high risk of breaches and downtime. Unfortunately, hackers are aware that OT devices are easy targets."Bert De Mol, VP Research & Innovation at Lansweeper
Another problem is that vendors are deploying software updates and patches remotely, in an effort to reduce the costs associated with sending support staff to facilities to update equipment. This means manufacturing facilities must open up their networks to outsiders on a more frequent basis. To make matters worse, OT environments have not been subject to the same IT Governance as IT, because they fall outside of the purview of those responsible for IT security, risk assessments and audits.
Research from a 2019 Forrester and Fortinet found that 56% of organizations that use industrial control systems as part of their OT experienced a breach over the year prior to the study, and 97% said those breaches were a direct result of IT/OT convergence efforts. This is why securing OT is ranked among the most important digital transformation initiatives among cyber leaders for the next 12 months, according to Deloitte's 2019 Future of Cyber Survey.
IoT Adds Complexity, Extends the Attack Surface
Adding to the existing challenges of IT/OT convergence is the growing number of cloud-connected Internet of Things (IoT) devices. In industrial settings, IoT devices are equipped with sensors, software and other technologies for the purpose of exchanging data with corporate systems.
IoT devices may range from complex robots to environmental sensors to smart glasses and other internet-connected devices -- and every device that's accessible over the corporate network can be the gateway for a malicious attack. Even 'smart' coffee machines could be a possible attack vector. "Any vulnerability on these connected devices can put the organization at risk," De Mol said. Such breaches cost companies millions.
"With the increased automation, machine-to-machine (M2) communication and connected devices that define Industry 4.0 proliferating at a rapid pace, continuous monitoring of the entire IT estate is absolutely critical to minimizing risk and controlling operating costs."Bert De Mol, VP Research & Innovation at Lansweeper
For example, Picanol Group, a large manufacturer of weaving machines, fell victim to a large-scale ransomware attack in January this year, causing significant financial impact in downtime and costs associated with calling in experts to repair affected IT systems. When ransomware hit Norwegian aluminum giant Norsk Hydro in March 2019, the company's operations and IT systems were impacted, and its OT had to be switched into manual mode -- a disruption that cost the company more than $40 million.
According to a 2019 Ponemon Institute report, 26% of risk management and governance experts surveyed reported experiencing an IoT-related data breach. An example of an IoT-related breach is when ransomware infected a U.S. manufacturing firm in February 2019 by way of a command-line tool that enables processes to be executed by administrators on remote computers. The attackers stole administrator credentials and used them to execute the attack.
A Clear Path to Organization-wide IT Governance
This last installment in our blog post series on IT Governance illustrates the need for a reliable and complete system of record that maintains accurate data across not only IT, but OT and IoT as well. A dedicated ITAM solution can become the foundation for IT Governance and security across all of an organization's connected assets, and inform any possible use case -- from cybersecurity to compliance, service desk, ITSM, cloud migration and more. At Lansweeper, we believe that our ITAM 2.0 solution makes this possible.
"Lansweeper's vision for ITAM 2.0 is to create a single source of truth for all data pertaining to any network-connected device -- whether within the four walls of an enterprise, within manufacturing and production facilities or inside the homes of remote workers"Bert De Mol, VP Research & Innovation at Lansweeper
In this way, our platform provides comprehensive visibility and unprecedented insight and visibility, enabling organizations to apply IT Governance best practices across the entire IT estate.