Mind the Gap – Security at the IT/OT Boundary
“68% of business leaders feel their cybersecurity risks are increasing.”
In normal operations, networked machines are capable of both transmitting and receiving data. Traditionally these communication channels are guarded with either a data diode or a high speed verifier.
One of the most common requirements at the IT/OT boundary is the need to extract historical data or logging information from the OT network for analysis in the IT network. Data travelling in this direction can be assumed to be “safe” and therefore the primary concern is to ensure that the communication channel itself cannot be used by an attacker to jump the electronic air gap and cross from the IT to the OT network.
The Data Diode is a great one-directional flow solution for mitigating the risk that the channel can be used by an attacker to get in. For organisations that require a more resilient solution and reliable bi-directional communications at the IT/OT boundary, the High Speed Verifier is the best solution.
Importing Software Updates
Another common requirement at the IT/OT boundary is the need to import software updates such as Windows/Linux updates and signature updates if required by your data protection solution. A bi-directional gateway can provide an effective solution, ensuring that traffic can flow in both directions between pre-configured update servers residing either side of the boundary.
Secure Monitoring in the Cloud
Managing OT networks and assets from the cloud, whether for the purpose of viewing historical data, monitoring those assets in real time or even remotely controlling them, delivers big business benefits. However, to enjoy these benefits, providers of critical infrastructure need to be certain that the links between the OT network and the cloud monitoring platform cannot be used by an attacker to compromise the OT network and assets.
The challenge of managing security at the IT/OT boundary becomes far more complex and nuanced when it comes to importing IT files (rich content of the kind used every day in the enterprise network) from IT to OT or supporting bi-directional application protocols.
Importing IT Files
Office files, PDFs and diagrams are all essential to the smooth operation of plant and machinery. However, this type of complex data is the carrier of choice for cyber attackers intent on getting malware in and establishing remote command and control channels. Sadly, detection-based security defenses all too often fail to detect malware concealed in data, and another solution must be found to ensure organisations can be confident they are receiving malware-free data.
According to Brian Krebs: “On average, antivirus software is only 25% successful at detecting malware.”
Rather than trying to detect malware, Forcepoint’s Zero Trust Content Disarm & Reconstruction (CDR) uses a unique process of transformation to deliver only the valid business information that users need. This ensures the delivery of safe and fully functional content, so organisations can have utter confidence in the files they are importing from IT to OT.
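The "transform rather than detect" idea described above, as an added example that is not Forcepoint's code and does not model any real Office or PDF structure: it uses a constructed toy document format (a JSON-style list of elements) and shows the two halves of a CDR pipeline, parsing the untrusted input into a strict allow-list model and then building a brand-new document from that model alone. Macros, unknown element types, unexpected fields and malformed payloads never reach the output by construction. A naive signature scan is included only to contrast the two approaches; the signature, the sample document and the element names are all constructed for this illustration.

```python
"""
Minimal content disarm & reconstruction (CDR) over a constructed document
format. Added illustration of "transform, don't detect"; not Forcepoint's
implementation and not a real file format.
"""
import base64
import json
import re
import unicodedata

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAX_IMAGE_BYTES = 1_000_000


def _clean_text(value):
    """Accept only printable text; control characters are not business content."""
    if not isinstance(value, str):
        raise ValueError("text element must be a string")
    value = unicodedata.normalize("NFC", value)
    if any(unicodedata.category(ch).startswith("C") and ch not in "\n\t" for ch in value):
        raise ValueError("control characters rejected")
    return value


def _clean_image(value):
    """Accept only bounded-size base64 PNG data; re-encode from the decoded bytes."""
    raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    if not raw.startswith(PNG_MAGIC) or len(raw) > MAX_IMAGE_BYTES:
        raise ValueError("not a valid PNG payload")
    return base64.b64encode(raw).decode("ascii")


# Allow-list: element type -> (the single field it may carry, its validator).
# Anything the model cannot express (macros, scripts, extra keys) cannot be rebuilt.
SCHEMA = {
    "paragraph": ("text", _clean_text),
    "image": ("png_base64", _clean_image),
}


def disarm(document):
    """Parse into the strict model, then rebuild a fresh document from it.

    Returns (clean_document, report) where report lists what was dropped.
    """
    if not isinstance(document, dict) or not isinstance(document.get("elements"), list):
        raise ValueError("document has no element list")
    model, dropped = [], []
    for element in document["elements"]:
        kind = element.get("type") if isinstance(element, dict) else None
        if kind not in SCHEMA:
            dropped.append(kind or "malformed")
            continue
        field, validate = SCHEMA[kind]
        try:
            model.append((kind, validate(element.get(field))))
        except (ValueError, TypeError):
            dropped.append(kind)  # whole element discarded, never "cleaned in place"
    # Reconstruction: only the two schema fields can ever appear in the output.
    clean = {"version": 1, "elements": [{"type": k, SCHEMA[k][0]: v} for k, v in model]}
    return clean, {"kept": len(model), "dropped": dropped}


# Constructed detection rule, for contrast only: one macro entry-point name.
SIGNATURES = [re.compile(rb"AutoOpen")]


def signature_scan(document):
    """Detection approach: flag the document if any known signature appears."""
    blob = json.dumps(document).encode()
    return any(sig.search(blob) for sig in SIGNATURES)


# Constructed sample: a plant maintenance note with junk mixed in.
SAMPLE = {
    "version": 1,
    "elements": [
        {"type": "paragraph", "text": "Pump P-101 maintenance schedule, Q3."},
        {"type": "image", "png_base64": base64.b64encode(PNG_MAGIC + b"\x00" * 16).decode()},
        {"type": "macro", "code": "Sub Document_Open()  ' constructed; a different entry point"},
        {"type": "paragraph", "text": "Reviewed by shift lead.", "comments": "hidden field"},
        {"type": "paragraph", "text": "Notes\x00hidden"},
        {"type": "image", "png_base64": "data:text/html,<script>alert(1)</script>"},
    ],
}

if __name__ == "__main__":
    clean_doc, report = disarm(SAMPLE)
    print(json.dumps(clean_doc, indent=2))
    print(report, "| signature scan flagged original:", signature_scan(SAMPLE))
```

The signature scan misses the sample because it looks for one specific string, while the rebuild step drops the macro, the hidden field, the control-character paragraph and the non-PNG image without needing to know anything about them; that asymmetry is the point of the CDR approach.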
Fortifying the IT/OT Boundary
Using a combined hardware and software security solution designed to address the above challenges head on is the best way to ensure security at the IT/OT boundary. At an application level, Forcepoint’s Zero Trust CDR ensures files crossing the boundary are always malware-free, fully revisable and safe from zero-day attacks. The use of a High Speed Verifier solves the need to support bi-directional protocols, and enforces separate data flows along with IP breaks to secure the communication channel at a network level. As a further safeguard, each file is verified as safe in hardware logic (something that cannot be remotely compromised or manipulated by an attacker), creating an incredibly small attack surface.
For organisations that are responsible for the critical infrastructure on which we all depend, the IT/OT boundary has long been a potential Achilles heel. At Forcepoint we believe the risk is best mitigated using a combined hardware and software solution that includes both a High Speed Verifier or Data Diode and Zero Trust CDR.
Download the “Securing Critical Infrastructure from Cyberattack” eBook for free.
This post was first published on the Forcepoint website by Joanna Crossley.