
Industry 4.0 blurs the lines between IT and OT
In January of 2016 the World Economic Forum (WEF) published an article proposing that the Fourth Industrial Revolution had begun. The article was authored by Klaus Schwab, who argued that the velocity, scope, and systems impact of modern technological breakthroughs marked the end of the previous revolution and created a distinct new era.
The Fourth Industrial Revolution is also known as Industry 4.0 and 4IR. Schwab identified this as a cyber-physical revolution, marked by “artificial intelligence, robotics, the Internet of Things, autonomous vehicles, 3-D printing, nanotechnology, biotechnology, materials science, energy storage, and quantum computing.” Put simply, Industry 4.0 refers to the convergence of traditional manufacturing with AI-powered technologies, and a reduced dependency on human intervention.
Industry 4.0 presents new opportunities for the different types of manufacturers that embrace these new processes and tools. Like all digital transformation, it also brings new security challenges. The foundation of one of the largest challenges is the distinction between information technology (IT) and operational technology (OT).
IT vs. OT — why the differences matter
The distinction itself seems simple enough. IT is commonly understood to be the computing systems used by humans to run the business, and OT is used to monitor and control other machines. These OT devices are usually found in production lines, power plants, and other industrial settings. In most cases, OT devices cannot be separated from production. The primary objective of IT is managing data; the primary objective of OT is ensuring uninterrupted production.
Beyond these primary objectives are several other conceptual areas where the distinction between IT and OT is especially important:
Approach to time: IT applications like file, print, messaging, application, and data management processes can typically tolerate some level of latency. Real-time responses are not critical for most business applications. On the OT side, responses need to be real-time or very close to real-time. These devices send alerts and commands that must be received within the allowable time for the application. While no one wants slow IT networks, a 20-second delay in an application does not normally stop production.
Interoperability: IT systems are designed to be flexible, promoting interoperability with various devices and systems. It wouldn’t be possible to deploy a WAN or a SASE platform, or even use the modern internet in the absence of this flexibility. OT systems are usually custom-built for specific tasks. They use proprietary software and hardware, and they are generally not (natively) connectable to other systems.
Security implications: IT security strategies are designed to protect company data, prevent network intrusion, and protect business applications. OT security strategies are meant to ensure physical safety and process continuity of production or industrial environments. The data generated by OT is not meaningless, but the primary security objective is usually to prevent equipment damage and disruption.
IT is an OT threat vector
Industry 4.0 is blurring the lines between IT and OT domains. IT/OT convergence provides administrators with real-time access into their environments and the ability to manage updates and preventative maintenance. When done properly this can help control costs and boost production in manufacturing and industrial environments.
When these systems converge without proper security, IT becomes a threat vector to OT. When OT systems are exposed to the web they may be targeted with automated attacks and advanced threats. When they are exposed to the IT network, any network compromise can pose a threat to production. This is especially true when there are unpatched systems on the IT network.
2009-2010 Stuxnet attack
The first high-profile example of this is the Stuxnet attack on Iran’s Natanz nuclear research site. The facility had multiple programmable logic controllers (PLCs) in place to control uranium centrifuges. These PLCs were not connected to the internet, but they were connected to an IT network where Siemens PLC management software was installed on Windows PCs.
The Stuxnet worm was developed specifically for this environment. When the worm was ready, one Stuxnet threat actor carried it into the facility and installed it on a Windows PC using a USB stick. The worm spread through the IT network looking for the Siemens software. Stealth was an important part of this operation, so the worm did nothing if it didn’t find the targeted software. If it did find the software, it would then attack the PLCs directly by increasing the speed of the centrifuges until they self-destructed. Facility operators didn’t realize there was a problem until June 2010, after thousands of centrifuges had been destroyed.
Stuxnet worked because it exploited four Windows zero-day vulnerabilities, a zero-day flaw in the Siemens PLCs, and an older Windows vulnerability that was used by Conficker. An absolute embarrassment of riches for the attackers.
Assume both IT and OT are under attack
The Stuxnet attack demonstrates multiple levels of failure, and some lessons on OT security remain unlearned. An OT system administrator cannot install a patch that isn’t available, but an IT system administrator has no excuse. Both IT and OT administrators must assume that their systems are under constant attack, and if one is compromised, then both are compromised.
The 2021 Colonial Pipeline ransomware attack did not directly hit OT systems, but the industrial pipeline systems were taken offline for several days. The company shut down pipeline operations to protect that infrastructure from the malware that had infected the IT system. This proactive measure by the company in turn affected delivery to nearly half of all pipeline operators. The United States declared a state of emergency, as did 17 individual states and the District of Columbia. The White House mounted an all-of-government response. All of this stemmed from a single compromised set of credentials for one VPN connection to the IT network.
Protect your company with Zero Trust
Zero Trust Network Access (ZTNA) is a security framework that assumes that no device, user, or network is inherently trustworthy. A Zero Trust deployment emphasizes continuous verification that provides or denies access to users and devices individually, regardless of their location or network. Industrial controls and OT devices benefit from ZTNA in several ways:
Granular access control: The least privilege approach of ZTNA ensures that individual users can access only the resources necessary to perform their assigned and authorized tasks. Access control is based on a variety of factors, such as user identity, device security posture, location, and other contextual information configured by the administrator.
Least privilege access: Zero Trust Access is built on the principle of least privilege, which means that it is meant to provide users with only the minimum necessary access rights to perform their tasks. This is a long-standing best practice in network security. When companies deploy least privilege access, network users can only access the specific resources relevant to their work. Zero Trust effectively creates a personalized network for each user, based on what they each need to do their assigned work.
Software-defined perimeters (SDPs): Software-defined perimeters (SDPs) dynamically create isolated network connections between users and resources. These are direct connections only between authorized users and devices and the specific resources they are allowed to access. This hides network resources from unauthorized users and introduces dynamic microsegmentation at the network level.
Dynamic policy enforcement: Zero Trust deployments can adapt and enforce security policies based on factors such as user behavior, threat intelligence, or network conditions. This is a result of the ongoing verification process that authenticates each request to the network. When a potential threat is discovered, Zero Trust can respond in real-time and restrict users, devices, and other assets as configured.
Microsegmentation: Dividing a network into smaller, isolated zones is a common practice in IT and mission-critical OT environments. Because segmentation restricts lateral movement through the network, the impact of intrusions and malware attacks is limited to the compromised zone. The features of ZTNA enable and support IT and OT segmentation. As mentioned above, Zero Trust Access creates network boundaries based on the user’s level of access. Dynamic policy enforcement creates new boundaries in real-time if certain policy conditions are met.
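The five Zero Trust properties above (granular access control, least privilege, software-defined perimeters, dynamic policy enforcement, and microsegmentation) are easier to reason about as a single per-request decision. The following is an added example written for this article, not Barracuda product code or any real ZTNA API. It models a small IT/OT estate with three microsegments (an IT corporate zone, an OT DMZ, and an OT control zone) and evaluates every access request against identity, MFA, device posture, location, and live incident-response signals. All users, devices, resources, and policy values are constructed for illustration.

```python
"""Added example: a minimal Zero Trust policy evaluator for a converged IT/OT network.

Illustrative code for this article only; it is not a Barracuda product API.
Every user, device, zone, and policy value below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in the company's device management
    patched: bool        # endpoint reports it is current on patches
    edr_healthy: bool    # endpoint protection agent is running and reporting


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    mfa: bool            # this session was MFA-authenticated
    location: str        # "plant", "office" or "remote"


@dataclass(frozen=True)
class Resource:
    name: str
    zone: str                          # microsegment the resource lives in
    allowed_roles: frozenset[str]      # least privilege: explicit grants only
    allowed_locations: frozenset[str]  # contextual constraint per resource


@dataclass
class ThreatState:
    """Dynamic signals (threat intel, IR actions) that tighten policy in real time."""
    compromised_devices: set[str] = field(default_factory=set)
    lockdown_zones: set[str] = field(default_factory=set)


def evaluate(user: User, device: Device, resource: Resource,
             threats: ThreatState) -> tuple[bool, str]:
    """Return (allowed, reason). Every request is verified; nothing is trusted by default."""
    # Dynamic policy enforcement: incident-response flags override all other grants.
    if device.device_id in threats.compromised_devices:
        return False, "device flagged as compromised"
    if resource.zone in threats.lockdown_zones:
        return False, f"zone {resource.zone} is in lockdown"
    # Device posture: an unmanaged, unpatched or unprotected endpoint never reaches OT.
    if not (device.managed and device.patched and device.edr_healthy):
        return False, "device posture check failed"
    # Identity: a stolen password alone is not enough; the session must be MFA-bound.
    if not user.mfa:
        return False, "MFA required"
    # Least privilege: the role must be explicitly granted on this resource.
    if user.role not in resource.allowed_roles:
        return False, f"role {user.role} not authorized for {resource.name}"
    # Context: location constraint configured per resource.
    if user.location not in resource.allowed_locations:
        return False, f"location {user.location} not permitted for {resource.name}"
    return True, "allowed"


def visible_resources(user: User, device: Device, resources: list[Resource],
                      threats: ThreatState) -> list[str]:
    """Software-defined perimeter view: a principal only sees what it may reach."""
    return [r.name for r in resources if evaluate(user, device, r, threats)[0]]


# Constructed microsegments and resources.
PLC_MGMT = Resource("plc-mgmt-console", "ot-control",
                    frozenset({"ot-engineer"}), frozenset({"plant"}))
FILE_SERVER = Resource("file-server", "it-corp",
                       frozenset({"ot-engineer", "analyst", "office-user"}),
                       frozenset({"plant", "office", "remote"}))
HISTORIAN = Resource("historian-read", "ot-dmz",
                     frozenset({"ot-engineer", "analyst"}), frozenset({"plant", "office"}))
RESOURCES = [PLC_MGMT, FILE_SERVER, HISTORIAN]

# Constructed principals.
ENGINEER = User("alice", "ot-engineer", mfa=True, location="plant")
ANALYST = User("bob", "analyst", mfa=True, location="office")
PLANT_WS = Device("ws-plant-01", managed=True, patched=True, edr_healthy=True)
BYOD_LAPTOP = Device("laptop-byod", managed=False, patched=True, edr_healthy=False)


def scenario() -> dict[str, list[str]]:
    """Show how the same user's reach shrinks as posture and threat signals change."""
    calm = ThreatState()
    incident = ThreatState(compromised_devices={"ws-plant-01"})
    lockdown = ThreatState(lockdown_zones={"ot-control"})
    return {
        "engineer, healthy workstation": visible_resources(ENGINEER, PLANT_WS, RESOURCES, calm),
        "engineer, unmanaged laptop": visible_resources(ENGINEER, BYOD_LAPTOP, RESOURCES, calm),
        "analyst, healthy workstation": visible_resources(ANALYST, PLANT_WS, RESOURCES, calm),
        "engineer, workstation flagged": visible_resources(ENGINEER, PLANT_WS, RESOURCES, incident),
        "engineer, OT zone locked down": visible_resources(ENGINEER, PLANT_WS, RESOURCES, lockdown),
    }


if __name__ == "__main__":
    for label, names in scenario().items():
        print(f"{label}: {names}")
```

The order of checks is deliberate: incident-response signals are evaluated first so that flagging one workstation or locking down the OT control zone takes effect on the very next request, without touching any role grant. The posture check sits before identity, which is the property that matters for the IT-as-threat-vector problem above: even a fully authorized engineer reaches nothing in OT from an unmanaged or unpatched endpoint, and a compromised credential without an MFA-bound session is refused before any resource is considered.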
Barracuda industrial security solutions
Compared to a traditional perimeter-based approach, the industrial attack surface is reduced significantly with a Zero Trust deployment. A full SASE deployment will secure the network further by adding secure internet access (SIA) and other network protection.
Barracuda secures users, devices, networks, and applications. Our Zero Trust Access and Barracuda SecureEdge solutions protect both the IT and OT domains and help you take advantage of the best that Industry 4.0 has to offer. Visit our industrial security page to get a free trial of our solutions in your own environment.