The Difference Between IT and OT, and How They Are Converging


Every system is susceptible to failure or manipulation, and that is why all technology in the enterprise must be carefully secured. Depending on the type of technology, however, different approaches to security are required: guarding a computer with guns will not prevent it from being hacked. Likewise, anti-virus software will not protect a car.

At least, that’s how things used to be. More recently, the kinds of technology that support industry, business and personal productivity have started to converge on the level of software and networking, and security requirements are changing in response.

For instance: historically, the field of cybersecurity has applied exclusively to information technology (IT). Now, it increasingly applies to operational technology (OT) as well. So what is the difference between IT and OT, and how are they converging? In this article, we will explore that question.

What is IT?

IT stands for “information technology,” and the keyword here is “information”. According to Gartner, IT is:

“The entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services.”

In the history of business, IT is very recent: prior to the existence of computers, it did not exist. Since then – and especially with the advent of the Internet – IT has increasingly become inseparable from business processes including decision-making and strategy, collaboration, sales and customer service.

Here are examples of the IT that an organization relies on every day:

  • Local and wide area networks
  • Data centers and data processing, including the cloud
  • Sales management software
  • Project management
  • Email and calendar

As time goes on, IT absorbs or consolidates more and more business functions, and today the majority of technology within an organization falls into the category of IT. But there are some exceptions, and OT is one of them.

What is OT?

OT stands for “operational technology,” and – as the name implies – it supports the operation of other systems. According to Gartner, OT is:

“Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”

This technology is critical in industrial applications that involve the use of heavy machinery, physical processes and fleets. Examples include:

  • Manufacturing
  • Transportation services
  • Public infrastructure
  • Energy production, transmission and distribution
  • Ventilation and heating

From a purely technological standpoint, the major difference between IT and OT is one of information scope. According to Gartner, “IT does not include embedded technologies that do not generate data for enterprise use,” while OT does. That distinction, however, is beginning to disappear.

The OT/IT Convergence

While the term OT was invented relatively recently, what it refers to predates IT by many decades. Prior to the existence of microprocessors and programming environments, factories, utilities and production facilities still required technology to control operations.

Since the invention of IT, most OT assets have depended on Programmable Logic Controllers (PLCs) that use proprietary code and lack any networking protocols to connect or communicate with other devices.

Today, this physical isolation is quickly vanishing with the introduction of Remote Terminal Units (RTUs), Human Machine Interfaces (HMIs) and wide area Supervisory Control and Data Acquisition (SCADA) systems.

Gartner predicts that by 2020, 50% of OT providers will collaborate with IT leaders to provide IoT services that bring network connectivity into the OT environment. While these developments bring many advantages, they also bring added risk.

Pros and Cons

On one hand, the IT/OT convergence is bringing capabilities to organizations which they did not have before, driving more efficient processes and lower costs in many ways:

  • Enables real-time/edge data processing and analysis
  • Permits systems to be supervised, managed and adjusted off-premise
  • Allows fast software updates that fix problems quickly

On the other hand, OT is now exposed to network access, becoming vulnerable to the same issues that have plagued IT for years, leading to data breaches, espionage and hijacking. Moreover, compromised OT allows attackers to cause significant damage.

With so much of our national infrastructure at risk, locking down OT should be an immediate priority for any organization. Fortunately, solutions exist, though they are not widely talked about.

The Need for Cybersecurity

In recent years, attention has been drawn to cybersecurity in many contexts as data breaches and cyberattacks achieve wide publicity, but OT remains dramatically underemphasized. A study conducted this year shows that 90% of OT organizations have fallen victim to a cyberattack within the last 24 months.

As OT and IT converge, the right approach to security mainly differs in emphasis: the fundamentals are the same. Strong authentication, encrypted network connections, persistent monitoring and audits, penetration and vulnerability testing are all tools that can keep OT systems safe.

The key for securing OT is to design and implement a series of cascading controls that use network security, operating system security, application and device security to ensure that no single weakness can allow a critical compromise. To protect your investment and keep your customers safe, choose a partner who can do it all.


Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and OT critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on securing your IT and OT environments.

NIST 800-53 Rev. 5: What it Is, and Why You Should Care


Later this year, the National Institute of Standards and Technology (NIST) will release revision #5 to Special Publication SP 800-53 Security and Privacy Controls for Information Systems and Organizations, a key framework documenting recommended security controls for federal information systems. Soon, government agencies, contractors and FedRAMP certified vendors will be rushing to update their systems before the guidelines go into effect.

As the de facto standard for compliance with the Federal Information Security Management Act (FISMA), SP 800-53 directly applies to any federal organization (aside from national security agencies), and indirectly to non-federal organizations via SP 800-171. In this article, we’ll summarize the contents and newest revisions.

Establishing Security Controls

To maintain security, any IT system must observe basic security controls to prevent threat incidents and establish proper responses. On an ongoing basis, NIST compiles and documents controls recommended to it by research groups including the Information Technology Laboratory (ITL).

The most recent edition (Rev. 4) of SP 800-53 includes 212 controls distributed across 18 control families designated by acronyms, such as “AC” for “Access Control,” “IR” for “Incident Response” and “CM” for “Configuration Management”. Controls are ranked according to three (3) tiers of impact ranging from “low” to “moderate” to “high,” and fall into three types:

  • Common – used throughout an organization
  • Custom – specific to an application or device
  • Hybrid – standard control customized by an organization

SP 800-53 is very useful as reference material for designing security plans, and its controls are used as a basis for other special publications/regulations. However, to actually protect an organization it must be implemented according to a Risk Management Framework (RMF).

The NIST RMF

SP 800-53 contains outlines for a standardized Risk Management Framework. For this purpose, it is commonly used in conjunction with SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A System Life Cycle Approach for Security and Privacy, which details the formal certification and accreditation process.

The NIST RMF guides organizations through a comprehensive risk management and response plan in six (6) stages:

  1. Categorize – determine the category of information systems based on type of information processed and threat impact
  2. Select – select baseline security controls to mitigate risk
  3. Implement – implement and describe how the security controls have been deployed
  4. Assess – assess performance, correct implementation, and outcome of the security controls
  5. Authorize – authorize operation of the system based on its overall risk to an organization, its assets, mission, and personnel
  6. Monitor – monitor security controls on a regular basis and record performance, reporting concerns to appropriate organizational officials when necessary

Due to its methodological rigor, the NIST RMF gives organizations a high degree of precision in determining risk, mitigating threats, and maintaining accountability before regulatory bodies.

Who Does SP 800-53 Apply To?

SP 800-53 directly applies only to federal agencies. However, the publication is used as the basis for many other programs and should be referred to by anyone to whom they apply. This includes:

  • FedRAMP – Cloud Service Providers (CSPs) authorized under a FedRAMP program are required to use SP 800-53 controls to secure their services and facilities
  • FISMA – since SP 800-53 is used as the basis for FISMA, state agencies and any contractors partnered with the federal government will also have to comply
  • Defense Federal Acquisition Regulations (DFARS) – while SP 800-171 initially imported security controls from SP 800-53, the controls have since been adjusted to better protect controlled unclassified information (CUI) specifically. Nevertheless, SP 800-53 is recommended as a useful reference for non-federal businesses required to comply with DFARS, and is increasingly being used as a reference for non-Federal security programs, such as to form a baseline for protection of Industrial Control Systems (ICS) in some industries.

In general, it is safe to assume that as an organization conducting any business with the U.S. government, SP 800-53 or some portion of it will apply to information systems used during the contract.

Changes in Revision 5

Because SP 800-53 applies to all U.S. agencies and government partners, it goes without saying that compliance is mandatory, and systems should be updated to reflect new revisions as soon as they are released.

Revision 5, to be released later this year, brings with it a new emphasis on privacy, expanded security controls and changes to control categories:

  • Outcome-based (as opposed to impact-based) controls
  • New emphasis on privacy: integration of privacy controls with security controls, and better integration with cybersecurity/risk management
  • Separation of control selection from actual controls
  • New controls based on threat intelligence

Revision 5 will go into effect in 2020, a year from the date of its official release. In the meantime, preparing to comply will help your organization to be ready. To learn more about the latest version of SP 800-53, view the draft on NIST’s website.


Securicon Can Help

To become NIST 800-53 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

How Real Hackers Think, and Why it Matters


In 2019, hackers are experiencing what sea-pirates experienced in the 17th century: a golden age. And just like the British Navy used privateers to keep pirates at bay, modern businesses must use the tools and methods of hackers to prevent successful attacks.

For the past few years, data breach occurrence has steadily climbed. The average cost of a cyberattack has hit $1.7 million, and by 2021, annual cybercrime damages will reach $6 trillion – exactly when the world will have 3.5 million unfilled cybersecurity positions.

Vulnerability assessments and penetration tests are a proven line of defense against hackers as they can show where points of attack and unauthorized entry exist. But these methods are only successful with a professional touch: in order to beat hackers at their own game, an organization must be able to think like them. In this article, we’ll explain what that means.

Two Types of Attacks

The media continues to depict hackers as socially isolated trolls. But if this stereotype was ever accurate, it no longer reflects reality: hackers around the world come in many stripes, from lone professionals to organized crime groups and even governmental or military organizations.

For organizations, there are two major categories of motivation that define the attacks they can encounter.

Attacks for Effect

Some hackers aim to cause as much destruction as possible. This group may comprise amateurs who wish to gain the respect of other hackers or disgruntled current or former employees with a personal vendetta. But also included in this group may be hacktivist groups or politically motivated attackers whose intent is to send a message – either to the site owner or to the public. The product of their attack is to make the site a very visible billboard for their favorite cause.

But the biggest threat to organizations today comes from the second class of attacks.

Attacks for Gain

Criminals undertake hacking for reasons ranging from data theft to political terrorism to monetary gain. Far from being trolls, hackers in this class of attacks are organized, professional, well resourced, and persistent. They thrive on invisibility and may evade detection for a long time while doing their work – a persistent threat.

Since hackers in this class are the most dangerous to an organization, understanding their modus operandi is crucial to avoiding them.

How a Hacker Thinks

1. Strategic

Prior to an attack, hackers may spend months preparing, gathering reconnaissance and strategizing how to execute. During this time, they will search for points of entry by mapping an organization’s network and IT assets, its structure and procedures.

Tactics used may include:

  • Footprinting
  • Social engineering
  • Accessing public records
  • Port scanning and probing

Even with high levels of security control, hackers may dupe employees or administrators into divulging critical information via phishing and social engineering. Training and compliance at all levels of an organization are therefore crucial portions of a security strategy.

2. Opportunistic

During the preparation phase, hackers search for anything that can grant them unauthorized access to a system. This means that any exploits may be used, no matter how obscure – and in fact, obscure vulnerabilities may be preferred.

Organizations have many levels of IT infrastructure that may provide a gateway for deeper penetration. So-called “non-critical” systems like internal email should not be neglected when it comes to documentation and testing. At the same time, during a vulnerability assessment or pentest, systems should be prioritized to reflect the likeliest starting point for a real-world hacker.

3. Stealthy

While trolls are interested in visibility, criminals are not. Professional hackers use a variety of techniques to keep their activities hidden from administrators and lurk within a system for years at a time:

  • Enter discreetly – hackers know that obvious entrances are carefully guarded and seek out less obvious points of entry to begin an attack. Additionally, 90% of hackers use encryption to disguise their origin.
  • Persistent access – once they are inside of a system, hackers quickly try to establish a backdoor for persistent access. This way, they will always be able to return, even if the vulnerability by which they gained access is patched.
  • Move laterally – by re-entering over time, hackers advance slowly from point A to point B. This allows a careful and methodical progression from small vulnerabilities to much larger ones.

In order to keep systems secure, it’s not enough to guard the front entrance: organizations must continually scan and monitor activities on their network to detect signs of suspicious activity.

4. Goal-oriented

It should be clear by now that real-world hacking is a difficult process that requires preparation and commitment to a long-term strategy. Every hacker therefore pursues some concrete objective, such as:

  • Political sabotage – an organization may be attacked either because it is involved in political activities, because it serves the government, or its products and services are critical to a nation’s political process. In this case, hackers may aim to obstruct its daily operations by targeting mission-critical systems.
  • Data theft – today, almost any organization has a wealth of information about its customers and clients. This data can be exploited for many purposes and – wherever it is stored – attacks should be anticipated.
  • Monetary gain – hackers rarely steal money directly from their victims. But companies possess many assets which can be used for profit, including intellectual property and trade secrets.

Concerted attacks, like any other business risk, are difficult to predict, but they are not difficult to anticipate. Although cyberattacks are inevitable, they should never be viewed as inexplicable or mysterious. To protect itself, an organization should identify and monitor its most valuable assets.

5. Deceptive

Hackers will use deception in the earliest stages of their campaigns. During reconnaissance, they often trick employees into forwarding “important information” to their colleagues, which is – in reality – a phishing attack.

When they actually begin their work, hackers will, moreover, use false flags to misdirect system admins and anyone else who may be watching. This includes targeting systems they do not really care about and using exploits that are not crucial to their end-games.

Experience vs. Automation

To enforce real security, companies require experts who know how to think like hackers. Throughout the industry, however, those who claim to do so are frequently misguided. Most pentests, for instance, are left to automated software, leaving clients vulnerable to attacks that software can’t anticipate.

Securicon is made up of infosec veterans who have played red-team against government agencies in real-world hacking scenarios and formulated unique toolkits that money cannot buy. Our scans and assessments reflect this experience and uncover the only vulnerabilities that matter: those our clients are unaware of.

Most hackers will not work for anyone except themselves. But Securicon’s team shares the knowledge and experience of professional hackers, while aiming to protect – rather than harm – the companies they target. In the long term, we believe there is no better way to enforce security, and anything else is a compromise.

How Regular Risk Assessment Prevents and Stabilizes Threats


Data breaches, foreign hackers and corporate espionage: today, it seems that phrases like these are on the tips of every tongue, and not without good reason. As digital literacy, Internet access and affordable technology scale with global penetration, the knowledge and skill of attackers is increasing as well. Organizations both public and private are right to be concerned about these risks.

At the same time, “risk” is a broad domain, and while it might seem that we are facing more of them today than ever before, it remains true that the greatest risks to an organization originate from the inside. From mundane eventualities like power surges, to human error or malicious sabotage, any and every vulnerability within an organization constitutes a “risk”.

While individually a single risk may not amount to much, collectively risks represent a danger that can seriously obstruct – if not destroy – an organization and its mission. But with so many to worry about, how can they be anticipated and successfully prevented?

How to Define Risk

“Risk” is a measure of the likelihood that a vulnerability in a system or asset will be exploited, leading to adverse effects, combined with the probable impact of those effects. Impact may be measured in financial loss, operational obstruction or human capital.

The existence of vulnerabilities in any given system or asset can be taken for granted. All technology is flawed in some way, or risk would not exist. While most vulnerabilities are benign, obscure or inert, some are always serious enough to be targeted by threats.

Today, companies face many threats from the outside, including attackers, malware, foreign governments and APT groups. But they face many more from the inside, from malicious employees, to deprecated equipment, human error, poor coding and mishandling of data.

Fortunately, there are many methods to prevent threats from succeeding, and respond when they do. But organizations focused on prevention or remediation cannot skip the discovery process. Before risks can be dealt with, they must first be identified, measured and assessed.

The Role of Risk Assessment

A risk assessment is the controlled, systematic identification and documentation of existing risks, their likelihood of occurrence and their probable impact. A professional risk assessment will follow careful methodology to ensure that nothing is overlooked, and that remediation is prioritized according to severity.

The purpose of a risk assessment is not merely to prevent risks from occurring, but also to establish a suitable response that will mitigate damages if they do occur. Risk assessments therefore inform organizational policies, providing an objective, quantifiable basis for regulation and best practice.

IT infrastructure and assets change with time as old equipment is discarded, new equipment is acquired, and configuration changes are made on a regular basis. Moreover, the availability of knowledgeable and skilled personnel may change with new hires, transfers or retirement.

For these reasons and many others, risk assessment should be repeated on a regular basis as part of an organization’s overall security and auditing cycle. What held true yesterday will not necessarily hold true tomorrow.

The NIST Framework

The National Institute of Standards and Technology (NIST) publishes a risk management framework for federal agencies, partners and contractors, and maintains the Framework for Improving Critical Infrastructure Cybersecurity (SP 800-30).

NIST’s guidelines for conducting a risk assessment establish six broad steps:

  1. Identify threat sources
  2. Identify threat events
  3. Identify vulnerabilities
  4. Determine the likelihood of exploitation
  5. Determine probable impact
  6. Calculate risk as a combination of likelihood and impact
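The six steps above, carried through on a small risk register, as an added illustration that is not code from the article or from NIST. Each register entry pairs a threat source with a threat event and the vulnerability it would exploit (steps 1 to 3); likelihood and impact are rated on a constructed 1 to 5 scale (steps 4 and 5); step 6 combines them into a score and a qualitative level, and the register is ordered so that remediation is prioritized by severity, as the article describes. The rating scale, the level bands and the sample entries are all constructed for this example, not taken from any standard.

```python
"""Worked example of a six-step risk assessment on a small register.

Added illustration; the 1..5 scales, the product-based combination, the
level bands and the sample findings are constructed for the example and
would come from the organization's own risk policy in practice.
"""
from dataclasses import dataclass, asdict
from typing import List


@dataclass
class RiskEntry:
    """One row of the register: steps 1-3 identify, steps 4-5 rate."""
    threat_source: str
    threat_event: str
    vulnerability: str
    likelihood: int   # 1 (very unlikely) .. 5 (almost certain) - constructed scale
    impact: int       # 1 (negligible) .. 5 (severe) - constructed scale


def risk_score(likelihood: int, impact: int) -> int:
    """Step 6: combine likelihood and impact into a single 1..25 score.

    The product of the two ratings is used because it is transparent and
    monotonic in both inputs; any agreed combination rule would do.
    """
    for rating in (likelihood, impact):
        if not 1 <= rating <= 5:
            raise ValueError(f"rating {rating} is outside the 1..5 scale")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a 1..25 score onto five qualitative levels (constructed bands)."""
    if score >= 20:
        return "very high"
    if score >= 12:
        return "high"
    if score >= 6:
        return "moderate"
    if score >= 3:
        return "low"
    return "very low"


def assess(register: List[RiskEntry]) -> List[dict]:
    """Score every entry and return the register ordered highest risk first.

    Ties on score are broken by impact, then by event name, so the output
    is a stable remediation priority list.
    """
    rows = []
    for entry in register:
        score = risk_score(entry.likelihood, entry.impact)
        rows.append({**asdict(entry), "score": score, "level": risk_level(score)})
    rows.sort(key=lambda r: (-r["score"], -r["impact"], r["threat_event"]))
    return rows


# Constructed sample register (not real findings). It mixes outside and
# inside risks, reflecting the article's point that both must be assessed.
SAMPLE_REGISTER = [
    RiskEntry("external attacker", "phishing leads to credential theft",
              "no multi-factor authentication on email", likelihood=4, impact=4),
    RiskEntry("environment", "power surge destroys a server",
              "no surge protection in the server room", likelihood=2, impact=4),
    RiskEntry("insider", "employee exfiltrates customer data",
              "broad read access to the customer database", likelihood=3, impact=5),
    RiskEntry("human error", "misconfiguration exposes a storage bucket",
              "no change review for cloud configuration", likelihood=3, impact=3),
    RiskEntry("external attacker", "scan finds an unpatched web server",
              "deprecated equipment no longer receiving patches", likelihood=4, impact=2),
]


def highest_priority(register: List[RiskEntry] = SAMPLE_REGISTER) -> str:
    """The threat event that should be remediated first."""
    return assess(register)[0]["threat_event"]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["score"]:>2}  {row["level"]:<9} {row["threat_event"]} '
              f'({row["vulnerability"]})')
```

Because the register is plain data, re-running `assess` after equipment, staffing or configuration changes gives the repeatable assessment the article calls for; only the ratings need revisiting, not the method.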

Other standards bodies follow NIST’s framework closely in their own publications, making it a de facto industry standard for conducting regular, thorough risk assessments as part of an overall risk management program.

Simplified, Productive Assessments

Risk is inevitable. It is a consequence of using technology and systems built by people in a world populated by people, some of them good, some bad, and none perfect. But being caught off guard is not inevitable. And when a breach, attack or system failure hits, those who are prepared will suffer the least and recover fastest.

Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our Risk Assessment framework.