Threat Analysis: A Secure and Effective Solution for Operational Technology in Industrial IoT That Cannot Accommodate IT-Style Patching

Morgan Phisher March 1, 2024

Hey there, fellow San Franciscans! Today, we’ll talk about the Industrial Internet of Things, or IIoT, as it’s commonly known. As you know, it’s a major topic in business and industry right now, and for good reason. Before we dive into the details of IIoT, we need to clarify that we are talking about the industrial internet of things, not your regular internet of things.

Now, if you’re like most people I talk to, you’ve got questions about who should handle IIoT security, and well, that’s where the tension begins. Is it the responsibility of the IT guys, or should the OT (Operational Technology) and LOB (Line of Business) professionals handle it? This divide creates confusion and an unsettling uncertainty, which can actually put the security of your company at increased risk! In fact, recent reports say that almost 60% of companies are tolerating some level of risk when it comes to this security split. That’s very concerning!

Why does this divide even exist? Well, for starters, IT and OT perceive threats and handle problems very differently. To give a couple of examples, in terms of downtime, IT techies are okay with 1% downtime a year, which means about 8.76 hours of annual downtime. In the world of OT, downtime needs to be 0.001%, or just about 5.25 minutes per year. That’s less downtime than the duration of a sitcom episode!

Similarly, IT folks refresh systems every 3-5 years, while OT systems tend to last for a solid 10-15 years. These guys can’t afford to shut everything down every time a system needs updating, as it would interrupt strategic, revenue-generating operations. This is where “threat analysis” comes in. In the world of IIoT, patching isn’t just about preventing problems – it’s a balance of preventing problems and keeping operations running smoothly.

Before you ask, yes, threat analysis can sound pretty complicated. The old stop-and-go approach to system security just doesn’t cut it with IIoT. That means the IT habit of quickly shutting systems down to patch or replace them does not apply here; in the OT world, the mantra is to keep it up and running, no matter what the cost!

So why do we need threat analysis? Picture this: your company runs hundreds of devices. These devices have been going for 15, 20, even 25 years and are incredibly complex. When these machines are shut down, advancements in technology could mean they don’t come back the same. This unpredictability – not knowing if a two-decade-old device will work the same once it’s patched or come back like a rogue robot – is not an option.

Suddenly derailing normal operation because a new patch needs to be installed doesn’t sit well with OT. We need to think about how to secure IIoT systems without putting uptime and predictable behavior at risk. And this is where good ol’ “threat analysis” cuts in with its groovy moves.

Okay, let’s get serious again. Threat analysis is basically the IT equivalent of putting a system or vulnerability under the microscope. Instead of rushing into patching a system, or alternatively, ignoring the issue because patching isn’t feasible, we first step back and study it. We validate whether the vulnerability actually exists, and if it does, we work out how it could be exploited and take appropriate measures.
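Here is what that validate, analyze, act sequence can look like as a repeatable decision, measured against the 0.001% OT downtime figure from earlier. This is an added example, not code from the original post; the `Finding` fields, zone names and action labels are hypothetical, and the sample findings are constructed.

```python
from dataclasses import dataclass

MINUTES_PER_YEAR = 365 * 24 * 60
# The post's OT availability target: 0.001% downtime per year (about 5.26 minutes).
OT_BUDGET_MIN = MINUTES_PER_YEAR * 0.001 / 100

@dataclass
class Finding:                      # hypothetical record, one per asset/advisory pair
    asset: str
    installed_version: str
    affected_versions: frozenset    # versions listed in the advisory
    service_enabled: bool           # is the vulnerable feature actually turned on?
    reachable_from: frozenset       # zones that can reach it: "internet", "it", "ot_cell"
    patch_downtime_min: float       # outage the vendor patch requires
    downtime_used_min: float = 0.0  # downtime already spent on this asset this year

def triage(f: Finding) -> tuple:
    """Return (action, rationale) for one finding."""
    # Step 1: validate that the vulnerability really exists on this device.
    if f.installed_version not in f.affected_versions or not f.service_enabled:
        return ("not_applicable", "keep the evidence; re-check after any config change")
    # Step 2: work out how it could be exploited (who can reach the weak spot).
    exposed = bool(f.reachable_from & {"internet", "it"})
    # Step 3: pick a measure that respects the downtime budget.
    if f.downtime_used_min + f.patch_downtime_min <= OT_BUDGET_MIN:
        return ("patch_in_window", "outage fits this year's downtime budget")
    if exposed:
        return ("compensating_controls",
                "restrict access to the OT cell and monitor; patch at next planned outage")
    return ("monitor", "only reachable inside its cell; patch at next planned outage")

# Constructed sample findings (not real devices or advisories).
SAMPLES = [
    Finding("plc-07", "2.1", frozenset({"1.0", "1.1"}), True, frozenset({"ot_cell"}), 30),
    Finding("hmi-02", "4.3", frozenset({"4.2", "4.3"}), True, frozenset({"it", "ot_cell"}), 45),
    Finding("gw-11", "1.8", frozenset({"1.8"}), True, frozenset({"ot_cell"}), 3, 1.0),
    Finding("drive-05", "3.0", frozenset({"3.0"}), True, frozenset({"ot_cell"}), 30),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.asset, *triage(s))
```
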

Remember, we’re essentially trying to strike a balance between robust security and minimum OT downtime. This process demands careful consideration, adding another layer of complexity to the mix. But hey, aren’t challenges what we live for in this industry?

For now, this process may still be time-consuming and costly, and it requires skilled professionals. However, with more and more companies realizing the necessity and importance of a universal, organized approach to IIoT security, the hope is that soon we can automate this process.

The takeaway here? What worked for IT doesn’t necessarily work for OT, especially in the case of IIoT security. The future lies in creating robust, effective processes that make patching (or not patching) decisions more calculated and less of a guessing game. Just because it sounds hard now doesn’t mean it always will be. It’s just about rolling up our sleeves and joining hands to ensure that we make it happen!

Let’s buckle up and start working towards this goal together, shall we?

by Morgan Phisher | HEAL Security