By Ludovic F. Rembert, Head of Research at Privacy Canada.
The sheer volume of damage caused by widespread security threats can bring large and small organizations alike to a standstill while also causing severe reputational damage. However, this issue is further exacerbated by the fact that these digital threats can now permeate IoT on an industrial scale, compromising the operational capabilities of businesses.
As more companies converge their operational technology (OT) and information technology (IT) capabilities, it’s time to rethink the way they secure their systems to create an overarching strategy that encompasses it all.
In June of 2020, the automotive giant Honda was hit with a devastating malware attack that completely halted its global operations. The particular ransomware demonstrated a dangerous ability to spread from IT to OT networks rapidly, which is a threat for all converged networks.
With operational technology (OT) forming the core of modern-day organizations, it has become a high-value target for cybercriminals. This begs the question: what can organizations do to safeguard their converged networks?
In this article, we will be answering that question along with advice on how to sync the two environments into one security domain, which requires building bridges across technologies, system architectures, and cultures.
IT And OT Convergence – What Does It Mean For Businesses?
IT and OT convergence means integrating systems that process physical events with the back-end software conveying information. Here are two ways to combine hardware and software environments into one security domain:
Develop a security culture In your organization
While cybersecurity awareness and training have gained precedence, human beings still remain the easiest target for cyber-attackers. This makes your employees and guests arguably the weakest link in the cybersecurity chain.
According to recent research, employees who handle large-scale data often have trouble identifying phishing emails, with 85% of organizations sustaining phishing attacks at least once over the last year. These numbers show the importance of aligning your employees’ training with organizational security goals.
Developing a security culture for your organization refers to a set of values and habits that determine how employees should approach security threats and issues. Adequate security training ensures that employees know how new systems and applications can be safely implemented. It can also help them understand what the organization stands to lose if they are not careful of these threats.
As organizations working remotely, employers need to update their workers’ security training, for example, providing adequate information on recognizing phishing emails. All it takes is one click on a phishing scam disguised as a perfectly legitimate email to cause potential harm to your organization.
Also keep in mind that it may not be your employees who detect the beginning of a cyberattack, but rather your customers themselves. This is why organizations should have appropriate help desk or customer support systems to communicate potential dangers and threats customers may face. These systems should be integrated directly into the emails of your IT or security teams, so that they can be notified instantly when a customer has any reason to believe their information was hacked or put at risk.
Remote communication must also be adequately secured to keep hackers’ from accessing high-class confidential information. For example, IoT devices such as Siri or Alexa could be potential targets of digitally weaponized materials that look harmless enough but have the power to transmit important business info to unscrupulous individuals.
Build bridges across technologies
Application Programming Interface (API) allows users to share important information between different devices and applications. For example, the access to weather information on your mobile phone is sourced from a third-party application sent to your phone through an API.
Detailed documentation is available for APIs to provide transparency for developers that can help them in coding. However, this transparency can also act as a blueprint for hackers exposing them to potentially sensitive logic and data. According to a recent study, 35% of the surveyed websites were victims of API hacking, while 94% of applications were found to have vulnerabilities in their security features.
Many people think cyber-security is all about having IT skills like an engineer, analyst, or networking expert. But rarely ever do companies and organizations consider that none of their technical knowledge or procedures matter without an efficient communication system with end-users about the why’s and how’s of security procedures.
Protect your applications and software from these attacks with API collaboration tools that provide vulnerability analysis of applications, giving you the visibility needed to take adequate security measures.
What can organizations do to protect the converged landscape?
As cyber-criminals continue to attack OT systems, traditional tools used to protect IT networks simply can’t provide adequate fortification to organizations. This means that specialized security training and knowledge are required to protect this equipment without impacting its functionality.
Choosing the right security vendor
You will need to work with a security vendor with the resources and experience necessary to address both OT and IT security requirements. It is also essential that they work with your internal IT team to create strategies that prioritize confidentiality, safety, and reliability across the organization.
They can also maximize your OT potential by taking advantage of strategic partnerships with other security specialists and offering a comprehensive range of tools specially designed to secure OT environments.
Use VPN’s for remote access
As more people use the internet, more information gets exposed to the cloud, making it vulnerable to threats and hacks. However, a VPN can encrypt data sent across the internet, making it inaccessible to hackers.
VPNs also hide your IP address and protect your browsing history from prying eyes. Thanks to their built-in encryption protocols, VPNs ‘hide’ personally identifiable customer data in transit from anyone who manages to breach the system.
Sydney-based cybersecurity expert William Ellis of Privacy Australia claims that it’s of the utmost importance for employees to use VPNs over public networks especially, explaining:
“Let’s say you’re trying to access a public Wi-Fi network. Maybe it’s crossed your mind that somebody else might be monitoring your activity. Well, whether from home or using a public connection, this is the reason for virtual private networks….they create an encrypted tunnel that separates you and whatever server is hosting the website/internet bandwidth you are accessing. Surveillance agencies, hackers, and other cybercriminals cannot see your IP address or other compromising pieces of data.”
Simply put, a VPN connection operates as a safe tunnel through which you can exchange information and provide data that can be easily hidden from unauthorized access.
In today’s digital age, consumers and end-users want instant access to information without compromising their personal data. But organizations that are involved in securing operational environments risk their customer’s data and their employees’ data every day.
There is no denying the importance of challenging conventional training, security protection methods and integrating OT tools into a comprehensive security strategy. In fact, this is critical to your organization’s success, ensuring its safety, confidentiality, and integrity for the long haul.