There is a lot of hype out there about the dangers of mixing operational technology (OT) with information technology (IT), and a lot of it is true. Because the two environments were designed to address different requirements, it’s only natural that each brings its own challenges to integration and can introduce risk.
As this study revealed: Nearly 6 in 10 organizations using SCADA (Supervisory Control and Data Acquisition) or ICS (Industrial Control Systems) indicate they experienced a breach in those systems in the past year, with many of those organizations at increased risk by allowing a high level of access into their systems.
In an age where data has long been the new oil, organizations would be wise to ensure their exchanges are handled securely without introducing threats to their critical OT networks.
The Importance of Securing OT
OT is critical to almost every facet of modern life, encompassing many critical systems including CT scan machines, factory robots, even washing machines. None of these systems or tools can afford to be compromised, become unreliable, or be inaccessible.
Operational technology can run outdated software that is vulnerable to threats, because these systems haven’t had to be exposed outside of their local network – before being integrated with IT, that is. OT is nearly all custom-built, and outages in an OT environment are typically much more critical than an outage of IT tooling.
Integrating OT with IT introduces a lot of new security challenges, but it is almost universally being seen as worth the risk in critical infrastructure organizations across the board. Here’s why.
Why Integrate IT/OT?
IT/OT networks are segmented, and most of the time, isolated. However, data exchange between them is often needed. For instance, Operational Technology includes Distributed Control Systems (DCS). Robust Managed File Transfer (MFT) solutions, such as Fortra’s GoAnywhere MFT, can be used to communicate with message brokers such as Apache ActiveMQ, RabbitMQ, or Kafka integrated into a DCS for specific use cases, such as:
Data aggregation: Collecting and distributing data from various sensors and controllers
Event notification: Sending alerts and notifications based on specific events or conditions
Integration with IT systems: Bridging the gap between operational technology (OT) and information technology (IT) systems
These types of tasks must be done while ensuring that only the needed data, free of malware or other threats, is transmitted. In some worst-case scenarios, customers are forced to travel onsite with USB sticks laden with data, scan them for malware, and only then get one upgraded file onto the OT network – a scenario that is costly in both effort and resources, as well as risky from a data exposure standpoint. OT/IT integration, however, allows for improved data analytics and better remote access capabilities, so that:
Patches can be applied
Updates can be installed
Information can be more efficiently transferred
Training can be improved (via remote access)
While good in theory, some challenges remain in execution; specifically, in achieving these benefits while maintaining a high level of cybersecurity.
The Challenge of Integrating IT and OT Securely
Most companies that integrate want bi-directional exchange between OT networks and IT networks through secure and controlled processes.
This is challenging because the networks are usually fully isolated, or air-gapped. This physical separation from other devices on the network means that OT networks have not previously needed to worry about external threats (e.g., malware and viruses) at all, and their tooling is consequently not equipped to handle them. Without proper, safe-handling policies from IT, data transmission between the two technologies can leave the door open for online threats to infiltrate internet-connected IT systems and crawl their way into vulnerable OT networks.
Many of these threats, which target SCADA systems and OT networks within critical infrastructure, are as sophisticated as they come:
Low-and-slow, deeply embedded threat actor exploits
All of these threats can seek to exploit critical vulnerabilities in OT systems, achieve remote code execution (RCE), and then disable the network or launch a denial-of-service (DoS) attack.
Thankfully, there is IT tooling that can help organizations achieve the benefits of integration while keeping things secure. For example, by using GoAnywhere’s Advanced Workflows, organizations can send messages to MQ (Message Queue) systems (mostly OT) and make RESTful calls (mostly IT) within the same project, allowing the file transfer solution to become a bridge between IT/OT systems.
Here’s a real-world example of how that would play out with MFT securely integrating OT and IT:
Scenario:
A manufacturing plant needs to securely transfer data between its OT systems (like PLCs and SCADA systems) and its IT systems (such as ERP and MES).
Solution:
Data Collection: GoAnywhere collects data such as production metrics, environmental conditions, and equipment status from various sensors and controllers in the OT environment.
Secure Transfer: This data is then securely transferred to the IT systems using GoAnywhere’s secure encryption protocols (e.g., SFTP, FTPS).
Automated workflows are set up to trigger data transfers either at specific intervals or based on certain events to ensure timely updates without manual intervention.
Integration: The data is integrated into the IT system, in this case, the company’s ERP system, for real-time monitoring and decision-making to help optimize production schedules, manage inventory, and maintain equipment.
Compliance and Auditing: GoAnywhere helps meet industry and internal compliance and data security requirements with detailed logs and audit trails to track all file activity.
This integration not only helps the manufacturing plant achieve better coordination between its OT and IT systems, but it can also help reduce downtime, enhance security, and improve efficiency.
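The requirement that only needed, threat-free data crosses the OT/IT boundary, together with the audit-trail step of the scenario, shown as an added Python example; it is not GoAnywhere code or configuration. The policy table, file-name patterns and the `AuditTrail` class are assumptions made for illustration, and the content check complements AV/ICAP scanning rather than replacing it.

```python
import fnmatch, hashlib, json, os
# Constructed policy (assumption): what may cross the boundary in each direction.
POLICY = {
    "ot_to_it": {"patterns": ["metrics_*.csv", "status_*.json"], "max_bytes": 1_000_000},
    "it_to_ot": {"patterns": ["patch_*.zip"], "max_bytes": 50_000_000},
}
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable", b"PK\x03\x04": "zip"}
EXPECTED_KIND = {".csv": "text", ".json": "text", ".zip": "zip"}

def sniff(data):
    """Classify content by leading bytes, not by the name the sender chose."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "binary" if b"\x00" in data else "text"

def evaluate(direction, name, data):
    """Return (verdict, reason); anything not explicitly allowed is denied."""
    rule = POLICY.get(direction)
    if rule is None or "/" in name or "\\" in name:  # fnmatch's * also matches separators
        return "deny", "unknown direction or path separator in name"
    if not any(fnmatch.fnmatchcase(name, p) for p in rule["patterns"]):
        return "deny", "name not on allowlist"
    if len(data) > rule["max_bytes"]:
        return "deny", "size limit exceeded"
    kind, ext = sniff(data), os.path.splitext(name)[1]
    if kind != EXPECTED_KIND.get(ext):
        return "deny", f"content is {kind}, extension is {ext}"
    return "allow", "ok"

class AuditTrail:  # hash-chained log: each record commits to the one before it
    def __init__(self):
        self.records, self.head = [], "0" * 64
    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    def gate(self, direction, name, data):
        verdict, reason = evaluate(direction, name, data)
        entry = {"direction": direction, "name": name, "verdict": verdict, "reason": reason,
                 "sha256": hashlib.sha256(data).hexdigest(), "prev": self.head}
        self.records.append(entry)
        self.head = self._digest(entry)
        return verdict == "allow"
    def verify(self):
        prev = "0" * 64
        for entry in self.records:
            if entry["prev"] != prev:
                return False
            prev = self._digest(entry)
        return prev == self.head
```

Denied transfers are logged as well as allowed ones, and the current `head` hash needs to be stored outside the system being audited for `verify()` to mean anything.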
MFT Technology Can Help Secure OT/IT Integration
We’ve established that the main problem is how to send information to and from OT networks in a secure fashion. Robust Managed File Transfer (MFT) solutions can deliver the enterprise-level file security needed for this integration. GoAnywhere MFT is built to solve the problems that arise from mixing critical OT with equally valuable IT networks. With the solution’s Threat Protection bundle, any transfer can be extensively inspected and scanned with:
Document sanitization
Multiple AV engines
Multiple content engines
These methods are capable of detecting both known and unknown issues, all within the Secure ICAP Gateway as shown in these system architecture diagrams.
As cyberspace has become the new battleground for social and geopolitical aggression, taking down a nation’s critical infrastructure via remote cyberattacks has increasingly become a tactic of choice. From disgruntled domestic citizens to state-sponsored, Advanced Persistent Threat (APT)-bearing attackers, some of our oldest systems are under siege by some of the world’s largest, most dangerous, or simply most persistent cyber criminals.
By using GoAnywhere to help put a proverbial moat around crucial OT, critical infrastructure can help stave off attackers and do it in a way that is resource-friendly and effective.
See How GoAnywhere MFT Can be Your OT and IT Bridge
GoAnywhere MFT is an enterprise-level solution that goes beyond sending files from Point A to Point B. As IT and OT become ever more intertwined, secure MFT can be the bridge that helps your two systems communicate effectively.