Vendor and version lock insights:
- Overreliance on OEMs and outdated software in OT/ICS environments exposes organizations to vulnerabilities, limiting flexibility to adopt new security technologies and increasing uniform risks across systems.
- To mitigate risks, organizations should prioritize vendor-neutral solutions, open standards and alternative cybersecurity controls like virtual patching, network segmentation and SD-WAN technology.
- Closing the IT-OT divide is essential for effective cybersecurity.
Vendor and version lock-in poses significant risks to industrial cybersecurity by limiting an organization’s flexibility to adopt new security technologies and respond to potential threats. This overreliance on original equipment manufacturers (OEMs), or an inability to manage system or software updates on the plant floor, can create uniform vulnerabilities across operational technology/industrial control system (OT/ICS) equipment. This has the potential to compromise your entire security posture.
To mitigate these risks, organizations should prioritize vendor-agnostic solutions, open standards and regular, carefully managed updates to maintain adaptability and resilience in their OT/ICS environments.
The OEM blockade
A significant hurdle in securing OT environments is what is sometimes called the “OEM blockade.” Original equipment manufacturers often restrict access to their equipment’s software and systems, citing warranty concerns. However, this approach is becoming increasingly difficult to sustain, especially in OT environments, in an era of remote access and data-driven optimization.
Vulnerabilities in new equipment
Many organizations may not realize that brand new equipment often comes with outdated software versions, harboring numerous unpatched vulnerabilities. This situation arises because OEMs typically freeze software versions during the factory acceptance testing phase, which can occur months before installation.
The outdated operating system dilemma
The prevalence of outdated operating systems, such as Windows 7 or even XP, in industrial environments remains a significant concern. While information technology (IT) departments would typically ban such systems from their networks, OT environments often can’t function without them due to long equipment lifecycles and the need to maintain production.
Alternative controls for industrial systems
To address these challenges, organizations should consider implementing alternative controls, such as:
- Virtual patching
- Network microsegmentation
- SD-WAN technology overlays
These solutions can help secure legacy systems without disrupting critical operations.
The IT-OT divide
Despite all the talk about IT-OT convergence, a significant disconnect often exists between these two domains. IT teams may implement OT cybersecurity tools without sharing the data with OT personnel. When they do share information, it’s often filled with false positives or inaccuracies, leading to a lack of trust and cooperation between departments.
Invisible impacts of vendor and version lock
Manufacturing disruptions due to cybersecurity incidents often go unreported. When IT-related issues impact production, companies may not disclose the full extent of the problem to avoid alarming investors or admitting to vulnerabilities. The SEC's four-business-day deadline for publicly traded companies to disclose material cybersecurity incidents puts those companies' cyber events in plainer view. Privately held companies are not under the same requirements.
The need for OT-focused solutions
To effectively address OT cybersecurity challenges, organizations must:
- Engage proactively with the ecosystem of OT suppliers, including OEMs and system integrators.
- Engage those with proven experience and a track record of successful cybersecurity solutions and implementation expertise.
- Implement tools that provide visibility into the “ghosts in the machine” — unexplained equipment glitches in industrial control systems.
- Focus on process integrity alongside cybersecurity to improve overall operational efficiency and uptime.
The path forward for better cybersecurity
Improving OT cybersecurity requires a shift in approach:
- OT teams must take the lead in securing their environments, because they own the plant floor. IT teams often lack the specific knowledge needed to address plant floor issues.
- Organizations should seek partners with deep OT expertise who understand the nuances of industrial control systems and can bridge the gap between IT and OT.
- CISOs and IT managers must collaborate closely with plant managers, operations and OT personnel to develop comprehensive security strategies that address both IT and OT concerns.
By recognizing the unique challenges of OT cybersecurity and adopting a collaborative, OT-centric approach, organizations can better protect their critical infrastructure and manufacturing processes from the risks posed by nefarious actors and adverse cyber events.