While the convergence of IT and OT networks has clear business benefits, it also introduces new security risks. Hamed Diab, Regional VP of MENA at California-based Forescout, tells us about the importance of visibility in securing these environments, as well as how CISOs can take steps to strengthen their current IT-OT security strategies.
Can you give us a broad outline of the cyberthreat landscape right now?
Over the last 20 years, Network Access Control (NAC) has become a fundamental component for enterprises looking to ensure a resilient cyberstrategy. Recently, however, the volume and diversity of Internet of Things (IoT) and Operational Technology (OT) devices have increased, so much so that NAC now must provide a deeper level of insight into the posture of each device to correctly provide or deny access at varying levels. As diversification of devices continues, full visibility, classification and enforcing policies become more difficult.
The challenges faced are varied but 2020 has showcased this more acutely than at any other time as the world grapples with COVID-19. The sudden shift to remote working and the need for organisations to create access from home to corporate networks means that virtual private network (VPN) use has also increased. Many office applications remain on-premise and employees everywhere – particularly those working in government, healthcare and critical infrastructure – still require access to corporate and operational networks. This gives organisations no choice but to rely on VPNs to secure the pathway from remote users to a corporate network with an end-to-end encrypted tunnel.
The problem is that a VPN is a tool to enable security rather than an entire toolkit. It doesn’t carry functions like anti-malware or compliance checks and so should not be seen as a ‘catch-all’ approach to cybersecurity – ultimately, a VPN serves as a fast lane into the heart of corporate networks which, without adequate protection, could lead to potentially disastrous consequences, potentially creating a bigger threat than what it is enabling.
What security challenges have been created by the convergence of IT and OT?
The bringing together of IT and OT on business networks is often promoted as a key part of the Digital Transformation process. Remote maintenance, faster production cycles, shorter supply chains and, above all, quicker progression from prototype development through to the end-product are just some of the advantages. Couple this with the introduction of 5G and production processes will be faster and more interconnected than ever before.
However, along with its numerous benefits, connecting IT and OT technology can also have its drawbacks, especially when considering cybersecurity and fail-safety. The result of more connected devices is that there is also a higher volume of access points to the network and therefore more potential attack vectors for bad actors. There are numerous technologies that detect dangers in OT networks but many fail because they cannot keep up with the ongoing push from OT engineers to achieve the most uninterrupted operation. In the worst-case scenario, the supposed ‘defences’ can even create further risks.
When IoT and OT devices gain access to a flat network, they have the freedom to move laterally if not properly segmented, limiting full visibility and creating blind spots which can be later exposed. Network segmentation, however, can be dynamic. For example, by providing a Zero Trust approach across all environments and to all devices, with different policies for the computer at the front desk and the CEO’s laptop, the risk posed by attacks is automatically limited.
CISOs are having a difficult time in providing this security. Maintaining close control of their networks and device ecosystem continues to become more difficult as IoT and OT devices increase. In order to achieve effective security, the full context of connected devices must be available to regain both visibility and control. From the data centre to cloud and OT environments, devices can be given appropriate access rather than access to the entire network.
How important is network visibility for securing these environments?
Incredibly important. Gaining full visibility over devices, whether they be permanent or BYOD, IT or OT, is a strong foundation for any cybersecurity practice. Research from Forescout last year showed that 85% of IT teams agree a lack of full visibility is a significant point of weakness in any security infrastructure and, on average, any organisation that then goes on to achieve comprehensive network visibility will find 30% more devices than they were expecting.
Full visibility allows for all these devices to be consolidated under one management system and cybersecurity policies to be applied unilaterally or on a case-by-case basis. For instance, different permissions can be granted to a laptop compared to a fixed lab computer and non-compliant devices that attempt to gain access can be instantly quarantined to prevent the risk of lateral movement.
This allows for vulnerabilities to be located and dealt with before they can spread across the network. Segmentation of connected devices across the network also allows for this. The result of which is that, if a compromise does occur, it isn’t able to infect the whole network.
Can you tell us about some use cases for your technology in these environments?
In the Gulf Region, we work with many different financial, healthcare, oil, gas and government entities. A common challenge we find is there is not enough visibility into connected IT, IoT and OT devices. There is also an inability to accurately identify devices which are connected to the network, resulting in failed audits and high costs due to manual inventory.
Forescout helps large customers to gain device visibility and auto classification of all connected devices whether they are in campus, building automation, OT (Operational Technology), data centre or cloud environments. One of the most common use-cases for our platform is modern NAC (Network Access Control).
Other important related use-cases we have found are threat hunting capabilities – especially with the growing threat of ransomware outbreaks. We help customers to use built-in vulnerability and response policies (such as for WannaCry, NotPetya, SamSam, etc.) and allow customers to customise their own policies to search for compromises within the whole infrastructure.
How important is it for organisations to ensure robust security while not compromising operational efficiency?
Service availability and operational efficiency are always top priorities for our customers. Forescout introduced Operational Security Automation – which can help in breaking down existing security solution silos and help our customers reduce their response rates to risks.
Forescout helps customers across the Gulf region to automate manual tasks, whether on the network (for access control or for network segmentation use-cases) or on the end-point (for posture assessment and auto-remediation actions), while orchestrating action responses from third-party systems.
What best practice approach should CISOs take to ensure a robust network/OT security policy?
Zero trust is a security framework that centralises around the idea that no entity should ever receive automatic access to a network – instead, each one must verify itself in order to be granted the privilege. Born out of the realisation that both the outside and inside of a network can produce threats to cybersecurity, it replaces traditional authentication methods and helps to protect increasingly fragmented and diverse networks.
When deploying the zero trust model, it is vital that organisations have a good understanding of every connected user, their devices and the data they’re attempting to access. This should be the foundation of any security framework already – after all, visibility is the backbone of security – but it is exceptionally important when trying to create appropriate enforcement policies and controls as part of a zero trust strategy. Ultimately, businesses need to know who and what is trying to access what before they can create the correct parameters and controls.
Are there any emerging trends in this area that CISOs should be planning for?
Maintaining close control of their networks and device ecosystem continues to become more difficult as IoT and OT devices increase. In order to achieve effective security, the full context of connected devices must be available to regain both visibility and control.
Grappling with the growing number of attack vectors while meeting more and more compliance directives, CISOs have their hands full. The advancements in network segmentation have been designed to allow businesses to automate threat detection and isolation without impacting operations. Through limiting risks, maximising control and assuring controls are effectively implemented across a network, enterprises can more effectively prepare and manage the inevitable next wave of cyberthreats.