
IT & OT convergence brings new cyber risks to industrial sector

18 Jul 2019

IT and operational technology (OT) are converging, but that convergence must be handled with caution in order to manage the cybersecurity risks that go with it.

The risks to industrial organisations such as those in the energy sector are immense – in fact the Australian Energy Market Operator says that protecting the sector is a matter of national importance.

Forescout Asia Pacific and Japan senior director of systems engineering Steve Hunter comments that cyber risks against IT and OT environments have been steadily growing. Now there is a push by government and industry bodies to address those risks.

The Australian Energy Sector Cyber Security Framework (AESCSF) provides a foundation for the sector to be consistently assessed and the insight to uplift cybersecurity capabilities and strengthen cyber resilience.

“This increasing pressure is putting new demands on CIOs and CISOs in the utilities sector now tasked with protecting this entire ecosystem,” comments Hunter.

“The reality is, however, that no organisation can be expected to understand that of which they don’t know, and a key part of addressing this knowledge gap is to have complete device visibility and control across IT and OT.”

He says that criminals often gain access to OT systems by compromising contract and third-party vendors.

“Devices are installed onto the network to make workers’ jobs more efficient but the IT team either isn’t alerted to their presence or can’t see them via existing asset discovery processes. Vendors come in and do their job, then leave devices behind or leave decommissioned assets connected, creating rogue devices that aren’t managed and secured. This creates potential to take the organisation down with a single attack.” 

Forescout states that utilities can protect themselves by gaining full visibility into all the devices connected to the network, understanding what’s connected at all times and managing those connected devices to prevent unauthorised access to the network. 

“When it comes to asset discovery, utilities should carefully start with the system critical services and work in priority order to identify: what assets support the process; what hardware and software run on the assets; what network topology supports them; and what endpoints, devices, and non-network connected devices really constitute the asset in its entirety,” says Hunter.

“Utilities should put in place a framework of controls from asset discovery, hardware, and software asset management, configuration management, and vulnerability management, to building a blueprint for efficient and measurable risk reduction.” 
