If you’ve been in cybersecurity for a while, you’ve probably heard the term “Shadow IT”. But did you know that there are even bigger blind spots inside operational technology (OT) infrastructure? Security and executive teams almost always have an incomplete picture of what’s happening inside their operational systems even though these are critical, moneymaking parts of a business. This is the phenomenon of “Shadow OT”.
Shadow OT refers to unidentified, unmonitored or forgotten assets or networks inside of a company’s cyber-physical systems which are frequently missed by existing device inventory tools. Shadow OT creates enormous risk for a company because it impedes its ability to identify and respond to a cybersecurity threat quickly enough to avoid the impacts of an attack.
As the adage goes, you can’t protect what you can’t see, and this hidden infrastructure can put organizations at risk. If you can’t identify, monitor and manage your operational systems, detecting and responding to cyberthreats quickly enough to avoid the impacts of an attack, which could include anything from process disruption to fatalities depending on the industry, becomes almost impossible.
OT assets’ criticality differs from the criticality of IT assets. When planning for information technology (IT) security, you’re protecting data. If you have a good plan in place, even if the worst happens, you can restore data from a backup. If an incident occurs in an operational environment, you can't restore the physical world. Physical damage to a plant, wind turbine, vessel, nuclear reactor or, in a worst-case scenario, the loss of human life can't be restored from a backup.
Unique or legacy OT systems are frequently missed by existing IT cybersecurity technologies that create device inventories because they weren’t built to gather data from these environments. Over the past decade, many tools offering visibility into OT infrastructure have come to market, but the approach has been sporadic at best.
OT visibility for most companies today is limited to a plant-by-plant basis and is not easily accessible at the corporate level. Most specialty OT visibility tools on the market today haven’t done a great job of normalizing the vast amounts of data they receive from these systems, which has resulted in OT alert fatigue for SOC teams. They are almost always frustrated by the lack of context about a potential issue or threat. Getting this data out of a plant or site and into the corporate SOC has proven to be a challenging undertaking, and we still see CISOs struggling to answer basic questions about their company’s OT security posture.
The OT security industry as a whole is also going through an “aging out” process, where older operators who possess important understanding about devices and systems, are retiring and taking that tribal knowledge with them. Younger practitioners don’t have an easy way to quickly uncover this information, which is why it’s so important to put the right processes and technologies in place to support people in their OT cybersecurity efforts.
According to a 2022 Ponemon Institute study, only 45% of respondents say their organizations are effective in discovering and maintaining an inventory of all devices attached anywhere on the OT network throughout the asset lifecycle. To combat Shadow OT, security and operational teams need to work together to create a single source of truth for their asset base.
Centralizing all your asset and security data in a single location makes it easier for everyone to see and act on cyber or operational issues before they cause a problem in the physical world. OT asset management tools are a great way to do this. Be sure to look for one that can ingest data from many different sources and can also share data with the enterprise tools that the SOC and executive teams use.
To learn more about how Industrial Defender’s asset management solution shines light into your OT systems, check out our solution page here: https://www.industrialdefender.com/solutions/ot-asset-management.
