Enhancing Security in Converging IT and OT Networks

As Enterprises accelerate their digital transformation, and information technology (IT) and operational technology (OT) worlds continue to converge, security is paramount. Cyber threats are growing exponentially, while also becoming more sophisticated and harder to detect. Increasingly, mission-critical OT networks, which control and monitor complex physical processes, are being extended into the data center and combined with more typical IT traffic. This makes them attractive targets for cyber criminals looking to cause maximum disruption and extract as much money as possible from their victims. 

In recent years, a long list of high-profile enterprises in a variety of sectors have seen their OT networks fall prey to damaging cyberattacks, including ransomware, malware, and distributed denial-of-service (DDOS) attacks. In 2021, the Colonial Pipeline was hit by a ransomware attack that was responsible for temporarily cutting off 45 percent of the gasoline supply to the eastern United States. The company eventually paid the ransom but restoring all the systems affected by the attack took many months. Other recent victims of attacks on their OT networks include a water treatment plant in Florida, a meat processing plant with facilities across the US, and a water reservoir system in Israel. 

To avoid experiencing these types of attacks, network operators need to put in place a comprehensive defense-in-depth strategy, one that will reduce the attack surface and protect critical systems and infrastructure used for industrial operations. For example, as OT traffic continues to the data center, a key component of this security strategy involves segregating it from less-critical IT traffic, such as traffic that resides in the public cloud.

As well, to meet the low-latency performance needs of mission-critical OT applications, Advanced Encryption Standard (AES) 256-bit symmetric encryption must be applied within the data center or out at the data center edge. Techniques such as MACsec, IPsec, and Anysec are essential and also need to be supported with quantum-safe cryptography, which helps protect against attacks from a quantum computer. To further protect the data center from cyber threats, enhanced security protections also need to be embedded in the network silicon and network operating system (NOS). 

Security hardening is another essential requirement, especially for preventing distributed denial-of-service (DDoS) attacks. The NOS must be capable of protecting the CPU and control plane from DDoS instances, and the network must provide telemetry to the network’s analytic systems, which will provide the data required to detect DDoS attacks. When an attack is detected, the network must also be equipped with the capabilities needed to defend against it.   

In many industries, smaller edge data centers are frequently being deployed in the OT field networks and not just in centralized locations, which further supports the convergence of IT and OT requirements. In these small data centers, the OT network attributes of resiliency and security are merged with the IT cloud network consumption and DevOps attributes of flexibility and agility. 

 As IT data centers are increasingly used to host OT applications, this will increase cloud-native and DevOps flexibility, along with iterative approaches to deploying new OT functionality. However, this capability needs to be balanced with the exacting requirements of OT networks, which prioritize robustness, stability, security, latency and failure resiliency. In fact, there are growing threats to OT resources and services which will require security solutions that can be applied in the OT field network as well as in the data center. 

Author's Bio

Allan Jerrett

Director, Data Center Switching Business Development, Nokia