Here we will explore the Shadow IT Risks for OT Departments. Operations Technology groups can be an integral part of important business functions like production, maintenance and more. This means there are a lot of IT-related functions which can be handled by the OT department members in terms of functionality. However, not involving the IT department could mean these IT functions could cause potential security concerns. The OT department member might not be aware of the exact way of handling the IT function like a professional IT member can. Easy attack vectors like servers, and insecure IoT devices can pose as common security threats.
Shadow IT has been an increasing trend in the LoB departments. According to a C-space report, LoB managers spent more than 30% of their time making IT decisions. A likely reason is, that it’s faster to get things done sometimes without going through an IT department who already bandwidth-constrained. With the rise of high-tech industrial equipment, the dependence on IT-related operations increased. According to an IDC report, it predicts IoT spending will reach $1.1 trillion in 2021. This is placing a higher demand on IT functions, thus needing IT guys in the OT departments.
What’s The Problem?
In short, OT Department is responsible for major functions in the organization and doesn’t necessarily coordinate with the IT department for all IT needs. The enormous small activities get work done faster but this ends in orphaned assets and various other vulnerabilities that the OT department person didn’t have the skills to handle.
Possible Mitigation Strategies
- Stricter IT Policy
Stricter IT policy for connected OT systems could be a solution. However, there are implementation challenges. The OT department may not deem it necessary to contact the IT. OT Department has the responsibilities of production, maintenance and thus like might to retain the authorities here. The IT may have to enforce more severe actions.
The IT concerns may be well founded based on the trending reports. According to a Gartner report, it predicts by 2020, IoT will be involved in more than 25 percent of known enterprise security attacks.
The OT-IT convergence and departmental cooperation seems like a healthy balance to lower costs, increase efficiencies and minimize Shadow IT.
- Using Third Party Vendors With Integrated Solutions And Converged Skills (OT-IT)
These parties can have a set of understanding on both departmental skills (major ones), thus bringing in great flexibility. Advanced OT technologies can be complicated in terms of implementation. This third party adds in a pool of skill resources which are transferable between the OT and the IT departments.
- Continuous IT – OT Asset & Risk Identification
Various tools like Shodan can help in achieving this. The continuous tracking /risk identification of all IT – OT (inter-department) assets can help. The IT department can then formulate their policy to meet the needs of the OT department and even formulate training programs for the simple requirements empowering OT department.
Reference :
About FireCompass:
FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.
Feel free to get in touch with us to get a better view of your attack surface.
