Interdependence of critical infrastructures
Industrial systems are highly interconnected and mutually dependent in complex ways, both physically and through a host of information and communications technologies. This dependency often leads to the interplay of more than one organization or business entity.
In the case of critical infrastructure, this collaborative model is often referred to as a system of systems. The Industrial Internet and Industrie 4.0 further enhance this concept, as IIoT solutions typically involve multiple technologies, systems, and ecosystem collaborators. A failure in any one part of the system of systems can directly or indirectly cascade into other connected systems, thereby intensifying the consequences.
Consider the example of an electric power transmission SCADA system, where a cascading failure can be initiated by disrupting the wireless communications network. In the absence of adequate monitoring and recovery capabilities, such failures could take one or more generating units offline. This event can, in turn, lead to the loss of power at a transmission substation, which could subsequently cause a major imbalance, triggering a cascading failure across the power grid. This would ultimately result in large-scale blackouts and could potentially impact dependent operations such as oil and natural gas production, refinery operations, water treatment systems, wastewater collection systems, pipeline transport systems, and so on, which rely on the grid for electric power.
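The cascade just described can be reasoned about as reachability in a dependency graph, which is also how a practitioner would start to prioritize where monitoring and recovery capability matters most. The following is an added example, not code from the book or from any grid operator; the system names and the edges between them are constructed placeholders that mirror the narrative above, and "containment" is a modeling assumption standing in for adequate monitoring and recovery at a node.

```python
from collections import deque

# Constructed dependency model. "A depends on B" is stored as B -> [A],
# so when B fails, every A in the list can be affected. Names are
# illustrative placeholders, not a real grid topology.
DEPENDENTS = {
    "wireless_comms": ["scada_master"],
    "scada_master": ["gen_unit_1", "gen_unit_2"],
    "gen_unit_1": ["transmission_substation"],
    "gen_unit_2": ["transmission_substation"],
    "transmission_substation": ["power_grid"],
    "power_grid": ["oil_gas_production", "refinery", "water_treatment",
                   "wastewater_collection", "pipeline_transport"],
}


def cascade(dependents, initial_failure, contained=frozenset()):
    """Return the systems reached by a failure starting at initial_failure,
    in the order they are affected (breadth-first).

    Nodes in `contained` are assumed to have monitoring and recovery in
    place: they are still affected, but the failure does not propagate
    to their dependents.
    """
    affected = [initial_failure]
    seen = {initial_failure}
    queue = deque([initial_failure])
    while queue:
        node = queue.popleft()
        if node in contained:
            continue  # recovery at this node stops further spread
        for child in dependents.get(node, []):
            if child not in seen:
                seen.add(child)
                affected.append(child)
                queue.append(child)
    return affected


def chokepoints(dependents, initial_failure):
    """Rank each affected system by how many downstream impacts containing
    the failure at that single system would prevent. This is a crude way
    to decide where monitoring and recovery investment pays off most."""
    baseline = len(cascade(dependents, initial_failure))
    ranking = []
    for node in cascade(dependents, initial_failure):
        if node == initial_failure:
            continue
        remaining = len(cascade(dependents, initial_failure, contained={node}))
        ranking.append((baseline - remaining, node))
    ranking.sort(reverse=True)
    return ranking


if __name__ == "__main__":
    print("Unmitigated cascade:", cascade(DEPENDENTS, "wireless_comms"))
    print("Contained at substation:",
          cascade(DEPENDENTS, "wireless_comms", contained={"transmission_substation"}))
    for prevented, node in chokepoints(DEPENDENTS, "wireless_comms"):
        print(f"{node}: containment here prevents {prevented} downstream impacts")
```

In this toy model the SCADA master ranks highest because every generating unit sits behind it, while containing at a single generating unit prevents nothing, since the other unit still reaches the substation. Real interdependency analysis also has to account for physical dependencies that no network diagram shows, which is exactly why the system-of-systems view matters.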
In spite of these differences, it is important to note that there are areas where IT and OT security overlap and converge. According to Gartner's 80/20 rule of thumb (GART-IIoT), with the growing adoption of IT technologies in OT, 80 percent of the security issues faced by OT are almost identical to IT, while the remaining 20 percent are diverging and involve critical assets such as people, environment, and systems.
On the topic of air-gapping OT environments, here is some comprehensive guidance excerpted from GE-Wurldtech's research paper (WLT-ICS):
"The common notion that industrial assets are immune to cyber-attacks if parts of them are isolated from the internet (or other vulnerable corporate networks) is no longer practical in a hyper-connected enterprise. Although total air-gapping of an industrial network is possible, there are several reasons why this may not be a reliable security measure for industrial enterprises. For example, Wi-Fi, Ethernet ports, and USB ports present vulnerable attack surfaces. File transfers between the company and outsiders are inevitable as a hacker can infiltrate the organization's network by installing malicious software through such file transfers. An increasing number of companies are encouraging their employees to adopt the bring-your-own-device (BYOD) trend; however, the probability of a cyberattack through compromised personal devices is high. Even if an industrial network is completely air-gapped, it is still vulnerable to potential threats from accidental or intentional damage from its internal workforce. The only way to control this internal attack vector is by continuously monitoring the network and by implementing rigid access control mechanisms."
To summarize this section, the differences in operational dynamics and risk patterns between ICS and IT systems necessitate careful consideration when building IIoT security strategies. To counteract the new attack vectors exposed by IIoT adoption, industrial enterprises need to factor in these differences. Merely applying legacy IT security in OT may cause more problems than it solves. Vulnerabilities and attack surfaces that are specific to the OT infrastructure need to be assessed, and advanced security best practices that already exist on the IT side of the house, for example, increased visibility into assets and traffic, need to be adopted. The measurement of "security success criteria" between IT and OT needs to be aligned by accounting for human and environmental safety. OT-specific vulnerabilities need to be prioritized, and existing security gaps need to be addressed.