Enrico Frumento: IT-OT Convergence of Security

Okay, thank you. So this is a brief table of content of what we are going through. First of all, is the definition of what is the operational technology, because it's normally not, not so well ate concept probably, and which are the difference between the it information technology and the OT, and also why we are talking about the IOT integration now and why it is become worrisome, especially after the surge of COVID that changed as in many other sectors, the let's say shuffled the cars as in many other other sectors, and which are the cybersecurity, which is the cybersecurity in this area, especially because it has special threats, the problem has very peculiar and therefore it asks for a specific, let's say cybersecurity model. That is what I call the cyber model. Well, the German is not invented by me, but is something that fits very well in this topic.
So first of all, Gartner defines the operational technology, has the set of hardware and software that detects and goes a change through the direct mountain and control of industrial equipment, assets, process, and events. So they are called also in some other, let's say in erritory they are also called cyber physical systems, but the server physical systems are just one portion of the operational technology because operational technology includes also, for example, things like the industrial PCs, robotics, industrial IOT, everything that stays in the production floor, essentially. So the difference between it and OT in terms of functionality are, and culture are different because functionality, of course, because the set of technologies are specific for their OT context are several, we have different types of protocols. They are only and Mely used in the industrial sector. And also because we have different cultures, normally in a company, in a manufacturing company, the it and OT teams are completely separated each other.
And often they are not even speaking the same language in terms of technicalities and jargon, for example. But at the same time is one of the most rapidly increasing area of cyber crime just before the surge of COVID the IBM force released a trade intelligence index that was reporting an increment of 2000% of the threats of the attacks to the OT infrastructures compared to the previous year. So it is an extremely incrementing area of, of security. And this is the reason why we are talking about cybersecurity in the OT context, but, but also mostly in the convergence of these two words. Cause as we, we see in a moment, the OT is not something that lives alone on its own systems, but is something that is incrementally integrated inside the it part of a industry. So what, which are the differences, especially between the two world there is, first of all, things that is the roots of all the things that I'm going to stay in the following slides.
The first of all, first of all, the it security as mostly, probably anyone knows is based essentially on the TRID or the three of these three terms, confidentiality, integrity, and availability. While on the other hand, OT security is mainly based on three otherwards that is safety, reliability, and productivity. So in terms of data, this will brings again to the availability of data, to the integrity and other things like that. But the system is, so let's say integrity is based on these three different terms that is to have the safety, to keep the reliability and to stay productive.
10 years ago, the IOT systems were physically separated from data systems, as I said before. And so the trend environment that threat landscape was more or less limited. So you had to give, to have access physical access to the OT implants or through speak key. Like for example, the, the case of, of stocks net several years ago, or through other let's say means to bridge the gap between the it and OT connectivities nowadays, instead, the situation is completely different. But the point is that the OT common components often are not even designed to handle their own safety. They accept in most of those cases and execute comments of firm updates, even from untrusted parties. And for example, even some protocols. So like for example, the Mo bus are not even built using cybersecurity counter manages. So we data convergence to a convergence, not only of the technologies, but also the travel landscape.
So protecting critical infrastructures require information, technology capabilities and operational technology expertise. So the cybersecurity approach must be Omni inclusive or in other words, holistic. Okay. The point is that it's interesting also that the cybersecurity can measure needs to be extended from the production floor up to the governance of the entire implants. For example, it is relatively famous. The case of nos hydro that is a fam large Foundry in the Northern country in Sweden. If I remember con correctly or Norway, no, nor. So it is Norway that was stopped. The production line was stopped after a attack over somewhere. So the decision at the governance level was taken stopped. The production line use an incomplete often data coming from the lower layers. So this is something that needs to be solved, how somehow even at the level of OT security to include the governance and give also all the required information to take the right decision, let's say, then I was telling that the OT alignment is something that comes from from many years about gut and acceleration after the surge of COVID.
I will say something about this, looking at the Gartner hyper hype cycle on I ONT here essentially in the 2015, the IOT, it OT alignment was entering in the true of this illusion. So somehow it was in the third phase of this slope, but in the 2019, the same concept started to right again, towards the plateau of productivity. As a matter of facts in this last hype cycle, from the internet of things, the terminology is disappear because it's completely outside the curve. So it is nowadays something that is completely mainstream, I would say, but is mainstream also for the cyber criminals that are, as I said before, taking a chance to, to launch new tax and to launch new trust. Somehow let's say the OT is still while is called in cybersecurity, low hanging prove. So something that is relatively easy to be, to be a treated in a way or another.
The other things is important when speaking about the cybersecurity of the OD and it systems is that commonly the let's say what was, what is common in the, in the it field is not so common in the OT area because also the skilled persons or skills that are relatively common. If even if, as we discussed this morning, relatively rare skills are not common at all in the OT industry. So we have very important shortage of skills able to speak the language of cybersecurity in the OT, sorry, in the environment. But at the same time is also important to know that most of the OT cyber security products are appear on the market. And every day there are some new products here and there appearing on the, especially in the European cyber security market are not that much mature as the, their it counterparts. So this is something that is evolving, of course, but also since the party is different, I said before safety, reliability, and productivity, the trends are different.
Cause we can treat the system in a different way. For example, oil and gas firms targeted by the trap group, the attack, I dunno, fishing. So something that start from the it side and in the OT side and the last drop was something that was very basic in terms of malware complexity. I just wrote some, let's say no in the last line of side, telling that it was indeed very, very simple. So the threads are different. And the point is that the threads also start from the side and ends in the it side. So the problem solve today, protective boundaries, OT machines needs to be protected because they have a long lifetime. So it is not easy. Theta in the middle is in the middle because something, the companies are, or their devices are used to attack other entities and they are in the middle of a longer, really long supply chain.
Usually they also have the probability, the probability, the, the risk of losing their reputation towards the final client. For example, those who are selling the OT machineries, for example, and the other problems of it today is the low maturity as a set of cybersecurity industry for zero. And the evolution of the things like the international data space association that is opening for the European data marketplace that is increasingly working on the, the, the industry. And of course that's what is the integration of the industry 5.0. But what changed to completely is the appears of the COVID 19 of course, because one of the things, of course the COVID has been one of the accelerators of the digital transformation that impacted also the OT and the explosion of work from home. For example, had an impact on the OTC system in order to increase extremely increased number of assets required to from the remote locations, for example, increase in external connectivity. There has to be added to do the industrial implants and therefore created a lot of problems and created new and new opportunity Forex. So the, the point is that the OT implants have been caught, let's say somehow off guard.
The cyber crime of course, is on the rise as before, because when people are working from remotely deploy, is that poorly connected, small entity and easily attacked attackable individuals have merged. And the point is that attacking a big company, attacking an industrial system or attacking a small company is somehow more or less the same thing for a cyber criminal. Because most of the time the people are working in those organizations are living, are working at homes and they are left alone. So most of the times without much protection. So let's say they not have the same type of support while they are inside the, the, the ized zone of the company. So the point is that the need is to reconcile it cybersecurity, and we need to do that in many ways. First of all, as I said before, we need a sort of holistic process that includes cybersecurity, physical security and cyber physical security, that all three aspects of threats that can be uses against the OT implant, and also to include the governance, the governance model, because it must be the same to span across the it and OT systems and IOT domains.
Because as I said, most of the trends are starting in the, it, it war and ending into the OT domain. For example, some is many people speaks about the security of iron OT, so internet of things, but there is another type of things that is the industrial IOT, which has different type of devices with different. They are built of course, using the different product where they are built on safety, reliability, and productivity. So they have to be completely type, completely different type of project criteria. And then we need for the reconciliation of these two words, what I am proposing and what we are investigated as Jeff real is actually the sort of inclusive model that spans through 15 layers of cybersecurity. As you can see, probably while this readable from geographical lab, because it's, when you are speaking about OT, it also is important where your machinery is told, where is the production floor, if it is in a nation or which is under political tension or in another one.
So from starting from the geographical layer up to the government layer. And as I underline here, only some of this layer are usually target of cyberspace are living in the side space. What about is that every one of these, when we combine cybersecurity, cyber safety, cyber, physical security, all of these layers becomes important and influence each other. For example, even in terms of tracks, a small relatively, let's say under hackable delay of data, flowing from an industrial IOT to a control floor of the, of an industry in the it indu information technology world. This wouldn't be problem in the OT world. This could be a problem because it delays the control of the anomalies and could create even some problems leading for example, to an explosion or something else. So the point is that the tactic threat and procedures of cyber criminals are evolving, and we need to have a common, let's say your infrastructure to do you ever wanna be assessment that covers everything, what we are doing, and I'm going to, to finish my speech is that even as Jeffrey, we are slowly this, this, this relatively long stack through some, some research projects.
So like for example, I just put the names. The harm is something about the calculation of the risks of having of falling specific attack tactics. So it is sort of risk calculation engine that assigns the likelihood of being attacked to the different assets of a company. The project of which I made a talk two years ago at this conference was about the vulnerability assessment assessment of the human layer. So doing what is now mainstream, but than wasn't the performing of simulated deficient campaigns and calculating the risk of the human labor that is important, not only sends to, let's say to unconscious victims. And then other point of which we working is also the cyber risk estimation specific for the OT assets and the execution of food, spectrum, vulnerability assessment, or integrated vulner assessment. There is an extension of reliability assessment that also includes the presence of OT devices or of the industrial IOT devices. So this was more or less the conclusion, and I just took 90 minutes. So I hope to be in time. And this is the, my last ride.