In this deep dive, Nasstar’s Darren Hogan and Pat Rodgers explore the convergence of IT and OT, breaking down the essential strategies for securing your digital factory.
Navigating IT-OT convergence and security threats in Industry 4.0: Trends, challenges, and solutions
Industry 4.0 is transforming manufacturing, but with innovation comes new security challenges.
Published: 26 March 2025

Transcription:
IT-OT Convergence: What you need to know
Darren: Hello, and welcome to our session today discussing the topical topic of IT and OT convergence. I'm Darren Hogan, I manage the portfolio here at Nasstar, and I'm delighted to be joined by Pat Rodgers, Managing Networks Product Manager. Pat, hello. Welcome.
Pat: Hello, Darren. Pleased to be here.
Darren: Fantastic. We're in salubrious surroundings today. We've made it into the studio. Lots to cover today. So we're going to dive right in, in terms of this topic of IT-OT convergence around manufacturing. And I guess if we start off with what our customers are talking to us about, really, what I get a sense of from a portfolio perspective is that manufacturers are really eager to try and grasp this concept of Industry 4.0, the fourth Industrial Revolution.
Okay, so here we're talking about data, using data to make quick decisions, data-driven insights. Harnessing the power of things like IoT, Artificial Intelligence, Machine Learning, in order to be able to move away from traditionally how manufacturers would move information around a factory floor, which is a piece of paper. I hand you a piece of paper. You can then do something with that piece of paper, to a much more digital exchange, a highly connected digital factory. In order to do that, we have to do things like harness the power of the cloud.
So really what we're talking about is taking instrumentation from IoT sensors, programmable logic controllers, that kind of thing, sending it to a cloud environment for processing and then delivering those insights. But all of that means we have to, in effect, connect the factory floor to the internet. Now, that doesn't sound like a very secure thing to do. I'm sure there are some challenges.
Pat: Absolutely. You know, both you and I come from a networking space, so we understand the challenges of anything being connected to the network. The risks connecting to the big bad internet, shall we say. These components that we're connecting, these operational technology devices that form part of the operational infrastructure, are unsecured by design, right?
Typically it may be an OEM NIC card, if you like, that's connected to these devices. That allows us to establish that connection from them into the cloud. So we need to make sure, we need to come up with a way of how we can protect them from the threats that are coming from outside and even inside. We'll talk about that in a bit more detail. But that's the fundamental challenge. These devices are now connected to the internet, and we need to protect them. How do we do it?
Darren: Correct. Yeah. So I think if we take a step back then, and look at a worst-case scenario, we're connecting our factory floor to the internet. Let's think about how a threat actor might take advantage of that. So everything from compromising an IT system to try and get access to the OT environment. You mentioned air gapping there, but very often now we find that that's not the case. The two need to be connected to do the things that we're discussing, which is this Industry 4.0 transformation.
So how do we protect that environment? Worst-case scenario. Um, an organisation could be shut down by this. So, taking a line down, taking a production facility down by compromising an IT or an OT system, in order to extract information and extract revenue, close the plant down, use ransomware. So, in the worst-case scenario, the factory goes offline. If we think about data exfiltration, then we start to think about brand reputational damage. We start to think about legal liabilities. We start to think about fines for not being compliant, GDPR, HIPAA, those kinds of frameworks, then start to come into sharp focus.
And then from a brand and reputation perspective, if we think about an organisation that has some intellectual property, maybe it's a recipe that is their brand, then having that locked down or exfiltrated and then shared, you know, with the world, it's catastrophic for an organisation. So there are many, many different ways that a threat actor could cause harm to a manufacturer. So given that, what can organisations do?
Pat: Well, some scary thoughts there Darren. But yeah, organisations need to then think about: how do we secure these devices? Yeah. There's two ways to do that. The first thing is about the technology and the solutions that we talked about, secure networking. That's how we can protect these devices.
The OT components themselves, like I said, have NIC cards. They could be OEMs. There's no CPU resource, if you like, to put some agents on there, like you would typically see on your Windows device or your mobile device, where you can put some antivirus. You can put some Windows Defender in the Microsoft space. You can't do that on these NIC cards on these OT components. So secure networking is the way to go.
Providing security at the network right up close to that point at which that device connects to the network. And we do that multi-layered. One of the layers we can take is around Zero-Trust access. This is about, let's say, someone remotely needs to access one of these OT devices to do some level of maintenance or to extract some data. And they are people who work for the organisation, but before we establish that connection, let's do that check.
Are they who they say they are? We can do that through multi-factor authentication. We can have rule-based access to make sure they can only access the things they're permitted to access. We can also check the device itself. What device are they using to connect to that OT network? Has that device been compromised? Are there any vulnerabilities? Can we do a scan on it to check if there are any vulnerabilities before we establish that connection? And even after the connection has been set up, can we check the content of the data that's being passed from that remote user outside of the factory floor, if you like? Now, connecting inside to this, really quite critical, certainly to the business, like you said, in some of the worst-case scenarios, but it's critical infrastructure.
Darren: Absolutely. Yeah. So when we think about Zero-Trust networking, access is a bit of a buzzword and has been for a while now. It really is that ability to be able to say, right, Pat has access to this system because of his role, but to your point, is the device that he's using secure, does it meet the minimum compliance standards from a corporate perspective? Is it patched? Is it dated? Is it running the correct firmware, and is it running antivirus, anti-malware software as well?
So from a conditional access perspective, it's really important that we understand that we can start to bring these technologies to bear, to make sure that it's not a one-size-fits-all anymore in terms of trusted behaviour. Darren accesses the network, and he passes a single control point, which is a firewall or a username and password. You know, single factor - not multi-factor. And because I have done that now, I have access to everything that's trusted behaviour. This is where Zero Trust comes in. So we do not trust that at all. We constantly verify, and we assume breach in most instances, which is the level of scrutiny that we apply to that connection.
Pat: And then take that to a level further. We can talk about network segmentation. So you mentioned the firewall, which is pretty standard. Every organisation should protect you from the internet. But what about inside the network? We talk about east-west traffic. That's where there may be subnetworks behind, that may be bad actors or compromised devices, that are already behind the firewall, and could potentially propagate attacks between networks inside the organisation.
So how do we protect against that? It could even be within the OT Purdue model, where we've got different layers of assets that we've categorised. So the ICS, the industrial control systems, the SCADA systems, we want to protect them more than maybe the sensors. So, how they communicate between each other, we need to make sure that a compromised sensor doesn't actually then propagate an attack and compromise one of those more critical systems.
So that's about network segmentation, and we can take that to a level where we go right down to micro-segmentation, then define who's connecting to those micro-segmented networks, those devices where they're connecting from, and build policies - real, fine-tuned, granular policies around just that.
Darren: Yeah, it's interesting, isn't it, because what we're talking about is separating and segregating traffic at the Purdue model from an industrial control system base component of a programmable logic controller. How does that talk to the SCADA system if that is compromised? How do we limit the amount of traffic or limit the threat in terms of what that particular thing can talk to? Segmentation can be an answer. So we just allow that particular device to talk to that particular system and limit that ability to go east to west, as you described it, to compromise other systems.
And to my mind, it's really improving the level of security all the way down through the model that you described, coming away from an IT-OT boundary, which is typically what we see today in our customers, and moving to a much more fine-grained solution, whereby we really get down to the nitty gritty of what can talk to what. Assuming the worst-case scenario, and making sure that we can still keep that factory running and being productive.
Pat: Absolutely. And then the next layer again, if we want to go deeper, is we said what and who can talk to what. But whenever they're talking, what are they talking about? What is the content of the data that's in between each other? Inspecting not to see if that is actually an attack being propagated is about detection. We want to be able to detect that, and we want to be able to respond to that. Response may be an automated response. The response may be that we just block that traffic, redirect it, or sandbox it, for example. We can do that through AI.
So AI is really quite powerful for us in this instance, because it allows us to be able to detect unknown threats, zero-day threats, as they're known. Expecting that content and making an informed decision about how we can protect the OT based on the live content being sent across that connection that's been established after we've done the checks of who and what.
Darren: So, another level again, then, which is around detection and response of a threat. So once we have all of these inspection points in place, what do we do about it? Being able to say right, well we've got some suspicious behaviour here. We've got an anomaly here, and they might be different points of the network. It's only when we use the power of AI to be able to correlate that activity with that activity that could potentially look like a threat, with the line speed of AI these days, it's very, very quick for a system to be able to say, well, actually that doesn't look quite right, let's do something about it. And you couple that with a human response effort, which is cyber threat analysts looking at these systems. 24/7, 365 to be able to advise the manufacturer that actually we've seen something. We think you should take action. This is our recommended action based on a playbook. You probably want to look at this and the speed of that response, I think is critical. I can absolutely see how that weaves into this story of, you know, defence in depth, if you like.
Pat: Absolutely. Because you alluded to the speed. Speed is key in this. We want to make sure these devices are operational 24/7. Anything that compromises that is a risk to the business itself, providing the services to its customers essentially. We need to make sure they're protected. So it's finding that balance always. Another layer I would like to talk about is virtual patching.
Darren: Okay.
Pat: So virtual patching is, like we said, these OT components. It's really difficult to put a software patch on them, really. The release may not even be made available if it's an OEM off-the-shelf NIC card. So how do we protect them? How do we patch them? We can't.
The network, though, can do what's known as virtual patching. And this is whereby we, the networking infrastructure provider, the vendors, if you like, collaborate with the OT industry to be able to identify threats, to be able to categorise those threats and get a signature, if you like, of what those threats look like. Once that's agreed, that can be released out to all the secure networking vendors' appliances that are doing the protection of the infrastructure, and then we can create a policy around that. So if we see the signature of this type of attack that's just been identified, block it; if it's coming into this specific OT component, block it. That's virtual patching in action.
Darren: So that's really important then. So what we're talking about here is looking at these signatures that are specifically designed to look at industrial control systems, communications, creating a policy blocking the threat traffic that's coming in without actually touching the ICS itself, without touching the mechanics of how that plant works.
So what we're not doing is saying we have to shut the line down for three hours before we update that particular component. We can keep the plant running. We can keep it safe. We can keep it secured. By using this kind of virtual patching technology, you called it, which is keeping the plant alive and running, but keeping it safe at the same time. So that's really important for manufacturers.
Pat: Absolutely. Yeah. And that comes about, like I said, that collaboration, if you like, between those secure networking vendors, the players in the forefront of that secure networking technology, collaborating with the OT industry itself. So they're working together to do these identifications, do those classifications, and ultimately help to certify accredited solutions that will work for the OT industry and help them drive compliance, to make sure their infrastructure, that OT infrastructure, is protected.
Darren: Sure.
Pat: It's really quite key.
Darren: Yeah, absolutely. And I guess the skill set there is really key. So when we're looking at organisations and partners who want to make a change in the environment from a manufacturing perspective between this IT and OT boundary, the skill set's really important; they have to know what they're doing. They have to understand the protocols and the technology. So, a trusted partner with skills and expertise in this arena has to be advantageous to manufacturing organisations that want to adopt this Industry 4.0 era.
Pat: Exactly that. So we talk about the idea that it needs to be a secure network. There are secure networking skills out there. But mapping that and aligning that to OT infrastructure, OT components, aligning that to the OT Purdue model. You know that different levels of components require a different level of protection. What sort of features, what sort of configurations, what sort of solutions? What sort of services do we need to apply for each different level in the OT Purdue model? For the SCADA system versus the sensors, like we talked about before, versus the PLCs. That's the skill doing that mapping. Secure networking to the OT Purdue model.
Darren: As I understand it, the Purdue model is a secure way of describing those ICS systems. So all the way from PLCs to HMIs to SCADA systems, there is a segregation level at each level of that Purdue model. I think there are five levels. So at the top we have IT. And then all the way to the bottom, we have level zero, which I think is the actual physical components of the line. And then in every single one of those levels, there is a security component that can do things that you talked about earlier, which is around network segmentation, virtual patching again. There is the ability to be able to do that.
So it's important that the partner understands that in order to be able to dovetail into that environment, to get the best use out of that technology.
Pat: Absolutely.
Darren: Okay.
Pat: So that is one part of the multi-layered, if you like, defence, the technology, the solution itself. The next thing, approach, if you like, is to have operational security operations. Essentially, this is about processes. So this is about us looking at detection and response.
We talked a little bit from an AI perspective. But AI is not going to cover everything. We need to have real people behind detection. We need to have systems to be able to detect a potential threat before an action is taken. Let real people evaluate that. That's where you get a security operations centre. Teams of people checking these, collaborating with other sources of information, having conversations with the organisation's IT teams, with the organisation's OT teams to make a decision as to whether this is actually a security attack that's happening and what remediation action, what response are we going to put in place, to deal with that attack or that threat that's been detected?
Darren: Sure, and I guess that that response and that detection and response mechanism could highlight, for example, if we're seeing a number of different attack vectors, then there might be a risk, and then that risk should be formally surfaced within the organisation in terms of something like a risk register, for example.
I think a key thing here is that, as technologists, we can't own the risk register for the organisation. The organisation has to own the risk register. Somebody like a CISO would need to have the governance and the ownership of that risk register in the application of the solutions in order to mitigate that risk.
Pat: Exactly that. But that team, that SOC team, did attack it and bring it to those decision makers. That's key. That's part of the process.
Darren: And I guess that's an extension of the organisation, isn't it, really. So that could be a first-party SOC. It could be a third-party security operations centre. The harmonisation of that, between the manufacturer and the SOC provider, I think is really, really key to your point around skill set and understanding the criticality of some of these alerts.
I think there's real value in working with the SOC provider that can put together playbooks that address those specific challenges. The whole idea of a playbook is that there is a pre-prescribed way to address a security challenge that you know is coming down the line. So shut this down, take this off, remove this particular aspect from the environment whilst we analyse it, and have a really immediate response to something that could potentially take that factory down.
Pat: Absolutely. Yeah. And whenever those new attacks and, you know, let's not sit on our laurels here, we might build a solution. We don't just walk away because, you know, the security attackers, the bad actors, the threats, they're not going to just sit around waiting. They're continuously developing things. They're continuously coming up with new ways to infiltrate the network and see what they can achieve. So we need to have a team who's able to then see those new attacks, see those new threats once they're identified and collaborate with the OT organisation, the IT organisation, and come up with new runbooks to mitigate a similar sort of attack. The new attack we discovered and categorised, similar attacks happening again.
Darren: Absolutely. It's a sad state of affairs, but it is the truth, the threat actor doesn't sit idle. So, constantly having that constant improvement, constant re-evaluation of the assets and making sure that those runbooks are kept up to date. It is really important. So I think, you know, there's a lot to take in there, isn't there? If we look at the summary of all of those security aspects. Zero Trust network access, making sure that we have the right people with the right credentials, accessing the equipment and the assets at the right time. That multi-layered approach, when we talk about network segmentation, I think is really key.
You talked, also, about the virtual patching and the security operations centre that kind of sits outside of that. These are all aspects that, you know, there's no one-size-fits-all. And I guess what I've got from this chat part really, is that there's many components that have to come together cohesively to address the threat of cyber security in the manufacturers that are trying to adopt this way to get to digital zero.
Pat: Exactly that. And we should not forget the fact that this secure networking approach, this multi-layered defence approach from a networking perspective, can allow us to collect quite a lot of insightful information about who's connecting with what device to what device, what applications are they using, what content is traversing that network, and where they're connecting from.
All that information can be collected centrally for auditing purposes, for management purposes, but also for compliance purposes. So we can provide reports that maybe demonstrate the risk posture, if you like, of the OT infrastructure. From the secure networking infrastructure, we can do network assessments as well. Have reports associated with that so that we can continuously look at that on a periodic basis, not just reacting to the, you know, detected threats, but periodically doing those network assessments, looking at the reports, looking at how we can drive that threat, that risk down through, like I said before, better configuration, tighter controls, more granular controls, new features, new technology that's been released by the technology vendor. More services, better runbooks, all that sort of stuff feeds in continuously, not just off the back of incidents, but continuously. To do that, like we said, is that continuous service improvement.
Darren: Plan, it's absolutely vital, isn't it, that continual continuous service improvement. It's interesting you touched on auditing there, I think I read a stat recently that talked about the fact that 80% of manufacturers only run one cyber threat assessment or vulnerability assessment. Isn't it the fact that we can offer that split of co-managed, fully managed, based on what the customer wants? To your point, they want to take some action themselves. They're really comfortable in certain technology domains, but they want to lean on a trusted third-party, such as Nasstar, to be able to do some of the heavy lifting and some of those higher-level functions and services.
So, I think that co-management aspect, and I was speaking to a customer a few weeks ago, actually, one that we've been working with for some time around their technology deployment. And one of the things that they turned around to me and said is, "Darren, the fact that you can listen to us and make sure that we've got the controls in a secure way, the controls around ZTNA, again, to be able to have access to the systems, to be able to do the things that we need to do on a day-to-day basis. But then we can rely on you to take care of all of this other, you know, this other technology that allows us to do business" was really powerful for them.
So thank you for putting that into the portfolio, Pat. I think that's really, really important. Definitely. So, I think we've covered a lot today. There's a lot to get our heads around with this drive that customers have around digital transformation, Industry 4.0, which is really paving the way for using data to make decisions easier for manufacturers. But with that comes significant risk in terms of cyber security. And, you know, we've covered some of the measures that we can take in order to be able to make that safe and let manufacturers have that entirely digitally connected factory. That is the, you know, the dream, really. So, Pat, thanks so much for joining me today. It's been really interesting.
Pat: Thanks for having me.
Darren: No problem at all. I've learned a lot. So thank you for that. And hopefully that's been of interest to yourselves watching the session today. If any of the topics that we've discussed resonate, or you just want to learn more about the world of IT and OT convergence, then please do reach out to us here at Nasstar.