During “Behind Closed Doors,” Easi takes a comprehensive look at the security landscape. A lot of attention is being paid not only to IT, but also to OT, and this is no coincidence. OT and IT are becoming increasingly similar, but they are also fundamentally different.

Easi is once again bringing together many people from a wide range of industries for its “Behind Closed Doors” event. Fortunately, the doors of the Van der Valkhotel in Ghent, which overlooks the neighboring football stadium, are not yet closed when we arrive. After the welcome, everyone who comes in quickly looks for a free seat at one of the sixteen tables.

Behind closed doors there is a “marketplace” for security. At each table, the selected vendors give their best during eight 40-minute sessions. Like on a speed dating evening, the participants move from table to table. A diverse range of topics is reviewed: from pentests to SOCs to (of course) AI. The presenter keeps a close eye on the schedule and a loud alarm signal indicates that it is time to move on to the next table.

Weak link

The roundtables are not limited to IT security. Operational Technology, or OT for short, is also regularly discussed. IT and OT have long been viewed as two separate worlds, but partly due to pressure from European regulations such as NIS2, they are increasingly merging. However, OT is still often viewed as a “weak link” in security.

We ask Jeroen Colpaert whether this dubious reputation is justified. Division Manager with Easi and his colleague Gerrit Neyrinck, Senior Safety Engineer. Neyrinck immediately puts his finger on the painful wound. “When it comes to security, IT has a twenty-year lead over OT. If machines are running and working, then keep your hands off them, because shutting down production costs a lot of money. Most “old guard” OT engineers also have little to no knowledge of security. Previously, OT remained local, but with IoT there is more convergence with IT.”

“The scope is completely different,” adds Colpaert. “IT security is all about the integrity of data. Availability, reliability and security are the three keywords of OT security. OT and IT must learn to understand each other and share knowledge. Too often they don’t know what the other person is doing.”

When it comes to security, IT has a twenty-year lead over OT.

Gerrit Neyrinck, Executive Security Engineer Easi

Emergency button

The intersection of IT and OT does not happen smoothly, precisely because the two worlds are so different. OT security often starts from IT principles, but this approach doesn’t work, Neyrinck notes.

“There is no ’emergency button’ for OT: then your factory will blow up, so to speak. Patching, as is common in IT, also doesn’t work because you can’t test in an OT environment. Once the upgrade has started, you cannot restart it as it would take too long to get it back into production. The risks are much higher in the OT context, so the approach is more cautious.”

“Previously, production was carried out in one air gap Environment, but today everything is tied together. Secured Remote access also becomes crucial for production machines. How do we know if it’s safe if someone presses a button remotely? When everything is running, everything is fine, but if a machine fails, the consequences can be catastrophic. You can’t isolate devices: That just doesn’t work in an OT environment. The impact of OT problems is very large: not only financially, but potentially also for the safety of people or the environment,” warns Colpaert.

The presence of outdated technology adds additional complexity to security. Neyrinck: “OT systems can last up to thirty years and have to run around the clock. Additionally, no two factory environments are exactly the same. If a provider of a particular machine goes bankrupt, there is a risk that you will no longer have anyone to contact if problems arise. In IT, a hardware update is carried out approximately every five years refreshmentbut we can’t ask production companies to replace new machines every five years that cost millions of euros?”

Visibility

Colpaert and Neyrinck agree that OT security deserves its own approach. It all starts with gaining visibility in your environment. Colpaert: “You not only need to know what is in your factory, but also what components are in the machines. You then examine where vulnerabilities exist in the network and which policies may be in conflict. If you don’t know that, you can’t apply security to it. It’s about gaining insight into everything you have and how to operate it safely.”

“We see that the market is evolving,” says Neyrinck. “Providers from the world of IT security see their opportunity to make profits and are incorporating OT. Personally, I believe there is a need for dedicated OT solutions that understand the specific protocols.” “Manufacturers of chips for the machines also play a role here. Vendors want to help develop tools. But it’s not about how you get from IT to OT, it’s about how you bring both worlds together,” adds Colpaert.

Today, there is a lot of focus in IT security on training people to use technology safely. Colpaert and Neyrinck also see this as added value for OT, but make a comment. “People need to understand how they interact with machines in the context of safety, not just from an operational perspective,” says Colpaert.

Neyrinck continues: “A different approach is needed. Your production teams don’t work behind a PC. You cannot achieve this with mandatory video training. Flashcards for example, are more effective at raising user awareness. Physical security is still the most important thing in OT.”

The impact of OT problems is very large: not only financially, but also for people and the environment.

Jeroen Colpaert, head of the Easi division

Get out of the sand

Neyrinck sees a positive change in security awareness. This is a must as NIS2 makes no exception for OT environments. “Previously, companies knew OT security existed but didn’t do anything about it. Now the ostrich tactic is no longer possible. Companies will be punished if they don’t do it. Standards for OT will be given the same importance as IT standards.”

“I think it’s good that NIS2 also takes OT into account and not just IT,” Colpaert sounds approving. “The frameworks are about the same thing Theories, just the way you approach it is different. Companies are looking for the right people with the right skills. These are rather limited in the OT world.”

In short, there is still a lot to do, concludes Neyrinck. “NIS2 makes a strict distinction between SMEs and large companies. Therefore, SMEs do not know whether it will also have an impact on them. We also need to think more about backups and disaster recovery. Large companies can more quickly deploy a team of dedicated people to their OT, but even then, a twenty-year backlog is not easily eliminated.”

This is an editorial contribution in collaboration with Easi. Click here for more information about the security solutions.