In order to protect the growing overlap between production and information technologies, companies need to adopt an interdisciplinary approach. By having an integrated IT/OT Security Operations Center (SOC), organizations can obtain a holistic view of their infrastructures, illuminate blind spots, and identify and prepare for cyberattacks across divisions more quickly and effectively.
Humming, hissing, clattering – over and over again: a feed belt stoically moves new stainless steel blanks to the pickup position on a lathe. From there, the workpieces automatically enter the cutting chamber, are processed into axle journals for the automotive industry, and are transported out again via the conveyor belt. This is an everyday occurrence in many German factories. Although these machines often continue to perform reliably 20 years after purchase, operational technology (OT) has undergone serious changes in production. Trends such as the Internet of Things (IoT), edge computing, and big data analytics are driving industrial companies to connect their manufacturing processes to an ever greater extent. And they don't usually stop at the "old-timers" in the machine park – where necessary, they simply retrofit them. The result: IT and OT are becoming increasingly intertwined. As more and more machines are given network access, however, the opportunity for cybercriminals to attack also grows.
Once a machine is connected to the network, it can become a target for cybercriminals. And this isn't just a theoretical scenario; it's a very real danger. In the last twelve months alone, 75 percent of the companies surveyed reported attacks on their production infrastructure, according to a study by T-Systems and Techconsult. It is often the vulnerabilities inherent in outdated operating systems and remote access that open the door for attackers. The most recent SANS survey regarding security incidents in the OT environment cites "external remote services" as the most common "initial access vector." Yet even the latest operating systems often conceal serious security vulnerabilities that attackers consistently exploit. In order to prevent situations like these from arising in the first place, companies need to adopt interdisciplinary security concepts that take a holistic view of IT and OT.
Although many companies are aware of the increasing connection between production technologies and IT infrastructures, it still proves difficult for them to view the two areas together from a security perspective. A study by Fortinet found that 51 percent of the companies surveyed said their IT and OT teams still work in isolation from each other. This means that in these facilities, only the system experts are concerned with the security of the process, control, and automation systems. The IT professionals, on the other hand, are solely tasked with protecting information technologies. This practice creates unintentional blind spots that cybercriminals can use to their advantage. This is why companies need to adopt holistic security strategies that focus on the interaction between industrial facilities and information technologies. The foundation for this: more transparency.
To get a clear view of the entire attack surface, managers must first conduct a cross-functional (IT, OT, physical) assessment. A Security Operations Center (SOC) can then take over the operational "orchestration" of monitoring and defense activities, building on the results of the assessment, the strategies derived from it, and the concrete measures implemented, in order to detect and respond to anomalies using OT-specific technologies, among other things. All security-relevant information is analyzed and evaluated in real time in a central SOC and, if necessary, countermeasures are initiated together with those responsible for the process.
In addition to a team of analysts with interdisciplinary training, a modern SOC employs AI-based tools, among other things, to monitor the "behavior pattern" of the infrastructure and OT processes around the clock. By doing so, the system helps to move beyond isolated structures and establish end-to-end security across IT and OT systems and processes. If the SOC sensors detect irregularities, the first step is to use correlation and orchestration tools (SIEM and SOAR) to perform additional analyses in a matter of seconds to help the SOC analyst evaluate what is happening. In the event of an actual cyber incident, this system will alert the relevant parties and immediately initiate countermeasures in accordance with specific cross-IT/OT playbooks.
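The cross-IT/OT correlation described above can be made concrete with a small detection rule. The following Python example is added here for illustration and is not code from the article, from T-Systems or from Telekom; the log formats, host names, IP addresses, the allowed-writer baseline and the playbook entries are all constructed for the example. It joins VPN gateway session events (IT side) with PLC write events seen by a passive OT sensor (OT side): a PLC program download originating from an address that a remote session was just assigned reflects the "external remote services" initial access vector the article cites, and a write from any host outside the engineering-workstation baseline is flagged as a deviation from the expected behavior pattern.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for this example (not from the article or any real SOC).
# IT side: VPN gateway session events. OT side: a passive OT sensor observing PLC traffic.
IT_LOGS = [
    "2024-03-05T08:02:11Z vpn-gw01 session_start user=contractor01 src=203.0.113.45 assigned_ip=10.20.5.17",
    "2024-03-05T08:40:02Z vpn-gw01 session_start user=engineer02 src=198.51.100.8 assigned_ip=10.20.5.23",
]
OT_LOGS = [
    "2024-03-05T08:05:40Z ot-sensor01 plc_write src=10.20.5.17 dst=10.30.1.10 func=program_download",
    "2024-03-05T09:30:00Z ot-sensor01 plc_read src=10.30.1.50 dst=10.30.1.10 func=read_holding_registers",
    "2024-03-05T10:15:22Z ot-sensor01 plc_write src=10.30.1.50 dst=10.30.1.11 func=write_single_register",
]

# Hypothetical baseline: engineering workstations that are expected to write to PLCs.
ALLOWED_PLC_WRITERS = {"10.30.1.50"}

# Hypothetical cross-IT/OT playbook actions, keyed by rule name (assumed, not the article's).
PLAYBOOK = {
    "external_remote_to_plc_write": "quarantine VPN session; notify process owner; verify PLC program",
    "unexpected_plc_writer": "notify process owner; confirm change ticket; capture traffic from source",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


def parse_line(line):
    """Parse 'timestamp host event k=v k=v ...' into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts, "host": m.group("host"), "event": m.group("event")}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = value
    return rec


def correlate(it_lines, ot_lines, window=timedelta(minutes=30)):
    """Return alerts for PLC writes that either originate from a freshly started external remote
    session (rule 1) or come from a host outside the allowed-writer baseline (rule 2)."""
    sessions = [r for r in map(parse_line, it_lines) if r and r["event"] == "session_start"]
    alerts = []
    for ev in map(parse_line, ot_lines):
        if not ev or ev["event"] != "plc_write":
            continue
        flagged = False
        # Rule 1: the writing host's address was handed out by a remote session within the window.
        for s in sessions:
            if s.get("assigned_ip") == ev["src"] and timedelta(0) <= ev["ts"] - s["ts"] <= window:
                alerts.append({
                    "rule": "external_remote_to_plc_write", "severity": "high",
                    "ts": ev["ts"].isoformat(), "user": s.get("user"), "remote_src": s.get("src"),
                    "writer": ev["src"], "plc": ev["dst"], "func": ev.get("func"),
                    "action": PLAYBOOK["external_remote_to_plc_write"],
                })
                flagged = True
        # Rule 2: writer is not a known engineering workstation (skip if rule 1 already fired).
        if not flagged and ev["src"] not in ALLOWED_PLC_WRITERS:
            alerts.append({
                "rule": "unexpected_plc_writer", "severity": "medium",
                "ts": ev["ts"].isoformat(), "user": None, "remote_src": None,
                "writer": ev["src"], "plc": ev["dst"], "func": ev.get("func"),
                "action": PLAYBOOK["unexpected_plc_writer"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(IT_LOGS, OT_LOGS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['writer']} -> {alert['plc']} "
              f"({alert['func']}) user={alert['user']} action={alert['action']}")
```

With the sample data, only the program download from 10.20.5.17 is reported, attributed to the VPN user `contractor01`, and the playbook action tells the analyst whom to involve; the read and the write from the baseline workstation 10.30.1.50 stay silent. Shrinking the correlation window so that the session no longer matches downgrades the same event to the medium-severity baseline rule, which is the kind of tiered escalation a SOC playbook would encode before an analyst confirms the incident with the process owner.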
As the operator of the largest SOC in Europe, we deliver a high level of interdisciplinary expertise in IT security and operational technology. Not only do our SOCs protect the Telekom Group's own IT systems and networks, but also the OT infrastructures of many of our customers – from power plants to complex production facilities. We support companies in every phase of strategy development and implementation – regardless of whether a customer is at the very beginning of developing a strategy or is already in the midst of implementing it. Telekom's OT security experts work together with the companies' machine control experts to analyze the OT systems, identify hidden vulnerabilities with targeted penetration tests, and draw up comprehensive defense concepts. When combined with integrated, end-to-end SOC operations, companies can achieve the highest levels of security for their infrastructures and minimize the risk of costly production downtime or loss of data and control.