OT network security: the backbone of grain operations [Video]

Interstates' Dave Smit on the importance of a secure OT network to mitigate safety and operational risks in feed and grain facilities.

In this Feed & Grain Chat, OT architecture and security expert Dave Smit, with Interstates, explains the differences between IT and OT networks, emphasizing the criticality of OT network security due to potential safety hazards and operational disruptions. Smit highlights the benefits of OT-centric solutions, such as firewalls, defense in depth strategies and asset inventory, to minimize security risks.

Transcription of Feed & Grain Chat with Dave Smit, OT architect operational technology, infrastructure and security, Interstates:

Elise Schafer, editor, Feed & Grain: Hi, everyone, and welcome to Feed & Grain Chat. I'm your host Elise Schafer, editor of Feed & Grain. This edition of Feed & Grain Chat is brought to you by WATT Global Media and FeedandGrain.com. FeedandGrain.com is your source for the latest news, product and equipment information for the grain handling and feed manufacturing industries.

Today, I'm joined on Zoom by Dave Smit, OT architect operational technology, infrastructure and security, for Interstates. He's here to explain why you might want to consider an OT-centric solution to securing your grain elevator’s network. Hi, Dave, thanks for joining me.

Dave Smit, OT architect operational technology, infrastructure and security, Interstates: Thanks for having me, Elise.

Schafer: Absolutely. Now, can you explain the difference between an IT and an OT network and why OT network security is particularly critical for feed and grain facilities? 

Smit: Yeah, absolutely. Fundamentally, when you think about IT and OT networks, the technologies behind them are typically the same. It used to be — if you would go back 10 to 15 years ago — and you talked about OT networks and how devices are communicating, a lot of people would start talking about protocols that are using blue hose and some older methods of communication.

Today, everything, or most things are using Ethernet IP as their communication protocols. And so from a network infrastructure standpoint, our IT and OT networks start to look similar. And I think that can have some dangerous caveats if we're not careful. And just because the networks look similar, doesn't mean we should treat them similar. And so there are a couple key things to note when you're talking about OT and IT networks, and typically, I like to think of them around criticality.

When you think about your IT network, if you lose access to your printer, or your file share or your email server, those are usually inconveniences, right? If you can't make a phone call, most of the time, that's an inconvenience. When you think about the OT side of things on the OT networks, a lot of times that switches from an inconvenience, to potentially a safety hazard or an operational expense, right? If my OT network goes down, I maybe can't make product anymore. And instead of just printing out a receipt, now I can’t actually make the product to make those receipts and deliver those to my end customers.

But really, the more critical side of things is the safety side of things. Within our OT networks, we start to have different impacts that could happen. Say you lose communications to a grain leg, say you start to lose communication with your sensors that are monitoring your bin dust saturation in the air. Now, all of a sudden, you lose visibility, you lose access, and you start to have safety impacts. Well, if my combustion level gets too high and I can't be aware of that and now I start to have safety incidents and safety hazards. And so that's really the big one for me.

I think a lot of times, we've also overlooked our OT networks. We've said, ‘Nobody really cares about me on my OT side, right? They're going to go after my IT assets. They want to compromise my people's email accounts. They're going to go after the IT things.’ And more and more today, we start to see people attacking OT networks and so that understanding the criticality of that really becomes important.

Schafer: So what are some OT network security best practices and which measures would you say are absolutely necessary or non-negotiable?

Smit: Yeah, that's a great question, Elise, and you know, we can really talk about a lot of different best practices that are out there today. But for me, my first non-negotiable is having an OT-centric firewall. Being able to secure your OT network from the rest of your corporate network is critical. I just kind of said that a lot of attackers and exploits are going after the IT networks first and if we don't have separation between our IT and OT networks, things that happen in our IT network can automatically bleed into our OT networks without us even knowing.

Typically, our OT networks are running older hardware, older software, older firmware. And those things are much more susceptible to some of the risks that are even inherent in our IT environment. You know, aside from a security risk, having an OT firewall in place also helps from an operational risk perspective. You can prevent people from accessing things that maybe they shouldn't access. You can help prevent some user error just in the crossover between the things. In addition to having an OT firewall, I think it's really important to understand the concept behind defense in depth. I think a lot of times people want to go and buy this grand solution, and it's going to fix all of their problems, right? ‘I'm going to put a firewall on my network and it's going to fix all my problems,’ or ‘I'm going to put antivirus’ or ‘I'm going to do patching,’ or you name it. ‘I'm going to put Zero Trust in,’ if you want to throw another buzzword out there, ‘and it's going to solve all of the problems.’ And I think it's important for us to understand that there's no one-size-fits-all solution in our OT networks today. We have to really start layering these things together. So defense in depth, of course, is having multiple solutions compiled on top of each other, so that when they have gaps — when there are coverage deficiencies between the products — they can work in tandem to better secure your networks.

Probably the last best practice that I would really recommend is understanding what's on your network. So doing an asset inventory, doing a vulnerability scan and really understanding what you have, and where you have it allows you to understand how to, first of all, better secure your firewall in the first place, but also allows you to understand and make remediation plans for the future. If you don't know what you have on your network, you can't even start to have the conversations about risk management and understanding what your risk appetite is, and any of those types of concepts that you need to have with your leadership. Because you don't really know where your risks are. So identifying your risks is critical, absolutely.

Schafer: Can you give us an idea of the investment required for a facility to fully secure its OT network, and what's the justification for this investment?

Smit: The answer is really it depends. And I think I go back to a little bit of what is your risk appetite? And what is your risk acceptance? And what do you as a company deem to be acceptable to yourselves? I think if you're just talking about maybe a small facility, just a single standalone facility, and you want to do some of these things, you can go buy a $5,000 firewall and put that in place and start to have immediate security. If you start to talk about some of these large companies who are doing things, some of them are spending hundreds of millions of dollars to re-evaluate all of their security controls within their facility.

And so, again, it starts with what is your risk appetite and I think that leads into what is the justification. And how do you justify that cost to leadership and management is by asking them a little bit, ‘What are you willing to lose if I stopped making production for two days?’

How much does that cost you as a company? That needs to play into how much am I willing to spend to potentially not have that risk later. And it's not terribly hard to start little steps if you don't have some of these security controls in place. I think the hardest thing is usually getting that ball rolling. And then I think once you can start having those conversations, you can move that forward. Again, I want to emphasize though, I think it's really important to make sure you have those conversations and you get that buy-in all the way up to your executive leadership, and so that they can understand why you're doing things and you can really sell the value to them.

Schafer: Excellent points. Well, thank you so much for your insights today, Dave.

Smit: Absolutely. 

Schafer: That’s all for today's Feed & Grain Chat. If you'd like to see more videos like this, subscribe to our YouTube channel, sign up for the Industry Watch daily eNewsletter or go to feedandgrain.com and search for videos. Thanks for watching and we hope to see you next time.