See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/352330231

IT/OT convergence and cybersecurity

Article  in  Computer Fraud & Security · July 2021

CITATIONS READS

0 924

1 author:

Maleh Yassine
Université Sultan Moulay Slimane
144 PUBLICATIONS   333 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Edited Book: Blockchain for Cybersecurity in Cyber-physical systems View project

The Second International Conference on Big Data and Advanced Wireless Technologies (BDAW 2020) View project

All content following this page was uploaded by Maleh Yassine on 25 December 2021.

The user has requested enhancement of the downloaded file.

 FEATURE

6. ‘Economic loss from natural disaster ending-world-hunger-by-2030-would- 2021. https://www2.deloitte.com/us/

events globally from 2000 to 2020’.
Statista, 9 Apr 2021. Accessed Nov
2021. www.statista.com/statis-
tics/510894/natural-disasters-globally-
and-economic-losses/.
7. Ackerman, Frank; Stanton, Elizabeth.
‘The Cost of Climate Change’. Natural
Resources Defense Council, May 2008.
Accessed Nov 2021. www.nrdc.org/
sites/default/files/cost.pdf.
8. ‘World military spending rises to almost
$2 trillion in 2020’. Sipri, 26 Apr 2021.
Accessed Nov 2021. https://www.sipri.
org/media/press-release/2021/world-
military-spending-rises-almost-2-tril-
lion-2020.
9. Ahmed, Kaamil. ‘Ending world hunger
by 2030 would cost $330bn, study
finds’. The Guardian, 13 Oct 2020.
Accessed Nov 2021. www.theguardian.
com/global-development/2020/oct/13/
cost-330bn-study-finds/.
10. ‘The cybersecurity skills gap: 4 mil-
lion professionals needed worldwide’.
HDI, 16 Dec 2020. Accessed Nov
2021. www.hdi.global/infocenter/
insights/2020/cyber-skills-gap/.
11. Mickos, Marten. ‘The cybersecurity
skills gap won’t be solved in a class-
room’. Forbes, 19 Jun 2019. Accessed
Nov 2021. www.forbes.com/sites/
martenmickos/2019/06/19/the-cyber-
security-skills-gap-wont-be-solved-in-a-
classroom/?sh=51f182391c30.
12. Walters, Heloise. ‘6 cyber-related stats
in financial services’. Finextra, 9 Oct
2020. Accessed Nov 2021. www.finex-
tra.com/blogposting/19411/6-cyber-
related-stats-in-financial-services.
13. Bernard, Julie; Nicholson, Mark.
‘Reshaping the cybersecurity landscape’.
Deloitte, 24 Jul 2020. Accessed Nov
en/insights/industry/financial-services/
cybersecurity-maturity-financial-insti-
tutions-cyber-risk.html.
14. ‘Why human error is #1 cyber security
threat to businesses in 2021’. Hacker
News, 4 Feb 2021. Accessed Nov 2021.
https://thehackernews.com/2021/02/
why-human-error-is-1-cyber-security.
html.
15. Fingas, Roger. ‘FBI warns public to
reboot Wi-Fi routers to counter
‘VPNFilter’ malware’. Apple Insider, 28
May 2018. Accessed Nov 2021. https://
appleinsider.com/articles/18/05/28/fbi-
warns-public-to-reboot-wi-fi-routers-
to-counter-vpnfilter-malware.
16. Torbet, Georgina. ‘How smart light
bulbs can put your home network
at risk’. Make Use Of, 26 Feb 2020.
Accessed Nov 2021. www.makeuseof.
com/tag/smart-light-bulbs-security-risk/.

IT/OT convergence
and cyber security
Yassine Maleh
Yassine Maleh

A study by Forrester, commissioned by Fortinet, reveals the growing exposure

of industry players to cyberthreats – one of the consequences of digital the other half more vulnerable, especially
transformation.1 The lack of collaboration between IT teams and those in
since 55% of respondents have no plans to
charge of industrial or operational technology (OT) is also a hindrance to cyber
security for companies wishing to take full advantage of IT/OT convergence to deploy cyber security technologies in the
increase their competitiveness. next 12 months.
Another important finding is that indus-
The convergence of these two universes to boost their productivity and improve trial control systems are at significant risk,
offers a real competitive advantage but also their ability to collect data related to their given the lack of collaboration between IT
a disadvantage in the form of cyber attacks. production processes. Some 66% of the and OT. Around 51% of respondents said
Disruption of service following a cyber respondents to Forrester’s survey indicated they operate in a compartmentalised man-
attack can severely impact the economy. that their plants have IP networks and use ner: OT teams manage critical industrial
Therefore, it is essential to carefully exam- real-time data in their decision making. equipment and OT cyber security, while IT
ine the impact of this convergence on the However, these IP networks generate teams are responsible for IT cyber security.
cyber security level of critical infrastructure. new cyber security risks and an expand- Between a quarter and a third of those
ing area of attack, as 73% of respondents surveyed do not know who has primary
Tool transformation recognise. Simultaneously, only half of the responsibility for cyber security solutions
respondents believe that their production associated with processes, control and
Manufacturers are committed to the digital tools are sufficiently prepared to combat automation systems, business planning
transformation of their production tools cyber security threats effectively. This leaves and logistics. However, some 91% believe

13
December 2021 Computer Fraud & Security
 FEATURE
that production machines’ security should
be a shared responsibility between IT and
OT. In comparison, 58% believe that clear
and regular communication is important
to exchange views on the vision of IT/OT
convergence and thus help to achieve it.
What kind of
convergence?
Until very recently, the worlds of informa-
tion technology and industrial systems were
separated at the technical and organisa-
tional levels. Companies’ digital transfor-
mation, especially in the industrial sector,
forces companies to revisit this paradigm
and lead projects of convergence between
these two worlds.2 A certain number of
triggers have led to this need for rapproche-
ment between IT and OT, as shown in
Figure 1. We can list those that are com-
mon to the various companies. The need to
decompartmentalise data to better realise its
value is also a significant challenge for com-
panies. However, this decompartmentalisa-
tion and the almost inevitable convergence
of the systems directly affect the stakes
involved. The growing concern about cyber
security is a source of problems for leaders:
IT/OT convergence is leading to a new
challenge in terms of cyber security.
The arrival of industrial applications in
information system infrastructure has led
to an awareness of the need for synergy.
OT has a growing need for IT skills to
operate industrial applications. Operators
face more and more constraints and wish
to use the latest technologies to improve
the quality of their processes and to
transform their supply chains and build
new industrial sites. The convergence of
Figure 1 : Convergence between OT and IT.
14
Computer Fraud & Security December 2021
technologies makes it easier for systems to
cover both worlds. OT technologies embed
IT (OPC servers, cloud and edge comput-
ing, machine learning). At the same time,
IT technologies are moving towards OT
(programmable logic controller virtualisa-
tion, accessibility of technologies, etc).
A large number of challenges is disrupt-
ing the convergence of industrial and
information systems. The collection of
data and its smooth processing within the
enterprise must be addressed in the same
way as cyber security.
Risks, vulnerabilities and
threats
OT environments are by nature exposed
to risks and threats as we see more and
more industrial organisations moving from
Industry 3.0 to Industry 4.0. In recent
years we have seen an exponential increase
in attacks on OT, including Stuxnet, Dark
Energy and many others. The attackers are
abusing existing vulnerabilities and a lack
of knowhow and understanding of what
makes this environment unique. This is
also a primary challenge.
First, it is essential to realise that vulner-
abilities unique to ICS are poorly under-
stood, especially when comparing them to
the extensive amount of research around
IT vulnerabilities. They can be found in
the context of:
• Management – lack of enterprise risk
management (ERM) practices, exercises
and/or documentation, RACI matrix,
or management engagement.
• Operations – lack of network segregation
between IT and industrial control system
(ICS) networks, weak remote access pro-
cedures, incident detection, response and
reporting procedures, among others.
• Technique – in hardware, software or
networks.
Furthermore, we need to understand
that OT environments rely on two main
paradigms: ‘safety comes first’ and ‘if it is
working, do not touch it’. Therefore, we
are talking about environments with (but
not limited to) unpatched systems, obso-
lete operating systems, lack of visibility and
many other challenges, creating a unique
domain in which to work. For most pro-
fessionals operating in this field, many of
the tasks rapidly become onerous. The
primary challenges are:
• Lack of a professional workforce that
understands both OT and IT.
• Lack of communication between OT
and IT staff in general and also due to
differences in terminology.
• Risk avoidance is inherent within the
environment.
ICS targets
Industrial control systems used in critical
infrastructure and manufacturing indus-
tries are the targets of sophisticated cyber
attacks. We commonly see ICS vulnerabili-
ties in a number of areas.
Legacy software: OT systems operate
with legacy software that is not sufficiently
authenticated by users and the system and
lacks data integrity verification features.
This allows attackers to gain uncontrolled
access to systems.
Default configuration: The use of simple
or default passwords and basic configura-
tions makes it easier for attackers to enu-
merate and compromise OT systems.
Lack of encryption: Older supervisory
control and data acquisition (Scada) con-
trollers and industrial protocols cannot
encrypt communications. Attackers use
sniffing software to discover usernames and
passwords.
Remote access policies: Scada systems
connected to unverified dial-up lines or
remote access servers provide attackers with
convenient access to the OT network and
the corporate LAN.

Policies and procedures: Security gaps are
created when IT and OT personnel have
different approaches to obtaining industrial
controls. The different parties should work
together to create a unified security policy
that protects both systems.
OT security
OT security generally covers security con-
trols around process control systems (PCS),
distributed control systems (DCS) and
Scada environments, which are also col-
lectively referred to as ICS environments.
The ICS environment will also use com-
mon computer systems and devices such
as authentication servers, IP-based network
switches and firewalls and PC workstations
that run the engineering software to man-
age the ICS devices.
Although most industrial control sys-
tems use Ethernet and IP protocols, there
are many industrial protocols that make
it more difficult to apply security controls
consistently. Protocols such as Common
Industrial Protocol (CIP), Modbus,
MTConnect, DNP3, Profinet and
EtherCAT have been built for different
purposes and are often exposed to more
attack vectors than traditional IP-based
protocols.
The most critical differences between
security management in an ICS environ-
ment and an IT environment are the dif-
ferences in industrial processes’ operational
priorities compared to IT systems.
ICS environments face different opera-
tional challenges than IT environments,
and they tend to be targeted by different
attackers. ICS environments are primarily
concerned with government-sponsored
attackers; some organisations also face the
attention of hacktivist groups, who may
view ICS as a high-impact target. On the
other hand, financial threat actors have lit-
tle motivation to attack ICS environments.
Critical controls
There are numerous critical security con-
trols for ICS environments, so we’ll look at
the most important.
December 2021 Computer Fraud & Security
System design verification/validation:
OT network-monitoring products can
provide detailed asset management, threat
detection and vulnerability management
capabilities for OT environments. These
products require passive scanners in the
ICS network to observe all OT network
traffic between ICS assets and identify
details of those assets in the ICS environ-
ment. Asset and vulnerability information
can be derived from network headers or
metadata sent between ICS assets by pas-
sively intercepting network traffic. The
products can also monitor communica-
tions between ICS assets and report poten-
tial threats.
Remote access: Vendor engineers and
staff should only connect to ICS environ-
ments using multi-factor authentication.
They should connect via a privileged access
management platform so that each person
can administer only the ICS assets they are
authorised to access.
Whitelisting applications: ICS assets and
processes typically operate with very few
changes and minimal user interaction. A
whitelisting application works very well
in a static environment like ICS because
there are no frequent changes that require
administrative intervention.
Micro-segmentation: This is a network
control that gives access to network flows
between systems on the same logical
network. Micro-segmentation effectively
isolates any unknown device connected to
the network and requires that a policy be
applied to a newly integrated device before
it can communicate with other devices.
User and entity behaviour analytics
(UEBA): This is a control that integrates
authentication and user and application
activity logs, profiles user and entity usage
behaviour and performs anomaly detec-
tion using analytical approaches. Profiling
focuses on five characteristics – users,
hosts, applications, network traffic and
data repositories. UEBA is a very effective
detection control in ICS environments
since operational activities are highly
structured and predictable, making it easy
to detect abnormal behaviours, including
malicious activity.
FEATURE
Cyber IT-OT approach
First of all, a cyber IT-OT conver-
gence approach requires having a
clearly defined target, a starting point
for excluding everything else that is not
strictly relevant. Sponsoring at the high-
est level allows for good acceptance of
the chosen approach throughout the
organisation, without bias.
It is necessary to set up, disseminate
and infuse a ‘cyber’ culture and a ‘securi-
ty’ culture by creating a dedicated chan-
nel and community, regardless of the
hierarchy in place. Defining the perime-
ters is very important: all responsibilities
must be defined from the outset.
Aligning cyber IT-OT strategies is
crucial to ensure that you don’t forget to
deal with elements without overlapping
too much. Working group participants
have sometimes highlighted that there
are often several departments in charge
of cyber security in companies, depend-
ing on the areas concerned – IT, OT,
sales or linked to service providers. Here
are some organisational approaches for
an IT/OT convergence around cyber
security:
• Have clear and robust policy develop-
ment and management to protect the
IT/OT environment.
• Establish security roles and responsi-
bilities that clearly define the separa-
tion of roles and responsibilities for
IT/OT systems.
• Carry out an audit at the group
level showing the ‘non-governance’ of
cyber security in the company (audit
requested at the CEO or CIO level).
• Make cyber risk visible in business
programmes.
• Develop an internal profile from
within the OT community to main-
tain proximity to OT teams in cyber
security.
• Create a channel and a community
dedicated to cyber security, including
IT and OT security.
• Raise awareness of OT among IT staff
and vice versa to understand the spe-
cificities of each one.
15
 FEATURE

• Enable co-location to help teams col-
laborate.
• Industrialise methods and processes
with a forward-looking vision (at least
18 months into the future).
• Implement a risk-based approach and
report on security sub-risks.
• Train OT teams in IT cyber security
to speak the same language and, con-
versely, train IT cyber security teams
in OT to be aware of the issues being
addressed.
• Set up a security operations centre
(SOC) dedicated to OT in parallel
with a SOC dedicated to IT.
The challenge
Mastering cyber security in IT-OT will
require security throughout the entire
project lifecycle, and at several levels, from
strategy to operations and implementation.
It will require:
• Strategy: Risk assessment, definition
of a governance structure, monitoring
tools.
• Implementation: Integration of secu-
rity and data protection at all stages
and in all components of the solution
(development, deployment, testing,
documentation, etc).
• Operations: Protection of systems in
operation; securing the means of trans-
mission; regular audits; supervision and
detection of threats.
The OT ecosystem includes a multiplic-
ity of stakeholders: sensor manufacturers,
telecoms operators, cloud and data analysis
solution providers, industrial system opera-
tors, etc. These players must cooperate to
ensure end-to-end security on both techni-
cal and organisational levels.
IT/OT security will require security to
be taken into account from the earliest
stages of projects. Cyber security should be
taken into account through a governance
structure, analysis and treatment of cyber
risks, technical solutions for continuous
protection and monitoring, reinforced
compartmentalisation and security of criti-
cal parts, as well as regular user awareness
and security audits.
About the author
Yassine Maleh is a senior IEEE member and
professor of cyber security at Sultan Moulay
Slimane University. He is a cyber security
researcher and practitioner with industry and
academic experience. He worked for more
than 10 years with many large organisations
in Morocco as a CISO. He is the editor in
chief of the International Journal of Smart
Security Technologies (IJSST). He serves
as an associate editor for IEEE Access, the
International Journal of Digital Crime and
Forensics (IJDCF) and the International
Journal of Information Security and Privacy
(IJISP). He has edited and authored a num-
ber of books on cyber security and privacy.
References
1. ‘Independent study finds that secu-
rity risks are slowing IT-OT conver-
gence’. Fortinet, 2020. Accessed Feb
2021. www.fortinet.com/content/dam/
fortinet/assets/white-papers/wp-re-
port-ot-forrester.pdf.
2. ‘Convergence IT – OT’. CIGREF,
2019 (in French). Accessed Feb
2021. www.cigref.fr/wp/wp-content/
uploads/2019/12/Cigref-Convergence-
IT-OT-Rapprochement-fructueux-
Systemes-Information-et-Industriels-
Decembre-2019-light.pdf.

Zero-width text steganography

in cybercrime attacks
Keshav Kaushik and Akashdeep Bhardwaj, University of Petroleum and Energy most commonly UTF-8. Because almost
Studies, Dehradun, India any written language in the world needs
Unicode support, counterintuitive charac-
Steganography is an ancient practice historically used by kings and other rules
ters such as ‘non-joiners’ with zero width
to conceal messages. Its aim is to hide a message within some other medium.
Steganography has different forms, depending on the media used, such as and nullification spacing exist. For exam-
audio, video, network traffic and so on. However, those are not the only ways ple, the non-joiner zero-width element is
to communicate in secret. It’s possible to create secret correspondence with the used in languages such as Persian where
aid of textual steganography – text within text – concealing the information in the appropriate form of word is needed.
plain text with the aid of ‘null-width’ characters. The zero-width non-joiner (ZWNJ) is
a non-printing character that separates
With image and audio steganography, bits that one could exploit to hide the other characters that, in most cases, would
concealment is carried out by changing the secret information. Unicode, on the other be joined to form a ligature. The ZWNJ
least significant bit in a pixel or audio byte. hand, does have this type of advantage. keeps the characters apart, but closer than
However, characters used in plain texts do The standardised text-encoding format they would be if a space were used.
not have the concept of least significant used in most web browsers is Unicode, Figure 1 shows how, using a ZWNJ,

16
Computer Fraud & Security December 2021

View publication stats