
Why you need a separate IT and XIoT security system

Key differences between IT and extended internet of things (XIoT) security mean businesses that provide critical infrastructure cannot use one security strategy for both, an executive has warned.

Malavika Santhebennur
Thu, 09 Mar 2023

Ahead of the inaugural Cyber Security Summit 2023, Claroty ANZ regional director Leon Poggioli said that organisations that are at the core of providing water, electricity, and transport tend to be fairly mature in their IT security posture.

“But when it comes to OT and the broader cyber-physical world — including IoT and industrial IoT — there are some significant differences,” he told Cyber Security Connect.

“This means you can’t just translate your IT security approach across to XIoT.”
The first difference, according to Poggioli, is that XIoT devices are not owned by IT, and as such, it is difficult to understand what that attack surface looks like.

“Ultimately, a chief information security officer still usually owns the cyber risk across the entire organisation, so it’s critical to understand that attack surface and prioritise how you protect it,” he said.

Secondly, XIoT assets are often connected to production and safety systems, which means that an organisation cannot simply disconnect a compromised asset like it could with an infected user machine, Poggioli explained.

Finally, he continued, an organisation’s XIoT estate has a wide variety of remote connectivity, which is difficult to lock down and govern access to.

Third-party contractors, internal users, reporting and analytics portals, as well as vendors all often require access to these systems, Poggioli explained.

“It’s important to understand what those connections are, make sure remote users are only accessing the systems you want them to access, and provide assurance that your cyber-physical estate is protected,” he said.

For these reasons, it is vital to differentiate between IT security and XIoT security, because traditional IT cyber security approaches cannot be applied directly to the cyber-physical world.

“That’s not to say you need to duplicate all your people and processes to handle incident response,” Poggioli reassured.

He suggested that a mature security operations function — which is a collaboration between IT security and the operations team that integrates tools, processes, and technology to ensure enterprise security while curtailing risk — could be extended to also handle operations technology incident response.

“This is why we integrate with third-party ticketing and workflow technologies to help streamline the operations technology incident response handling of our customers,” Poggioli said.

Poggioli’s comments precede his session at the first Cyber Security Summit in June, where he will provide insights on the latest threats in operations technology, how companies can future-proof their critical infrastructure protection strategies, and how securing industrial environments differs from IT security.

He highlighted that attacks on critical infrastructure such as power grids, transportation, oil and gas, and communications systems can impact human lives, either through the compromise of safety systems or the flow-on effect of loss of basic utilities like electricity or water.

The best-case scenario in the event of an attack, he added, would be an impact on production, which would have a direct financial impact on the organisation.

Citing the Triton malware attack, which was first discovered at a petrochemical plant in the Middle East, Poggioli said the malicious code could have disabled safety systems and released toxic gas or caused an explosion.

“It was the first time an attack was designed to explicitly cause loss of life,” he said.

While noting that the attack was sophisticated, Poggioli said it highlighted what is possible when a vulnerability is identified and exploited with malicious code to then move laterally through the network.

“Properly segmenting the network and having visibility around which machines are talking to which can help identify suspicious activity or network traffic between operations technology assets,” he suggested.

“Of course, it’s also important to follow the right business procedures around change management, to ensure loopholes aren’t left open for attackers to exploit.”

To hear more from Leon Poggioli about the unique threats that industries that provide critical infrastructure face, why they pose potentially catastrophic risks if their systems are left vulnerable, and how organisations can secure operational technology assets, come along to the Cyber Security Summit 2023.

It will be held on Thursday, 1 June 2023, at Hotel Realm, Canberra.
