IT professionals and OT managers often ask us what is the best way to secure industrial machines and devices. And of course there are many cyber-protective technologies to work with.

But the question often comes down to the placement of the protective technology: “Should I put protection on the devices themselves, or in a gateway at the IT/OT boundary?” The short answer: Yes.

It’s always best for a connected device to incorporate strong security protections, whether it’s a computing device on the IT side, or an industrial device on the OT side. As one CISO put it to me: “I want my machines to be secure wherever I put them.”

In other words, he wants device-level security to be intrinsic. He doesn’t want it to come from architecture or network topology.

The makers of industrial machines and devices think the same way. They need to reassure customers that their products aren’t vulnerable to cyberattacks. But most machine makers aren’t cybersecurity experts (as they’ll readily admit).

Plus, there have been relatively few widely-publicized attacks against industrial assets. That makes it harder to justify investing in onboard protection.

So the makers will say: “We take cybersecurity with the utmost seriousness. You can expect future generations of our products to incorporate strong cyber protection.”

Does a statement like that make you willing to postpone your next capital-equipment investment until your vendors sort out security? I didn’t think so.

To go a step further, think about the technologies that are actually needed to protect machines. Some are very familiar from IT security practice: network segmentation, stateful-inspection firewalling, encryption, asset discovery, and anomaly detection/DPI solutions.

But some are distinctive to ICS/OT. And these technologies are new and different, because IT professionals really haven’t focused much on OT protection to date. For their part, OT managers think more about safety, process integrity, and efficiency than about security.

We need to protect both the IT and OT realms from cyberthreats originating on the other side. To do this, some new technologies need to be deployed, including process-specific transaction whitelists. (I’ll come back to this in a future post.)

To put the pieces together, connected machines need a package of protections like encryption, anomaly detection, and transaction filtering. And that brings us back to the question: where do you deploy that package?

Again, you really want to see cyber-protection right onboard your devices and machines. Capital-goods makers are certainly moving in this direction. But the costs are very high. Some classes of machines (such as industrial robots and high-end PLCs) already have the compute power needed for the job. But most don’t.

Today’s machines already support connectedness. But adding enough extra compute power to support strong crypto and other tough-to-manage security technologies is a much bigger stretch, both operationally and cost-wise. For some machines, these capabilities will come very soon. For others it’ll take longer (5-10 years). And for many, it will never make sense.

So what’s the best path for IT and OT professionals?

For many, the answer will be an IT/OT gateway. This is a computing device deployed at or near the network boundary between IT and OT that can supply a range of cyber-protective capabilities.

While not as satisfying as intrinsic device-level security, the gateway approach meaningfully improves cyber assurance at modest cost. Deployed properly, gateway-level protection is also highly manageable and cost-effective at scale.

The key thing about gateway security is that it needs to deliver the same protections that will eventually migrate to machines themselves. This makes management and future-proofing of industrial infrastructure seamless and cost-effective.
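As an added illustration of what one of these gateway-level protections looks like in practice, here is a small default-deny transaction whitelist of the kind mentioned earlier, applied to Modbus/TCP requests crossing the IT/OT boundary. This is example code written for this post, not a product or the author's own implementation; the client addresses, unit id, register windows and the sample frames are constructed assumptions, as is the choice of Modbus as the protocol.

```python
"""Toy IT/OT gateway transaction allowlist for Modbus/TCP (added example).

All hosts, unit ids, register windows and frames below are constructed
for illustration; they are not taken from any real plant.
"""
import struct
from dataclasses import dataclass

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class Transaction:
    src: str        # IP of the IT-side client that sent the request
    unit: int       # Modbus unit identifier addressed
    function: int   # Modbus function code
    start: int      # first register touched
    count: int      # number of registers touched (0 if unmodelled function)


@dataclass(frozen=True)
class Rule:
    """One permitted (client, unit, function, register window) combination."""
    src: str
    unit: int
    function: int
    first_reg: int
    last_reg: int

    def permits(self, t: Transaction) -> bool:
        return (t.src == self.src and t.unit == self.unit
                and t.function == self.function and t.count >= 1
                and self.first_reg <= t.start
                and t.start + t.count - 1 <= self.last_reg)


def parse_modbus_tcp(src: str, frame: bytes) -> Transaction:
    """Decode the MBAP header and enough of the PDU to know what is touched."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function, pdu = frame[7], frame[8:]
    if function in (READ_HOLDING_REGISTERS, WRITE_MULTIPLE_REGISTERS):
        if len(pdu) < 4:
            raise ValueError("truncated register address/quantity")
        start, count = struct.unpack(">HH", pdu[:4])
    elif function == WRITE_SINGLE_REGISTER:
        if len(pdu) < 4:
            raise ValueError("truncated register address/value")
        start, count = struct.unpack(">H", pdu[:2])[0], 1
    else:
        start, count = 0, 0   # unmodelled function: matches no rule, so dropped
    return Transaction(src, unit, function, start, count)


def filter_frames(rules, frames):
    """Default-deny: a frame passes only if some rule explicitly permits it."""
    decisions = []
    for src, frame in frames:
        try:
            t = parse_modbus_tcp(src, frame)
        except ValueError as err:
            decisions.append(("DROP", src, f"malformed: {err}"))
            continue
        verdict = "ALLOW" if any(r.permits(t) for r in rules) else "DROP"
        detail = (f"fc={t.function:#04x} unit={t.unit} "
                  f"regs={t.start}..{t.start + t.count - 1}")
        decisions.append((verdict, src, detail))
    return decisions


def modbus_frame(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used only to construct sample traffic)."""
    return (struct.pack(">HHHB", tid, 0, 2 + len(payload), unit)
            + bytes([function]) + payload)


# Process-specific allowlist (constructed): the HMI may only read the ten
# status registers; only the engineering workstation may write set-point 100.
RULES = [
    Rule("10.0.0.5", 1, READ_HOLDING_REGISTERS, 0, 9),
    Rule("10.0.0.7", 1, WRITE_SINGLE_REGISTER, 100, 100),
]

# Constructed sample traffic arriving at the gateway from the IT side.
SAMPLE_FRAMES = [
    ("10.0.0.5", modbus_frame(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))),      # in window
    ("10.0.0.7", modbus_frame(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 100, 0x1234))),  # permitted write
    ("10.0.0.5", modbus_frame(3, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 100, 0))),       # HMI may not write
    ("10.0.0.99", modbus_frame(4, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))),     # unknown client
    ("10.0.0.5", modbus_frame(5, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 50))),      # read past window
    ("10.0.0.5", b"\x00\x06\x00\x00\x00\x06\x01\x03\x00"),                                     # truncated frame
]

if __name__ == "__main__":
    for verdict, src, detail in filter_frames(RULES, SAMPLE_FRAMES):
        print(f"{verdict:5} {src:10} {detail}")
```

The rules are keyed on what the process actually needs (which client, which function, which register window) rather than on IP addresses alone, which is what distinguishes a transaction whitelist from an ordinary stateful firewall. Malformed frames and functions the gateway does not model are dropped by default, so a policy mistake fails closed rather than open.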

Ask your security vendors and your equipment providers to show you that they can use standards-based security technologies. You don’t want to train your people to handle challenging IT-oriented cybersecurity products now, and then retrain them later when your equipment providers bring you something different.

The last point I want to make here is about defense-in-depth, a core strategy recommended by many security experts. To get defense-in-depth, you should consider a combination of gateway protection (now) and machine-level protection (when it arrives)... as long as your vendors can work together to keep management simple and cost-effective!