
What would life be like without traffic lights, mass-produced food, electricity at the touch of a button, water supply or easily available petrol and gas?

Operational Technology (OT) makes these possible and pervades our lives in obvious and hidden ways. It automatically monitors and controls processes and equipment that are too dangerous, too demanding or too monotonous for manual operation.

Modern OT networks run society as we know it, and we take it for granted that these conveniences will always be available and safe to use. A capable, malicious adversary knows exactly that: targeting OT infrastructure is the quickest way to make us vulnerable.

Case in point: in February 2021, an attacker gained remote access to a Florida city’s water treatment plant and attempted to poison the water supply by raising the sodium hydroxide dosing level. This was not the first cyber-attack on an OT system, but it sent shockwaves through the utility and process industries and raised national security concerns. The incident showed that governments and companies alike must be proactive in anticipating and managing the evolving cyber threat landscape, and must also invest in replacing or upgrading ageing critical infrastructure systems.

Some governments have already introduced regulations in response, e.g. the European Union’s NIS Directive, implemented in the UK as the Network and Information Systems Regulations 2018. However, many such regulations are weakly enforced, and non-compliance is rarely met with real consequences. As a result, adoption and compliance are not treated as a business priority.

Business leaders tend to underestimate the potential threats towards their organization’s OT network. Allow me to address the common myths about OT cyber security:

Myth #1 – If an OT system is not connected to the internet, it is safeguarded against cyber threats.

This does seem plausible, BUT most OT system updates are applied from removable media (USB sticks, CDs, portable hard drives, etc.), which is one of the main vectors by which malware enters OT systems. Engineering laptops that move between the corporate network and the plant floor are another. You don’t need to be connected to the internet to be infected.

Myth #2 – My OT system is safely behind a firewall and therefore protected.

A firewall is generally the first line of defense for network security, but it only protects what its rule set says it protects: someone has to configure it securely and keep its rules reviewed and current. In practice, OT firewalls tend to be badly misconfigured (overly broad “any/any” rules, “temporary” vendor rules that never expire, OT protocol ports reachable from the corporate network) and are rarely maintained after commissioning.

There are also cases where engineering teams establish an unauthorized external connection, typically a modem or cellular router, to give an Original Equipment Manufacturer (OEM) remote access for corrective maintenance. These connections bypass the firewall entirely and create an unmanaged path directly between the OT system and the internet.
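The kind of rule-set hygiene check a firewall owner should be running regularly, as an added example that is not part of the original article. It assumes a simplified, hypothetical rule format (zone, source, destination, protocol, port, action, owner, expiry); the zone names, the OT protocol port list and the sample rules are all constructed for illustration and are not taken from any real deployment.

```python
"""Audit a firewall rule set for the misconfigurations that let corporate or
Internet traffic reach an OT network.

Added example, not from the original article. The Rule format, zone names,
OT port table and SAMPLE_RULES below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Well-known OT protocol ports that should not be reachable from untrusted zones.
OT_PORTS = {
    102: "S7comm/ISO-TSAP",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}
# Zones assumed (for this example) to sit outside the OT security boundary.
UNTRUSTED_ZONES = {"internet", "corporate", "dmz"}


@dataclass
class Rule:
    name: str
    src_zone: str
    src: str        # CIDR or "any"
    dst_zone: str
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp" or "any"
    port: str       # single port "502", range "500-600", or "any"
    action: str     # "allow" or "deny"
    owner: str = ""
    expires: str = ""


def ports_in_rule(port: str) -> set[int] | None:
    """Return the OT ports covered by a port spec, or None if the spec is 'any'."""
    if port == "any":
        return None
    lo, _, hi = port.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    return {p for p in OT_PORTS if lo_i <= p <= hi_i}


def audit(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (rule name, severity, message) findings for every risky allow rule."""
    findings: list[tuple[str, str, str]] = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules are never a hygiene problem here
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((r.name, "high", "any/any/any allow rule"))

        inbound_to_ot = r.dst_zone == "ot" and r.src_zone in UNTRUSTED_ZONES
        if inbound_to_ot:
            if r.src == "any":
                findings.append((r.name, "high", f"unrestricted source from {r.src_zone} into OT"))
            covered = ports_in_rule(r.port)
            if covered is None:
                findings.append((r.name, "high", "all ports open into OT"))
            else:
                for p in sorted(covered):
                    findings.append((r.name, "medium",
                                     f"{OT_PORTS[p]} ({r.proto}/{p}) reachable from {r.src_zone}; confirm it is intended"))
            if not r.owner or not r.expires:
                findings.append((r.name, "low", "no owner or expiry date: rule will never be reviewed"))

        if r.src_zone == "ot" and r.dst_zone == "internet":
            findings.append((r.name, "high", "direct OT-to-Internet path"))
    return findings


# Constructed sample rule set with the mistakes the article describes.
SAMPLE_RULES = [
    Rule("R1", "corporate", "any", "ot", "any", "any", "any", "allow"),            # classic any/any
    Rule("R2", "corporate", "10.10.5.0/24", "ot", "10.20.0.0/16", "tcp", "500-600", "allow"),  # range hides 502
    Rule("R3", "dmz", "10.30.1.15/32", "ot", "10.20.1.10/32", "tcp", "4840", "allow",
         owner="historian-team", expires="2025-12-31"),                            # scoped, owned, dated
    Rule("R4", "ot", "10.20.0.0/16", "internet", "any", "any", "any", "allow"),    # "temporary" vendor rule
    Rule("R5", "any", "any", "any", "any", "any", "any", "deny"),                 # default deny
]

if __name__ == "__main__":
    for name, sev, msg in audit(SAMPLE_RULES):
        print(f"{name:4} {sev:6} {msg}")
```

The point of the port-range check is that a rule reading “tcp/500-600” looks harmless in a review spreadsheet but silently exposes Modbus on 502; a real audit should also be diffed against the previous run so that newly added or re-enabled rules stand out.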

Myth #3 – Hackers don’t understand OT systems and layout.

Reported cyber incidents like the one mentioned above directly contradict this myth. Hacking is no longer just a hobby; it is unfortunately a very profitable business. The Financial Times reported that attackers extorted more than US$350M in 2020 from ransomware alone.[1] Hacking-as-a-Service is very real, and OT systems of all types are now regular topics at the DEF CON and Black Hat conferences.

Myth #4 – Our facility is not a target.

This is naïve: as we have just covered, hacking is a very profitable business, so any facility may become a target at any time. More importantly, you don’t have to be a target to become a victim. Many organizations have been pure collateral damage of attacks aimed at a completely unrelated target; for example, Maersk was not the intended target of the NotPetya malware but still suffered a loss of around US$300M as a result.[2]

Myth #5 – Our safety systems will protect us.

The core function of a safety instrumented system is captured in its name, but modern safety systems are microprocessor-based programmable systems that are configured from a Windows engineering workstation. They are therefore exposed to every discovered and yet-to-be-discovered Windows vulnerability, and a compromised engineering workstation can alter the safety logic itself.

A key takeaway for business leaders is this: To manage your OT cyber security risks, you need to understand the past, present and future state of your facility. Yes, facility – not plural because every facility is unique in design, operations and maintenance.

In the PAST, when most existing processing and manufacturing facilities were built, there was no business requirement to connect the IT and OT environments; the two domains were completely separated (air gapped) and governed independently by IT and Engineering. Legacy or obsolete systems are still commonly found in these facilities, and cyber security hygiene practices were non-existent.

TODAY, for efficiency and cost reasons, extensive network connectivity between IT and OT is required. This has brought confusion over governance, risk management and the effectiveness of control implementation between IT and Engineering. Cyber security is no longer just “an IT problem”.

TOMORROW, the intercommunication of all components – from the supplier to the customer – will be the reality. Therefore, sustainable governance, risk management and control implementation effectiveness between IT and Engineering MUST be established.

Digitalization is a double-edged sword: it brings significant benefits through advanced connectivity but also seriously expands the attack surface. Malware is not the only risk to OT cyber security. Among the most pressing issues are insider threats, hacking and hacktivism, the weaponization of AI, unmanaged third-party risk and, simply, human error.

Understanding the past, present and future requirements of each facility is fundamental to developing a robust OT cyber security protection plan, but what are the absolute must-haves?

Consider the following five pillars for effective safeguarding of OT systems against cyber threats:

In conclusion, OT systems monitor and control the complex processes and critical infrastructures that deliver power, water, transportation, manufacturing and other essential services, BUT they are seen as easy targets by attackers. Without adequate OT cyber security safeguards, vulnerabilities within OT systems may lead to consequences that threaten far more than just the organization under attack.


[1] Financial Times, “The negotiators taking on the ransomware hackers”, 16 February 2021.

[2] Pen Test Partners blog, “Maersk wasn’t hacked”, 3 April 2018.