Operational Technology (OT) is the hardware and software that keeps things such as factories, power plants and facility equipment running. It monitors and manages industrial process assets and manufacturing/industrial equipment.
Gartner predicts that by 2025, cyber attackers will have weaponized OT environments to successfully harm or kill humans. It also predicts that the financial impact of attacks using OT resulting in fatal casualties will reach over $50 billion by 2023.
While we do not discount that the threat to OT is real, there remain on-the-ground issues that limit the instant resolution of these threats.
For one thing, while it is easy to assign overall security to the CIO or CISO, Eaton’s Asia-Pacific Director – Cloud and Data Centre Segment, Richard Farrell, questioned whether IT staff have the understanding and experience to do so.
Prevailing misconceptions around securing OT
He pointed out that OT is not limited to devices like servers, switches and storage. It encompasses lighting, air conditioning, backup power systems, and more.
He acknowledged ongoing misconceptions, including that cybersecurity is an IT team’s problem.
“IT people are not electrical engineers or mechanical engineers. They would have issues trying to administer anything on a backup power supply or chiller, not to mention the safety issues that come around that as well.”
“You have to remember that a lot of these devices run on mains power. Some of these switchboards in buildings and data centres run on up to 100,000 volts. It's not like replacing the power supply of a server by popping the server out. You can't do that with operational technology,” he emphasized.
He also pointed to the misconception that cybersecurity breaches do not affect operational technology. While he conceded that data may be the target for attacks, the Colonial Pipeline attack is a clear example of operational technology crippled as part of the process.
OT protection
According to Farrell, the starting point is discovering or knowing what OT assets are connected to the internet or the network.
“Whether these are IT or OT is irrelevant. It is about making sure that you are aware of what devices are on the network. Only then can you enact security policies to protect these devices,” he explained.
He also suggested paying attention to social engineering as a means of attacking the organisation. Incorporate this into the security and security compliance components of your employee onboarding programme.
See cybersecurity as a holistic service – a lifecycle service. This involves having a continuous programme of audit and assessment of the network, devices and upgrades of facilities. Keep software up to date and always apply security patches.
Who is involved in OT security?
For Farrell, OT should not be isolated from the rest of the organisation. He cited the example of personnel, including facilities managers and engineers, who operate and maintain the integrity of the data centre.
“We see a breakdown in communication between OT and IT, say between the IT manager and a facilities manager inside the data centre. To be effective against threats requires both OT and IT to work together,” he insisted.
Farrell believed that the best way for this to happen is to have a mandate from the top.
Where to start?
Don’t look at cybersecurity in isolation. “Start with your current infrastructure partners. Make sure they understand your operational technology set up and have people capable of helping to develop a cybersecurity programme that includes OT. These services could be electrical, mechanical, or other engineering services,” elaborated Farrell.
Cybersecurity Ventures predicted that, globally, businesses in 2021 will fall victim to a ransomware attack every 11 seconds, down from every 14 seconds in 2019. Cybersecurity researchers estimate at least 31.5 million ransomware attacks will occur in 2021.
Farrell warned that cyberattacks do not have to be as big as that against the Colonial Pipeline. He cited the example of the attack on Singtel in January 2021 when 129,000 customer records were stolen off the Accellion file transfer appliance the company used.
How to manage OT security
Farrell acknowledged the difficulty of generalizing the response to the question of who should manage OT security. Every organisation, even within the same industry, is different.
He suggested that a potential starting point would involve making sure that endpoint devices are secured using tools like firewalls, authentication software, intrusion detection, and the like.
While larger organizations like financial institutions and governments may have cybersecurity programmes in place, the risk is that OT is not included. “Or even if OT is included, they would not have that holistic view,” he warned.
“Start with an audit: know what’s on your network. Review your cybersecurity programme and what’s not included. Finally, if you don’t believe you have the capability, expertise or time to do that, there are a lot of organisations that can do that for you,” he added.
Three questions for the CIO-CISO
What 3 questions should those leaders involved or tasked with OT cybersecurity be asking when they're trying to decide what solution they should be looking into?
Farrell chided that likely 300 questions should be asked. He also cautioned about the psychology of wanting to be the smartest person in the room.
“I think we all love to overcomplicate it. As technologists, we all like to sound super smart and try to sound like the smartest person in the room. With cybersecurity, it's very easy to go down that rabbit hole of talking the very clever stuff, particularly when you start talking about UL certifications, IC certifications and everything which are essential as well.” – Richard Farrell
He suggested first taking a holistic approach and not treating OT in isolation from the rest of the organisation. “Second, partner up with somebody who understands your complete business in the complete facility. Third, ask for help,” he concluded.
Click on the podchat player and hear Farrell share his opinion on the viability of weaponizing operational technology.
- Is the prediction by Gartner of the weaponization of OT real or is someone just watching too many ‘Die Hard’ movies?
- What are some common OT cybersecurity misconceptions?
- OT encompasses more than just what is inside the data centre. How should businesses improve the security of facilities, including factories, warehouses, shops and malls, utilities, offices, and hospitals?
- Who should be involved in the OT security programme?
- Where does one begin their OT cybersecurity programme?
- What security management actions should be included in the programme?
- How should an OT security programme be managed?
- What 3 questions should a CISO/CIO ask when choosing an OT cybersecurity solution?