Most enterprises know that cyberattacks on their IT systems are continuously growing in sophistication, severity and number. Until now, however, many organisations that run plants, factories, pipelines and other infrastructure have paid far less attention to the threats they face in the realm of operational technology (OT).
Recent global, OT-focused cyberattacks highlight why South African utilities, manufacturers, oil & gas companies and other organisations that run industrial infrastructure would be wise to take note of the growing range of cyber threats faced by their OT systems and infrastructures.
In one example, an intruder gained remote access to a water treatment plant in Oldsmar, Florida, in February 2021 and briefly raised the setpoint for sodium hydroxide (lye, a corrosive chemical dosed in small quantities to control pH) from 100 parts per million to 11,100 parts per million before an operator noticed and reversed the change. In another, ransomware operators hit Colonial Pipeline in May 2021, forcing a shutdown that disrupted a major supply of fuel to the US East Coast for roughly a week.
As these examples show, OT attacks can be more serious than IT breaches because of the economic upheaval, supply chain disruption and physical harm they can cause. This has prompted Gartner to warn that by 2025 attackers will have ‘weaponised’ OT environments to harm or kill people. Gartner says that threats to OT environments have evolved from process-disruption attacks such as ransomware to a more alarming kind: attacks that compromise the integrity of industrial systems, manipulating the process itself rather than merely stopping it.
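The Oldsmar intrusion is an integrity attack of exactly the kind Gartner describes: the attacker did not stop the process, they wrote a dangerous setpoint to it. A passive monitor that watches setpoint writes can catch such a change in seconds. The script below is an added example for this article, not code from the plant, the vendor or +OneX. The log format, tag name, user names and the safe band and step limits are all assumptions (an engineer would set the band from the process design, not from a news report); the sample log lines are constructed so that the block runs offline.

```python
"""Flag setpoint writes that leave a safe band or jump too far in one write.

Added example for this article. The log format, tag names, users and
limits below are assumptions, not taken from any real plant.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SetpointLimits:
    low: float       # lowest value the process should ever be set to
    high: float      # highest value the process should ever be set to
    max_step: float  # largest change allowed in a single write


@dataclass(frozen=True)
class WriteEvent:
    ts: str
    hmi: str
    user: str
    tag: str
    value: float


# Assumed (hypothetical) engineering limits for a caustic dosing setpoint.
LIMITS = {
    "NaOH_dose_ppm": SetpointLimits(low=50.0, high=150.0, max_step=25.0),
}

# Constructed HMI audit-log lines; the timestamps and users are made up.
SAMPLE_LOG = """\
10:05:12 hmi=HMI-1 user=op_day tag=NaOH_dose_ppm write=100
11:42:03 hmi=HMI-1 user=remote tag=NaOH_dose_ppm write=11100
11:47:30 hmi=HMI-1 user=op_day tag=NaOH_dose_ppm write=100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) hmi=(?P<hmi>\S+) user=(?P<user>\S+) "
    r"tag=(?P<tag>\S+) write=(?P<value>-?\d+(?:\.\d+)?)$"
)


def parse_log(text):
    """Parse the assumed log format into WriteEvent records (skips junk lines)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append(WriteEvent(d["ts"], d["hmi"], d["user"], d["tag"], float(d["value"])))
    return events


def check_writes(events, limits):
    """Return [(event, [reasons])] for every write that violates its limits.

    The monitor is passive: every write reaches the controller, so the last
    seen value is always updated, and a later corrective write that jumps
    back by more than max_step is reported as well (an operator can then
    acknowledge it).
    """
    last = {}
    alerts = []
    for ev in events:
        lim = limits.get(ev.tag)
        if lim is None:
            alerts.append((ev, ["write to tag with no configured limits"]))
            continue
        reasons = []
        if not lim.low <= ev.value <= lim.high:
            reasons.append(f"value {ev.value:g} outside safe band [{lim.low:g}, {lim.high:g}]")
        prev = last.get(ev.tag)
        if prev is not None and abs(ev.value - prev) > lim.max_step:
            reasons.append(f"step {abs(ev.value - prev):g} exceeds max step {lim.max_step:g}")
        last[ev.tag] = ev.value
        if reasons:
            alerts.append((ev, reasons))
    return alerts


def analyse(text, limits=LIMITS):
    return check_writes(parse_log(text), limits)


if __name__ == "__main__":
    for ev, reasons in analyse(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user}@{ev.hmi} {ev.tag}={ev.value:g}: " + "; ".join(reasons))
```

Run against the constructed log, the 11,100 ppm write trips both the band check and the step check, and the operator's restoring write to 100 ppm trips the step check alone. In a real deployment the events would come from the HMI audit log or from passive capture of Modbus/OPC writes, and a violation would also be correlated with who was logged in and from where.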
Let’s look closer at what OT security is, before delving into why OT threats are growing and what organisations can do about it.
Defining OT and OT security
OT is the hardware, software and other technology used to monitor and control physical processes, devices, and infrastructure. Examples include the Supervisory Control and Data Acquisition (SCADA) systems used to manage processes such as water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, and electric power transmission and distribution, or to monitor and control manufacturing processes on a production line.
By the Gartner definition, OT security is “Practices and technologies used to (a) protect people, assets, and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems.” There is a maturing toolbox of specialised OT security solutions, including firewalls, security information and event management (SIEM) systems, identity and access management (IAM) tools, and early-stage threat detection and asset identification solutions that companies can implement to enhance their cybersecurity posture.
Yet OT security remains neglected in many organisations because the engineers in the OT environment usually don’t have much background in cybersecurity, while IT teams tend to regard OT as outside their responsibility and core competence. On a technical level, OT uses vendors, technologies, platforms and protocols that are unfamiliar to IT professionals. Plus, OT networks were, in the past, run independently of IT networks and were usually not connected to the Internet.
Misconfigured networks and Internet exposure bring threats to OT
In that isolated model, the only ways into an OT system were physical access to a terminal that controlled it, or a misconfigured network that allowed traffic between the IT and OT environments. That started to change 10 to 15 years ago as more OT systems were connected to the Internet, with the goal of gathering data to drive analytics and create new business efficiencies. Along with its benefits, the convergence of IT and OT networks, and the connection of OT to the Internet, has exposed OT to a growing range of cyberthreats.
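Both of the exposure paths named above (a misconfigured rule that lets IT reach OT, and OT that can talk straight to the Internet) are visible in the firewall ruleset, so auditing that ruleset is a cheap first check. The script below is an added example for this article, not +OneX's tooling. The zone addresses and the rules are constructed; the industrial protocol port numbers (Modbus/TCP 502, S7comm 102, DNP3 20000, EtherNet/IP 44818) are the real registered values. It flags any allow rule from IT, the Internet or "any" into the OT zone, and any allow rule giving OT direct Internet egress, on the principle that OT should exchange data only with a DMZ (historian, jump host).

```python
"""Audit a firewall ruleset for paths between the IT/Internet and OT zones.

Added example for this article. Zone ranges and rules are constructed;
the industrial protocol port numbers are real.
"""
import ipaddress
from dataclasses import dataclass

# Real registered ports for common industrial protocols.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

# Assumed zone layout for the example site.
ZONES = {
    "OT": ipaddress.ip_network("10.20.0.0/16"),
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.15.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR, host/32, or "any"
    dst: str
    dport: str   # port number or "any"
    action: str  # "allow" or "deny"


# Constructed ruleset: one legitimate flow, three exposures, a default deny.
RULES = [
    Rule("it-to-historian", "10.10.0.0/16", "10.15.0.10/32", "443", "allow"),
    Rule("vendor-remote", "any", "10.20.1.5/32", "502", "allow"),
    Rule("it-rdp-hmi", "10.10.5.0/24", "10.20.1.0/24", "3389", "allow"),
    Rule("ot-egress", "10.20.0.0/16", "any", "any", "allow"),
    Rule("default-deny", "any", "any", "any", "deny"),
]


def zone_of(cidr):
    """Map an address or CIDR to a zone name; unknown ranges count as INTERNET."""
    if cidr == "any":
        return "ANY"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "INTERNET"


def audit(rules):
    """Return [(rule name, severity, reason)] for rules that expose the OT zone."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = zone_of(r.src), zone_of(r.dst)
        port = None if r.dport == "any" else int(r.dport)
        service = "any port" if port is None else ICS_PORTS.get(port, f"port {port}")
        if dst == "OT" and src in ("IT", "INTERNET", "ANY"):
            # Internet-facing, any-port, or industrial-protocol access is the worst case.
            sev = "critical" if src != "IT" or port is None or port in ICS_PORTS else "high"
            findings.append((r.name, sev, f"{src} -> OT allowed on {service}; terminate in the DMZ instead"))
        elif src == "OT" and dst in ("INTERNET", "ANY"):
            findings.append((r.name, "high", f"OT -> {dst} egress on {service}; OT should reach only the DMZ"))
    return findings


if __name__ == "__main__":
    for name, sev, reason in audit(RULES):
        print(f"[{sev}] {name}: {reason}")
```

The IT-to-historian rule passes because the historian sits in the DMZ; the vendor's direct Modbus path from the Internet and the RDP path from an IT subnet to the HMI network are flagged, as is the blanket outbound rule. Real rulesets carry many more fields (interfaces, protocols, NAT), but the zone-pair logic is the same, and running it on every change to the firewall is a simple way to stop the misconfiguration reappearing.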
Yet even as OT and IT networks converge, the two disciplines tend to run as completely separate functions with little sharing of information. This is somewhat understandable, given how different IT and OT security are in practice: IT cyberattacks are more frequent, while OT attacks are more destructive; and IT systems are upgraded and patched far more often than OT systems, which frequently cannot be taken offline and may run only vendor-certified software versions.
In the world of the Fourth Industrial Revolution, it is clear that OT will become more digital in the years to come. Even though there are many differences in the risks, objectives and operating models for OT and IT, there are clear benefits to getting the teams responsible for each into closer alignment. In so doing, the C-suite gets a better sense of the overall risk and threats the business faces and who should be accountable for managing them.
Gartner recommends that enterprises align their standards, policies, tools, processes and staff across IT, the business and the changing OT systems. This is called IT/OT alignment, and it is about crafting a strategy that spans the security lifecycle, from the production floor up to the enterprise.
Given the lack of visibility that most organisations have into their OT environment, the place to start with a coherent OT strategy is a risk and vulnerability assessment. There are mature asset discovery tools, typically passive so that they do not disturb the process network, that help enterprises identify which assets could be affected by cyber-risks, so that controls and responses can be prioritised. Since most companies lack in-house skills that straddle the divide between IT and OT, they can often benefit from the skills of a systems integration partner that knows both worlds.
- Paul Lowings, Security Executive at new-age solutions and systems integrator, +OneX