Kicking off a recent episode of the “Into the Breach” podcast, Mitch Mayne stated, “Attacks on operational technology (OT) — the systems that control industrial equipment, processes and events — were once the domain of Hollywood, which roll out special-effect-ridden disaster movies about nuclear power meltdowns, collapsed power grids and poisoned water systems,” but now they may not feel so far-fetched. Attacks with potentially large-scale impact on general safety became very tangible in 2021 with events such as the Colonial Pipeline incident and attempted breach of the Oldsmar, Florida water facility. While these were luckily not successful at causing complete chaos, concerns over increased activity such as this are mounting. One of the main worries arising is that bad actors will continue to look beyond IT systems and expand targets on vulnerabilities associated with OT systems.
Convergence with IT Drives Concerns for OT Security
As Colonial Pipeline and Oldsmar demonstrate, a major reason OT systems are worrying targets is that they are often connected to critical infrastructure. Although attacks on OT systems were once rare, Fortinet’s “State of Operational Technology and Cybersecurity Report” found that “9 out of 10 OT organizations experienced at least one intrusion in the past year,” according to Rick Peters’ piece for IT World Canada. An article in Forbes also pointed out that Skybox Security concluded that new OT device vulnerabilities were up by about 46% in the first half of 2021 compared to the same timeframe in 2020.
So, what is causing this surge in OT risk? Much of it comes down to the convergence between IT and OT systems. Before diving further into that, it is helpful to understand the difference. In the Forbes article mentioned above, Saryu Nayyar, CEO of Gurucul, provides a good description. She explains that “IT systems pertain to daily business operations, such as the creation, dissemination and storage of business information, documents and records. OT systems monitor and control the physical functions of processes in manufacturing and industrial environments, for example, monitoring the flow of fluids through a conduit or releasing pressure through a valve.” For a long time, these two existed as entirely separate entities. However, the age of IoT has changed that, allowing organizations to realize the benefits of sharing data from OT sensors with IT databases. While this convergence enhances efficiency, important differences between the two remain, and those differences are driving the escalation in cybersecurity issues.
For one, most security measures are created with IT in mind and do not necessarily translate to the needs of OT. On the same episode of “Into the Breach,” Chris Kubecka, Chair of the Cyber Program at the Middle East Institute, also highlighted that part of the problem with OT security is that OT is built to last longer than most IT equipment. She used satellites as an example of OT that has stayed in service for up to 50 years, whereas an IT program may need to be replaced every three to five years. Plus, there is an organizational divide that gets in the way of consistent security practice. As Nayyar notes, IT network management is typically “centralized and standardized.” OT, on the other hand, is often managed remotely and by a variety of OEMs.
Addressing OT Security
Just as IoT is inevitably creating concern as it unites IT and OT, it also holds potential solutions for maintaining security for both. The key will be working out, and then deploying, properly controlled communication between the two networks. This begins by ensuring that cybersecurity is an utmost priority, and there are signs of that happening, especially around critical infrastructure. President Biden recently approved the Cyber Incident Reporting for Critical Infrastructure Act. This legislation requires private companies to file a report with the Cybersecurity and Infrastructure Security Agency within 72 hours if they believe that they have been hit by a cyberattack. Organizations covered under the act include those that fall under the critical infrastructure sector, while report-worthy events include cases that may lead to “substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes,” according to coverage in The National Law Review. While this may be just the tip of the iceberg for protecting OT and infrastructure security, such a legislative move does reflect a growing trend. As Security Boulevard points out, similar initiatives are occurring around the world. For instance, France and Germany’s cybersecurity agencies have already put threat intelligence sharing requirements into place in their respective countries.
- “Operational Technology Attacks: The Curse of Cassandra or the Hype of Chicken Little?” – Mitch Mayne, Security Intelligence
- “Critical infrastructure is the new front line” – Rick Peters, IT World Canada
- “Bridging The Cybersecurity Gap Of IT/OT Convergence” – Saryu Nayyar, Forbes
- “Biden Executive Order Requires 72-Hour Notice for Cyber Incidents” – Colin R. Jennings & Ericka A. Johnson, The National Law Review
- “OT Cybersecurity Concerns Are Increasing Across the Globe” – Anastasios Arampatzis, Security Boulevard