By Wayne Olsen, Managing Executive: Cyber Security at BCX
The security issue keeping CISOs awake at night isn’t the one you’re thinking of. It’s probably not even the third or fourth one you think of. And it’s likely one most of your business isn’t even aware exists.
I’m speaking of operational technology – OT. The convergence of OT and IT has made waves this year in cyber security circles as real-world attacks have elevated hypothetical risks into worrying reality.
Operational technology – the systems that operate, automate, and manage industrial machinery – is a critical element in industry. These are the physical mechanisms – like production lines or cooling plants – that transform raw materials into finished goods. And they are under threat.
Traditionally, information technology and operational technology occupied two entire separate realms within an organisation. Information technology resided in the office, bringing information and communication to executives and office workers. Operational technology lived on the mine, the factory floor, and the power plant.
If OT was connected to anything, it was through isolated networks that extended only within the boundaries of the facility in which it was housed, to a PC or server in the same facility. Security, such as it was, was concerned with protecting the physical installation, as the network wasn’t connected to the internet or any other network, cyber security was never a consideration.
Over the years this has changed, to the point where IT and OT have merged on a technological level, and it’s become impossible to separate them. The IT and OT executives managing that technology, however, are driven by vastly different business imperatives.
IT security is worried about the security and integrity of information. OT teams are worried about uptime and safety. If you have a conversation with an OT person, security isn’t even on their watch list. Uptime, downtime, health and safety, compliance and records drive their worlds, and downtime isn’t an option.
These are two worlds that do not meet. The acceleration of automation and digital transformation initiatives, however, has seen OT networks being introduced to IT networks at a massive rate. This wouldn’t be a problem except that OT systems tend to be run (at best) through PCs running Windows XP and the like, or servers running NT or 2000. In other words, old operating systems, that are hugely insecure, not supported by vendors anymore, and that are not being patched and upgraded to keep abreast of new types of security threats.
They remain in OT environments because of the downtime that will result if they are taken off-line and replaced. As PwC notes, OT systems typically have a lifespan of ten years’ and unless they break, it is are not upgraded or updated at all during that time. This means there are many, many systems out there with no vulnerabilities that attackers can exploit.
And they’ve been doing just that. Fortinet’s 2022 State of Operational Technology and Cybersecurity Report found that 93% of organisations surveyed had an intrusion in the past year, 61% of those intrusions impacted OT systems. Ninety percent of those, Fortinet states, required hours or more to restore service.
Most of us will remember Stuxnet, back in 2010, which caused substantial damage to Iran’s nuclear facilities by targeting the programmable logic controllers (PLCs) that control the centrifuges used to separate nuclear material. The worm travelled via USB drive – still a massive OT threat today – and programmed the PLCs to speed up the centrifuges while hiding that data from the cooling systems, with predictably disastrous consequences.
In the IT world, we understand the need to upgrade, patch and secure systems. In the OT world, this mindset shift to protecting systems from logical as well as physical threats hasn’t yet been made.
Business leaders under-estimate the threat, they don’t have clear visibility into just how many OT devices are connected to networks and computers that are now being exposed to the internet, and they often struggle to extrapolate the risks to lives and livelihoods.
This is the part that keeps CISOs awake. Instead of encryption and denying access to email servers, attackers can shut down the airflow to a mineshaft, and every other control system related to that mine shaft – with devastating and fatal consequences.
Attackers in 2015 facilitated a widespread power outage in Ukraine. A phishing attack on a petrochemical facility in the Middle East in 2017 destroyed the systems designed to safeguard human life. The current geo-political landscape has seen cyber-attacks against IT and OT increase dramatically as nation states seek to gain advantage.
Businesses (and state actors) need to take a holistic approach to securing systems, and they need to do so urgently. It’s not just a database, or a power plant. It’s the risk to business operations as OT has become more central to how businesses survive and thrive. It’s the risk to human life. It’s the risk to the sovereignty and security of nation states.
Business decision-makers including OT and IT executives need to understand what is connected to their IT environments, and how. They need to do an inventory of every asset – IT or OT – that is connected and the interdependencies between them. They need to understand the attack surface (which is vast). Playbooks need to be created to govern responses to the different types of threats that exist across OT and IT systems. Organisations need to run red team exercises so people know their roles and can respond effectively and rapidly as intrusions occur.
Businesses need to start linking IT & OT. This affects lives, businesses, economies, and nations. If a database gets compromised, we have backups, we can restore it. If you’re running a smelting plant, and your cooling system gets shut down by an attack the resulting explosion will destroy that facility, and possibly kill people. There’s no backup in the world that can restore human life. It’s time for the various players to understand where their common ground lies and to act for the greater good.