Putting The O in Cybersecurity
15 July 2019
Phishing. Malware. Spoofing. Rarely a week, sometimes even a day, goes by without word of a new threat or attack. We live in an age when bits and bytes are currency, sometimes literally. So while not justified, it makes sense that there are efforts to get information by any means. In parallel, there’s an acute and ever-evolving focus on protecting this critical information and the systems which allow us to effectively share, interpret, and utilize this information for personal and business purposes.
These systems typically involve Information Technology (IT) related processes; however there is an entire category of technology that may not dominate cybersecurity headlines, but is equally if not more important, especially for people who manage and maintain control systems that regulate everything from building comfort to the power grid. And that’s Operational Technology or OT.
What’s worse, someone getting access to millions of credit card numbers or taking control of a campus that houses tools critical to national security?
A rhetorical question, of course, since both outcomes are unacceptable. But that means organizations — and the companies that provide OT systems — need to be as vigilant about securing OT environments and their associated systems.
Here’s why OT matters and what to do about it.
In basic terms, IT covers the spectrum of technologies that transfer, store and manipulate information while OT, according to analyst firm Gartner, “Is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and enterprise events.” Think data versus things.
There are other significant differences, though. OT systems, for example, typically have a longer lifespan than their IT counterparts. Whereas a company might give employees new laptops every two to four years, a fire alarm could sit on a wall for a decade or more. Plus, most corporations have a few (or a fleet) of people responsible for IT, while OT usually falls outside the traditional IT scope, and is left to control, process engineers or in many cases – no responsible party. These are just a couple reasons why OT systems tend to be outdated, and related hardware and software are more susceptible to compromise.
It’s an issue that will continue to grow — in the facilities realm in particular – as the internet of things balloons. These “things” are slowly becoming an integral part to our business success and the market is expected to reach 14.2 billion in 2019 and 25 billion by 2021. Halfway in between that relatively short span, smart buildings will account for more than 80 percent of connected devices, according to Gartner.
The combined risk of an attack with the sheer scale of potential entry points means it’s time to get OT practices in order and locked down.
There are several means to that end, but here are five key, broadly applicable starting steps:
- Don’t forget about OT security. Seems almost too elementary, but experience suggests otherwise. Out of sight, out of mind. Out of mind, out of date. That’s an all-too-common OT scenario. Operational cybersecurity should be a stated priority. Subsequently, it’s critical
to raise awareness and educate system users.
- Ensure appropriate ICT hygiene. There are a lot of information and control technology (ICT) security basics that OT folk can learn from the IT side. Employ best practices related to backups, patch management, password management, removable media, etc. They are already proven, so take these lessons, implement and adapt as necessary.
- Review OT systems best practices. These exist as well. To name a few that come to mind, the National Institute of Standards and Technology, the U.S. Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency, and Australian Signals Directorate via the Essential Eight Maturity Model have all published and continue to provide OT cybersecurity guidance.
- Look for ‘unknown’ internet connectivity. By identifying (with MAC and IP addresses) and monitoring all the devices that should be connected to a network, it’s possible to see those that shouldn’t be connected, and take proactive and reactive steps to block them.
- Ask more from OT suppliers. There’s one group that should be most attuned and attentive to cybersecurity, and that’s the companies that engineer and manufacture OT systems. Know the steps they’re taking to help protect customers and conduct cybersecurity assessments.
Although it can feel theoretical when obvious danger isn’t present, the consequences of OT cyber incidents are quite real and measurable. For instance, in 2017, a malware attack blocked access to the systems that a shipping and logistics giant used to operate its cargo depots, shutting down one of the largest terminals at the Port of Los Angeles. The resulting equipment damage and business disruption was estimated to cost up to $300 million.
Fortunately, companies can take action to minimize threats. To learn more, read our whitepaper “Building Resilience, Through Visibility.” Or reach out for information about an OT security assessment tailored for real-world environments with practical remediation outcomes.