A growing risk of cyber-attacks on operational technology (OT) highlights the need for organizations to prepare for breaches that take down or take over industrial systems
By Laurent Duperval
Until recently, cyberattacks focused primarily on electronic data, such as login credentials, credit card information, and other types of both personal and business information. According to a report from IBM, such a breach could cost an organization an average of about $9.44 million, not to mention the bad publicity a brand may suffer. Yet the cost of those IT breaches can pale in comparison to the devastation to both property and people that an operational technology (OT) breach could unleash.
In fact, Gartner predicts that by 2025, cyber attackers will have weaponized operational technology environments to successfully harm or kill humans. The report estimates that the financial impact of cyber-physical systems (CPS) attacks resulting in fatal casualties will soon reach over US$50 billion.
While IT cybersecurity—which protects servers, laptops, and phones, for example—is fairly mature, OT cybersecurity is in its relative infancy. Operational technology, where technology interacts with the physical world, includes industrial control systems (ICS) that monitor, control, and automate processes such as those on a manufacturing floor or within critical infrastructure.
“For the last 15 years, we’ve all been focusing on IT security,” said Paul Bellack, a former CIO of a $40 billion global manufacturer with 160,000 employees. “Five years ago, few people were talking about OT cybersecurity. OT is a separate and distinct domain of technology and a more complex cyber problem to solve. There is a lot to do to address it, and many people in charge don’t realize it.”
OT cybersecurity can’t rely on IT cyber tooling
With today’s digitalization, the IT and OT worlds are no longer separate. In fact, on May 7, 2021, the world got an unexpected demonstration of how an attack on an organization could put its OT systems in jeopardy. On that day, Colonial Pipeline suffered a cyberattack that forced it to shut down its operations for several days.
In response, people lined up at gas stations to stock up on fuel, causing shortages across several eastern U.S. states; airlines diverted planes to ensure they could refuel; and the price of gas reached its highest peak since 2014. Colonial Pipeline paid the ransom, put its business continuity processes into place, and within a week, operations were mostly back to normal. The attack was costly and generated bad press for the company, but fortunately, nobody got hurt.
Even with no casualties, the attack on Colonial Pipeline should serve as proof to industry leaders that OT systems are vulnerable to cyberattacks.
“It used to be that OT was air-gapped,” explained Bellack. “Meaning that OT was isolated and not connected to the internet. However, the two domains are now merging, and there is a need to exchange information between IT and OT. This merging is accelerating, driven by the rise of digitalization and IoT. As a result, the attack surface is much larger and more difficult to defend. OT security has now become a cybersecurity problem.”
As an example, an attacker could plant a virus in the IT domain that then spreads to the OT domain. This is possible because just about every industrial or production environment, including plants, hospitals, and energy management, now has industrial control systems that connect to the physical environment, making them part of an OT domain.
Furthermore, the cybersecurity remediations that apply to IT, such as password management and antivirus software, are not as effective or simply do not apply to OT.
The risk profile is also different between the two domains. In an IT attack, a cyber breach may cause data loss. But in OT, it can force a plant to shut down, and machinery can be taken over, possibly injuring or killing people.
To compound the problem, OT is typically much more decentralized than IT. With IT, companies can set up a centralized monitoring system and push updates and reboots simultaneously to thousands of devices, such as phones and laptops. There is no equivalent approach for OT. Updating and restarting machinery can often require a complete plant shutdown and may even require advance notice and planning.
Who’s responsible for what?
While cyber threats are constantly changing, CIOs and CISOs are continually working to stay one step ahead of a potential IT attack. On the OT side, however, it is often unclear who is responsible for securing the systems.
There is a need for a separate security program for OT that includes different tools, governance, and processes. Companies can’t simply extend their IT security program to OT, as the differences between the two domains are too great. It may require two security operation centers (SOCs), which adds to the complexity and costs of cybersecurity management.
Bellack explained that some CEOs or CIOs underestimate the risks associated with an OT attack.
“It’s a relatively new set of risks and a lot of executives don’t understand that they are indeed in danger,” Bellack said. “Companies build smarter, faster, cheaper factories using digital technologies because it’s great for business. But it also expands their attack surface, and many people in charge don’t realize the impacts or what they need to do to protect themselves.”
When it comes to machinery, Steve Boals, chief revenue officer at cyberconIQ—which pioneered the use of behavioral science to measure and manage cybersecurity risk in IT—said the prevailing view is too narrow.
“Machines are components in a complex, revenue-producing infrastructure that is a mix of physical, digital, and human elements. Safety and availability are the key focus, and security is sometimes forced to take a back seat if either of those may be compromised,” explained Boals. “This is a foreign concept to IT, but the day-to-day reality for a production plant.”
It comes down to the need for IT and OT teams to work jointly on processes, procedures, and controls to address the cultural gaps and mitigate the overall risk to the organization.
Addressing the OT cybersecurity problem
OT also has to contend with realities that IT doesn’t. For example, IT devices have an average life span of 3 to 5 years. OT systems, however, can be 15 to 30 years old. Sometimes, the manufacturer may no longer be around to repair or upgrade a system, which requires a separate approach to protect it.
When an IT infrastructure component goes down, it can often be rebooted in a few minutes. Factory machinery in OT, however, can often take much longer to get back up to speed, and the financial impact can be considerable when some machines are responsible for millions of dollars of output per day.
Faced with these dilemmas, many organizations simply don’t even know where to begin addressing the OT challenges. Fortunately, the cybersecurity industry is slowly beginning to build out the kind of roadmaps needed to tackle OT cybersecurity.
As part of that, cyberconIQ has outlined a 5-step framework for building a culture of mindfulness for operations executives, management, and operations teams when addressing OT cybersecurity.
- Raise awareness and understanding of OT cybersecurity
- Conduct an audit to validate OT maturity
- Map best practices (based on NIST and ISO requirements)
- Devise a custom playbook and accompanying policies
- Provide training tailored to specific populations (plant floor, plant management, etc.)
This comes as companies are facing stricter compliance obligations from the National Institute of Standards and Technology (NIST), as well as pending legislation.
“There are a number of pending bills out there that could make CEOs personally accountable for a cyberattack,” added Boals. “If there’s a death or property damage, and leadership has not taken the appropriate steps to secure their cyber-physical systems, then they could be found liable.”
As automation and digitization surge, OT cybersecurity will continue to increase in complexity and priority, requiring organizations to dedicate additional resources in order to protect against potential attacks.
Some cybersecurity providers, including cyberconIQ, offer free consultations as a way to give companies a jumpstart on their path to addressing OT cybersecurity.
Laurent Duperval is a Montreal-based freelance writer with more than 20 years of experience writing for the IT and cybersecurity industry.