Operational technology (OT) is everywhere in organizations as well as in everyday life, and it’s one of the biggest cybersecurity targets of the moment thanks to the disruption that an OT outage can cause.

Cybersecurity professionals work mostly with information technology (IT) – servers, laptops, routers, switches, Wi-Fi kit, and so on. And because we’re used to such technology, we know pretty much how to defend those systems against cyber-attack using kit such as firewalls, anti-malware software and the like.

What About Operational Technology (OT)?

In its simplest form, OT is all about the technology that is connected to our networks but which isn’t part of the everyday IT infrastructure. In a hospital this might be X-ray machines or CAT scanners and their associated support equipment, for example; in a mine it might be drilling or conveyor equipment; in an oil company it could be the drilling rig or the pumping equipment (and everything monitoring it). OT has often been around for a long time (a $10 million drilling rig might have a lifetime of 10 or 15 years, for example) and may well not have been built with cybersecurity and long-term software updates in mind. It might originally have been built without even a thought that it might one day be connected to a global network for management or monitoring purposes. The common factor we see is that you generally can’t install commoditised anti-malware or Endpoint Detection and Response (EDR) software onto OT equipment, nor can you configure it easily (or at all) so that it only accepts management connections from a specific IP address range (that of the management station).

What Can We Do?

First, we can remember that there’s more to life than agent-based vulnerability scanners. If we’re going to secure our systems, one of the key things we need is visibility of their vulnerabilities. Now, there are dozens – hundreds, even – of vulnerability scanners out there for which you install an agent app on each system and let them report to a central console. However, just because your scanner doesn’t have an agent app available for a given piece of OT equipment, this doesn’t leave you powerless – you simply have to do what a bad actor would do and have a scanner that probes kit to see which ports are open and which versions of software are listening on them, then checks against a big database of known vulnerabilities before alerting you to problems. Doing so puts you one step ahead of an attacker in this respect anyhow – not only do you know (well, we hope you know) what is attached to your network, but you can put your scanner inside that network and configure the routers and internal firewalls to permit it to run its scans. Agentless scanning of this type is commonplace for IT systems today (you’ll seldom find a scanner that has an agent for, say, Cisco routers), so extending the concept to OT should be straightforward.
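As an added example (not code from the original article), here is the skeleton of such an agentless check in Python: connect to a port, read whatever the service announces, and compare the announced version against a table of patched releases. The service names, banners and version table are constructed placeholders rather than real products or advisories, and a local listener stands in for the OT device so the example runs offline.

```python
import re
import socket
import threading
# Constructed table: oldest patched release per service, standing in for the
# "big database of known vulnerabilities" (example names, not real products).
FIXED_VERSIONS = {"ExampleSCADA": (2, 4, 1), "ExampleHMI": (1, 9, 0)}

def parse_banner(banner):
    """Extract (service, version tuple) from a banner like 'ExampleSCADA/2.3.7 ready'."""
    match = re.match(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", banner.strip())
    if not match:
        return None
    return match.group(1), tuple(int(p) for p in match.group(2).split("."))

def assess(banner):
    """Classify a banner as ok / vulnerable / unlisted / unknown against the table."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown", None
    service, version = parsed
    fixed = FIXED_VERSIONS.get(service)
    if fixed is None:
        return "unlisted", service
    return ("vulnerable" if version < fixed else "ok"), service

def grab_banner(host, port, timeout=2.0):
    """Agentless probe: connect, read what the service announces, disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(256).decode("utf-8", "replace")
        except socket.timeout:  # a silent service gives us nothing to assess
            return ""

def serve_banner(banner):
    """Local stand-in for an OT device so the example runs offline; returns its port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    def handle_one():
        conn, _ = listener.accept()
        conn.sendall(banner.encode())
        conn.close()
        listener.close()
    threading.Thread(target=handle_one, daemon=True).start()
    return listener.getsockname()[1]

def probe_and_assess(host, port):
    return assess(grab_banner(host, port))

if __name__ == "__main__":
    port = serve_banner("ExampleSCADA/2.3.7 ready\r\n")
    print(probe_and_assess("127.0.0.1", port))  # ('vulnerable', 'ExampleSCADA')
```

A real scanner needs a far richer banner parser and a maintained vulnerability feed; the point here is that nothing has to run on the OT device itself.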

The other key question is how you defend a device that can’t defend itself. Easy: pretend it’s Britney Spears (other celebrities are available) and ask yourself what you’d do. The answer: get it a bodyguard. If it can’t defend itself, put it behind a big, solid wall with a sturdy door to which only you have the keys. Firewall it to death, strictly limit the connectivity between it and the main network and have monitors that alert you to the merest sniff of bad activity. If you can, try to get to a situation where the only communication that happens is initiated by the OT device making an outbound connection to the outside world, because this means you can have a “deny from any to any” rule for all inbound traffic.
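An added example, not part of the original article, of the “monitors that alert you” half of the bodyguard approach: a small Python policy check run over netfilter-style firewall log lines for an OT enclave, flagging any inbound connection that isn’t from the management station and any OT-initiated outbound connection that isn’t to the permitted destination. The addresses, interface names and sample log lines are constructed for the example.

```python
import ipaddress
import re
# Constructed addressing for the example: the OT enclave sits behind its own
# firewall; only the management station may connect in, and the OT kit may only
# connect out to the historian. Real deployments substitute their own values.
OT_SEGMENT = ipaddress.ip_network("10.1.0.0/24")
MANAGEMENT_STATION = ipaddress.ip_address("10.0.5.10")
ALLOWED_OUTBOUND = {(ipaddress.ip_address("10.0.5.20"), "TCP", 443)}
KV = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Turn a netfilter-style 'SRC=.. DST=.. PROTO=.. DPT=..' log line into a dict."""
    fields = dict(KV.findall(line))
    try:
        return {"src": ipaddress.ip_address(fields["SRC"]),
                "dst": ipaddress.ip_address(fields["DST"]),
                "proto": fields.get("PROTO", "?"),
                "dport": int(fields["DPT"]) if "DPT" in fields else None}
    except (KeyError, ValueError):
        return None  # malformed line: not an event we can judge

def classify(ev):
    """Return an alert string for traffic that breaks the enclave policy, else None."""
    if ev["dst"] in OT_SEGMENT and ev["src"] != MANAGEMENT_STATION:
        return f"inbound to OT from unexpected host {ev['src']} -> {ev['dst']}:{ev['dport']}"
    if ev["src"] in OT_SEGMENT and (ev["dst"], ev["proto"], ev["dport"]) not in ALLOWED_OUTBOUND:
        return f"OT device {ev['src']} reaching unexpected destination {ev['dst']}:{ev['dport']}"
    return None

def monitor(lines):
    """Run the policy over a batch of log lines; return the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_log_line(line)
        alert = classify(ev) if ev else None
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    "kernel: OT-FW: IN=eth1 OUT=eth2 SRC=10.0.5.10 DST=10.1.0.15 PROTO=TCP SPT=40000 DPT=22",
    "kernel: OT-FW: IN=eth1 OUT=eth2 SRC=10.0.9.77 DST=10.1.0.15 PROTO=TCP SPT=51234 DPT=502",
    "kernel: OT-FW: IN=eth2 OUT=eth1 SRC=10.1.0.15 DST=10.0.5.20 PROTO=TCP SPT=33001 DPT=443",
    "kernel: OT-FW: IN=eth2 OUT=eth1 SRC=10.1.0.15 DST=203.0.113.9 PROTO=TCP SPT=33002 DPT=8443",
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print("ALERT:", alert)
```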

Should It Even Be Connected?

There is one other consideration, though – and it’s one that is constantly forgotten. One would hope it’s obvious, but sadly it isn’t: asking the question “Does this thing have to be on the network at all … and if so, then why?” This correspondent was chatting with the manager of a data centre a while back, inquiring about the network security of the massive generators in the (high-fenced and alarmed) back yard. “Oh, that’s easy,” he answered, “I didn’t order the network modules.” His reasoning was more around reliability – he would rather have engineers come to site than break his world remotely – but it had a tremendous accidental security benefit.

Wherever we turn, we see stuff connected to the network (and even to the internet). Chances are that if you’re reading this you’ve at least heard the story of the casino network that was compromised via the thermostat of its lobby fish tank. But did you realise that the infamous Colonial Pipeline attack didn’t in fact hit the pipeline systems themselves but was instead aimed at the billing system? The company, not the bad actor, shut down the pipeline – as a precautionary measure.

Defending OT is a long way from being rocket science. If it can’t defend itself, build something around it that carries out that task on its behalf. It doesn’t have to be expensive – and in most cases for big OT the cost of the security systems will be a fraction of what you paid for the OT kit itself.

But before you spend a penny, do take a step back and ask: why is this connected to anything in the first place?