The digitalization of organizations is pulling OT into the wider IT and cybersecurity space, creating a new set of surface areas that need to be defended and protected as they become more interconnected.
Operational Technology, or “OT” as its usually abbreviated to is the term we usually assign to hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.
But what does that actually mean? In its most basic form, OT is equipment that wouldn’t traditionally have been connected to the company’s network in the same way as PCs, servers, storage and printers might be, but which over the years has become connected so it can be monitored and/or managed remotely, without the need to be physically near it. Think of any system that wouldn’t have been on your network 25 years ago and you’ll find examples today where it’s hooked up and producing a data source, from obvious applications such as air conditioning systems in office buildings to esoteric ones such as systems that control the amount of water in canals.
The Interconnected Risk Factor
Cybersecurity has been with us for a long time and yet despite everyone knowing that anything connected to the company network is a potential risk, OT security has arguably lacked a great deal of focus in the average organization. The annual budget has lines for anti-malware, EDR, SIEM, SOAR, firewalls, operating system patching but do we ever see the entries for, say, replacing the end-of-life SCADA interface on the backup generator? Why is OT security such a challenge?
The first reason is that it’s often Shadow IT – that is, the IT department aren’t aware that this equipment has a network connection. To a certain extent that’s hard to forgive – the network team shouldn’t have any switch ports enabled unless they know for sure what’s connected to them – but in reality, it’s very difficult to enforce this on all ports all of the time. Also, what if the device has its own 4G interface so it can call home to the vendor’s management portal? A great example of this are modern smart energy meters, as well as things like vending machines and emergency call facilities in elevators. That won’t even be visible to the network managers. How about if someone connected an OT system to the “guest” Wi-Fi network, nine times out of 10 that won’t be monitored. (Incidentally: if you’re think the “guest” Wi-Fi isn’t connected to the private LAN you’d be right, but it is connected to all the other Shadow IT that’s illicitly hooked up to it).
Responding to the OT Cybersecurity Need
How do we deal with this? First, police the network to the greatest extent you can. Use inventory tools that crawl over the network and discover what’s there, and if the tools can see something but not identify it, go and physically trace the cable and see what’s at the end of it. It’s unacceptable not to know what you have on the network. Second, go for a walkabout – you’d be amazed what you can find simply by walking around the building, poking your head into cupboards and generally looking about. Question every cable that looks out of place – people who hook up Shadow IT devices and connections seldom do a neat cabling job. Third, police the whole Wi-Fi network, both private and “guest” – in the latter case you would expect devices to come and go, so be suspicious of anything that stays connected or appears regularly.
Challenge number two is skills. Imagine for a moment that your company has a factory with an industrial boiler, that has a network-connected control unit. As a cybersecurity specialist there’s every chance you have zero knowledge of industrial boiler control systems and it’s also highly likely that the boiler engineers have limited knowledge of IT or cybersecurity. At the very least, then, you will need to work with the engineering team to schedule and conduct upgrades on the control systems to ensure everything is patched to current, secure versions.
Cost is the third challenge, because it is entirely possible that software updates are chargeable. No IT firm would ever get away with trying to charge its customers for a security update for its products, but in an OT world where everyone is used to paying for updates (mainly because they’re often hardware or require on-site intervention to facilitate, hence they have a tangible cost) the same isn’t necessarily true. If something is chargeable then that’s the way it is – you just need to make sure it’s in the budget so there is no argument when an update becomes necessary.
Asset Lifetime Differences
There is an extra “gotcha” with the cost of updates: equipment lifespan. In our example, the typical industrial boiler has a working lifetime of around 20-25 years. The interface module is basically a computer, which may run proprietary software but could even be a cut-down PC-style device running Windows or Linux. We depreciate our laptops and servers over maybe four or five years, because as time goes by the OS and software get bigger and we need more processor power and memory. As we know, Windows 10 will be reaching end-of-life in late 2025, replacing instances of that in organizations is a high priority. So, if we’re buying an industrial system now, we need to plan for the cost of regular control module upgrades over the lifetime of the system. If we have an existing system that’s been around for 20+ years … well, that goes back to the era when Windows XP was exciting and new, so you can be forgiven for being nervous of what – if any – security was designed into it.
That’s the final main challenge: what if updates aren’t available, or there simply aren’t enough (if any) security features configured into the device? The usual approach (which is fairly common in medical applications, in fact, where an expensive piece of equipment such as an MRI scanner relies on a legacy version of Windows to drive it) is to firewall every aspect of it. If you can’t secure the device itself, build some defenses around it.
We have hunted down all the technology, considered the cost and skills required to conduct updates and have bolstered the security around legacy equipment whose own security is inadequate. There is one further action we can consider, though.
A former data center manager was very proud of the three buildings he ran until recently. Outside each is a row of big, green generators that kick into life if the mains electricity goes out. The company that maintains them is a two-hour journey away, which makes them a perfect candidate for remote management and monitoring … except he deliberately didn’t buy that module, because his view was that if an engineer is changing anything, he wants them on site in case something bad happens.
Which brings us full circle and lands us at the final action we can take to mitigate the risks of OT. We said earlier that “OT is equipment that wouldn’t traditionally have been connected to the company’s network”. Don’t forget, then, that an excellent way to secure something against attack is not to have it on the network in the first place.
- Read more in this article looking at cybersecurity’s shift from IT to OT
- ISC2 Security Operations Skill-Builders include courses on OT, including Cybersecurity in Industrial Control Systems
- ISC2 Zero Trust courses provide learning options for implementing Zero Trust to protect OT and IT systems