Why We Can’t Afford to Sleep on OT Cyber Security
If there’s any certainty in life, aside from death and taxes, it’s that things change. Environments change. Circumstances change. Technologies change. People change.
Charles Darwin taught us that change doesn’t always happen quickly, sometimes taking generations to occur. He also concluded that, “it is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change.”
In the world of operational technology – or OT – the ability to respond to change can have existential consequences for us all. These are the networks that monitor and manage our nation’s critical infrastructure, including the operation of industrial equipment and processes – from manufacturing and transportation, to electrical grids and water treatment facilities. OT also plays a key role in the operation of the networks managing our nation’s defense systems. In short, the water we drink, the food we eat, the power we consume, the security we rely on – it’s all possible, in part, due to the use of operational technology.
Clearly, there’s a lot riding on our OT networks, so getting it right is imperative, despite the inevitability of change. But what’s chilling is the fact that historically, OT is an area of technology that has been underserved when it comes to network security due to the assumption that it was “air-gapped,” which means disconnected from the rest of the world.
While most everyone is familiar with the importance of keeping up on IT security – reminded by the constant headlines of hackers compromising consumer data – not many are aware that OT security vulnerabilities also exist. And when these vulnerabilities are attacked, they do not get reported on by mass media like IT security breaches do. As the IT industry occupies the spotlight, OT exists in the background, invisible to most of us – until the lights suddenly go out, water quality is compromised, supply chains get disrupted, or much worse.
The old adage, “out of sight, out of mind,” couldn’t ring more true when it comes to OT cyber security. It wasn’t until our nation’s largest oil pipeline, the Colonial Pipeline, which carries gasoline and jet fuel to the Southeastern United States, was shut down in 2021 by a cyber attack that the nation woke up to the vulnerabilities that exist within its OT infrastructure.
In general, the management of OT network security simply hasn’t kept up with the rise of the Internet of Things (IoT), sensors and remote devices – what many are calling “Industry 4.0”. OT devices that have traditionally been kept separate from the public internet and accessible only by authorized users can now be controlled and monitored by IT systems or remotely via the internet. While this makes it easier for organizations to operate OT devices and monitor performance, it also potentially exposes the OT network to internet-based attacks.
Tom Sego, cofounder and CEO of BlastWave, told VentureBeat that, “IT revolves on a three- to five-year technology-refresh cycle. OT is more like 30 years. Most HMI (human-machine interface) and other systems are running versions of Windows or SCADA systems that are no longer supported, can’t be patched and are perfect beachheads for hackers to cripple a manufacturing operation.”
There are fundamental differences between maintaining IT network security and OT network security. IT systems are widely connected, ever-changing, and are run using common operating systems such as Windows or macOS. OT systems are siloed and run autonomously on proprietary software. But the line between IT and OT gets blurred when connected devices and the IoT enter the picture. This is problematic given that there are very few network administrators who are trained to effectively oversee the security of both OT and IT environments. They’re like unicorns, and many wonder if they even exist.
Further compounding the issue is the fact that attacks are happening more frequently. Security Magazine noted that “critical infrastructure is, and will continue to be, highly targeted” by state-sponsored hacker attacks. The publication’s 2022 survey for OT security found that 72 percent of OT operators had been disrupted by a security issue more than five times in a year, but, in general, they couldn’t identify whether the disruptions were caused by IT or OT.
The Biden administration recently responded to the rise in attacks, allocating $11 billion toward civilian cybersecurity spending. This is important given that the U.S. has fallen behind other countries that have more fully adopted the technologies and security practices of Industry 4.0, and are already exploring Industry 5.0.
As citizens of the U.S., we should all be demanding greater OT security. The world has changed and continues to change – and it’s imperative that the technology operating our nation’s critical infrastructure is prepared for an attack, and has the ability to remain operative when it happens – not if it happens.
Robin Berthier is Co-Founder and CEO of Chicago-based Network Perception, a startup dedicated to designing and developing highly usable network audit solutions. Berthier has over 15 years of experience in the design and development of network security technologies. He received his PhD in the field of cybersecurity from the University of Maryland College Park and served the Information Trust Institute (ITI) at the University of Illinois at Urbana-Champaign as a Research Scientist.