It’s time to update our definition of operational technology (OT). OT once described a group of technologies that directly monitored and controlled our equipment, assets, processes and events. Today, it is far more complex.
The addition of sensor networks, embedded computing, feedback loops and external stimulus allows our process plants to initiate their own communication, control and compute functions. OT today is better defined as a cyber-physical system (CPS), which includes any device that exists in both the cyber and physical worlds. You have one in your pocket, and possibly on your wrist, if you use a smartphone or smart watch.
Weaponisation of operational environments
The proliferation of CPS into operational environments is accelerating. Internet of Things (IoT) devices are collecting data everywhere, robots are walking our plants reading gauges and smartphones are being used to listen to machine noise. Most operational networks were not designed or built for CPS, and their mere presence creates new security risks which cyber attackers have noticed. Gartner recently predicted that by 2025, cyber attackers will have weaponised OT environments to harm or kill humans. The threat is serious, and our operational environments are the new target.
Obscure is not secure
Gone are the days of security through obscurity and isolation. Cyber attacks are big business, driven by profit and innovation, with attackers constantly in search of easier, softer targets. With government and industry investing significant resources into securing IT systems, attackers are turning their attention to operational environments. Cyber attackers have recognised OT as easier to access, with more serious potential impact, and therefore more lucrative.
Government intervention increasing awareness
The Securing of Critical Infrastructure (SOCI) Act recently expanded its coverage of specific entities from four sectors to eleven, capturing almost all entities with operational environments. Utilities are classified as critical infrastructure and systems of national significance, requiring positive security obligations to be met, with harsh penalties imposed and directors held responsible for cyber incidents where they are not. The Federal Government focus is helping to motivate change at the highest levels within organisations, and the growing awareness is improving understanding of our vulnerabilities.
Not an IT job
Many organisations have been forced into firefighting mode and have tasked the IT department with securing what is, to them, a foreign environment. IT cyber security skills, methods and techniques are rarely transferable to operational environments. Our process plants are built for safe and reliable production, often at the expense of cyber security.
Retrofitting cyber security capabilities therefore requires an engineered approach. Deep asset visibility, process knowledge, as well as safety and control systems expertise, are critical. You cannot secure an environment you don’t understand, and the specialist skills required are not easy to come by. Increasingly, organisations are seeking partners that can provide operationally focused, engineered cyber security services.
Independent integrated approach
Over the past 20 years, IT/OT convergence outcomes have been varied. What we have learnt is that some functions should not be converged, and cyber security is one of them. The solution is independent but integrated cyber security operations. Leading organisations are establishing a dedicated operational technology security operations centre (OT SOC) that sits parallel to their information technology security operations centre (IT SOC). The key to success is the integration and ongoing optimisation of common functions, such as threat intelligence, monitoring, planning, governance and incident response. The two SOCs work ‘hand in glove’ in proactively defending the organisation and reactively responding to cyber incidents.
Look after the basics
Your cyber defence is only as strong as its weakest point, which, for most organisations, is the hygiene of the operational technology environment. Unidentified, unpatched or unsupported software and hardware create easy-to-exploit vulnerabilities within the operational network.
Zero-day flaws, uncontrolled IoT deployments and increasingly sophisticated social engineering attacks are exposing new vulnerabilities daily, often requiring immediate action. Operational teams tasked with safe production rarely have time to address these vulnerabilities, so the risk remains neglected when it should not be. This type of routine work is easily outsourced as a managed service to automation vendors with cyber security capability.
Start with intelligent cyber recovery
Recent events have demonstrated that all organisations will experience a cyber incident at some point. Post-incident reviews have painfully exposed the inadequacies of enterprise backups for rapid recovery of operational environments.
IT backup solutions are built for data protection and the restoration of IT capability. The configuration of operational environments is sometimes excluded from IT backups, or only partially covered. The result is a slow, manual recovery to pre-incident production capacity.
New cyber vault solutions are available and can be purpose-built for the rapid recovery of operational environments. Advanced features, including artificial intelligence (AI), hybrid deployment, automation and orchestration, allow backups to be isolated, immutable and intelligent, greatly reducing recovery time and effort.
The evolution of our operational environments is ongoing. Each day comes with new cyber physical systems and new cyber security threats targeting our operations. The choice to neglect these threats has been taken from us and we now need to act urgently to reduce our risk.
Thankfully, many of the solutions are readily available and easy to adopt. The key is ensuring the changes are engineered and supported by people who really understand your operations.