Ask most people about cybersecurity, and they might be able to tell you about email phishing scams or ransomware attacks. However, operational technology cybersecurity is less well understood because these systems have mostly been hidden from public view, often deployed in factories, manufacturing facilities or embedded into the built environment around us. In many cases, they’re custom built for a single purpose in a specific setting.
Yet these systems are critical to running essential parts of the world around us. And the more they connect to the internet and interact with IT networks, the more vulnerable they become to the same cybersecurity risks that those IT systems face every day.
Businesses and boards of directors need to pay closer attention to this overlooked part of their infrastructure because it is a growing business risk.
Against this backdrop, BT Ireland hosted its inaugural Secure-OT23 event which explored the challenges involved with securing OT in today’s always-connected digital environment. The day-long conference gathered thought leaders, security practitioners and subject matter experts who:
- outlined the OT security landscape today
- examined the risks on the horizon
- shared best practice on how to protect OT from threats that could disrupt operations.
Over the course of this four-part blog series, I’ll share thoughts and key takeaways from the event.
What is operational technology (OT)?
The first speaker was Richard Bainbridge, General Manager for the Cyber Security Portfolio at BT. He set the scene by defining OT. “When we talk about it, we really mean hardware and software that's directly monitoring or controlling industrial systems,” he said. The term can cover HVAC and building heating systems, generators and industrial robots – even sensors in soft drink dispensing machines.
In the past, the assumption was that these systems were safe because few people knew where they were, or how they worked. “The approach was ‘security through obscurity’,” said Richard.
But that’s changing. Richard described a “perfect storm” of a skills shortage in industrial security operations, together with a tightening of national laws to mandate the protection of critical infrastructure, operational technology and industrial control systems.
Why OT is a business risk
And the single biggest trend that’s increasing the risk to OT is that these technologies, which have often been operating for decades, are now being linked to IT networks. “The more connected it becomes, the more vulnerable it is,” Bainbridge said.
Richard explained how threats against these systems are increasing. “Malware is starting to emerge that specifically targets OT,” he said. The number of vulnerabilities is also growing by 20% year on year, he added.
Trish McGill, a subject matter expert in OT and IT, said attacks against industrial systems have been happening for many years. “But not everything is reported. Hardly anything is reported or announced in public. So this is not something new,” she said.
Industries under attack
No industry is spared. Some of the most prominent attacks during 2022 included 14 plants of one large car manufacturer being shut down for a day, which led to 10,000 units of production lost. An aircraft manufacturer was forced to close its operations, halting all orders for a week. An interruption to a food processing company’s production caused a two-month delay in deliveries.
What all these examples have in common is criminal ransomware that targeted either IT systems or suppliers that OT systems depend on.
Incidents like these have real-world consequences. Guest speaker Rohan Vermeulen, Automation Infrastructure Lead (OT/ICS), Pfizer, summed up the difference as: “IT is concerned with confidentiality… OT is different. If the production line is down, you’re losing money.”
The business cost of cybersecurity incidents
Put another way: many organisations find it hard to quantify what it would cost their business if their IT systems were unavailable for a period of time. But if a production line was stopped for an hour or a day, you can be sure they’d quickly find a calculation to tell them how much money they were losing.
And these examples aren’t just happening in other places. Trish McGill pointed to AON’s survey which found that almost one in five Irish businesses experienced a cyberattack or data breach in 2022. She noted that larger companies with more than 250 employees are more at risk.
The consequences might not just be financial in nature. In 2021, ransomware also brought the HSE to a standstill for weeks.
Three steps on the OT cybersecurity journey
Boards and businesses need to know the risks, but they can also take steps to address them. In this and the following blogs in this series, I’ll share advice from the guest speakers about how to do this. Even for organisations that are just starting to understand the need to secure operational technology, here are three tips to guide you:
1. Figure out where you are on your OT journey
Understand the scale of the challenge for securing OT in your business (this is something I’ll return to in future blogs in this series), decide on the priorities, and understand how much budget you will need.
2. Focus on business resiliency
Determine which sites are the most critical for the business. That might only be a percentage of the total, but focus on protecting them first so there’s minimal impact on production in the event of a security incident. Make sure production can keep running for a period of time, even if there’s an interruption to your IT systems.
3. Plan to make the OT and IT stack work together
This will sound like a contradiction: businesses need one single, unified strategy to cover both their IT and their OT security, but they also need to enable them to run independently of one another so an attack on one doesn’t affect the other.
In the next blog in the series, I’ll take a closer look at one of the biggest myths in OT security.
Paul McEvoy is a seasoned professional with an extensive understanding of the cybersecurity industry. With a comprehensive technical knowledge of security products, services, vendors, and processes, Paul helps customers to navigate the evolving threat landscape and avail of governance frameworks to manage their security more effectively. Currently serving as a Cyber Security Deal Architect at BT Ireland, Paul strategically drives BT’s Global Security Services through innovative marketing campaigns, industry events and workshops.