Operational technology (OT) makes our factories run and ensures the critical infrastructure can fulfill its services. Yet, when we talk about manufacturing and systems in terms of cybersecurity, the focus tends to be on protecting the IT networks, rather than protecting OT.
“The OT that automate production and ensure safety in the industrial sector are different from IT,” said Eddie Habibi, founder and CEO PAS Global, who put together an ebook project, “Advice to CISOs: How to Approach OT Cybersecurity.”
“To secure industrial facilities and ensure safe, reliable production,” he wrote in the ebook, “OT and IT security—traditionally two separate disciplines with different priorities—must come together to share cybersecurity and risk management best practices.”
But how do you make that happen?
The Challenges to ICS and OT Security
According to the ebook, some of the challenges their industrial control systems (ICS) face include:
• In IoT devices, the security fault line lies in the development and manufacturing; security isn’t built into the device, usually because the developer wants to get the device to market quickly and security is an afterthought to be dealt with later. In ICS, it is a similar problem in that security isn’t built into the system, but that’s because many of these systems are decades old—designed to last 30 or more years—and were in place long before cybersecurity was a concern.
• There is little outside incentive to deal with OT cybersecurity. Other industries like finance or medical are regulated; they have security compliances they are required to meet. But ICS doesn’t have that level of regulation, despite the risks.
• Vendors don’t look at OT security holistically and don’t see the big picture of how their ICS platform affects multiple customers.
These challenges seem to fit with those faced in other industries, so I asked Habibi what makes protecting ICS/OT from a cyberattack such a unique challenge.
“The critical infrastructure in every country provides the essential utilities, products and services that comprise the elements that drive the economy and provide the quality of life the modern world enjoys,” he told me. “Shut down clean water, interrupt power distribution or stop producing gasoline for two (to) three weeks in a region and what you have is the equivalent of a major natural disaster or a full-scale war. The criticality of the critical infrastructure is what makes it so important and unique to protect against cyberattacks. We all can survive without access to email or to our bank accounts for a couple of weeks. But none of us can go long without clean water for an extended period.”
OT systems such as distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems tend to be disparate, but are still proprietary, highly complex, and multigenerational. “While the IT community has been aware of cyber risks and protective of their cyber assets for more than two decades, many OT assets are still unprotected. It is only over the last few years that attention to OT security has intensified,” he added.
Protecting ICS Assets
At minimum, Habibi said, companies must implement foundational security practices that include the following:
• Protecting OT assets in every industry begins with the establishment of an accurate and complete inventory of all components that make up such assets. These include field instruments such as sensors and actuators, process control computers and process control network devices such as operator consoles.
• Once an accurate inventory is secured, companies must identify and address known vulnerabilities, e.g., Microsoft Windows patches and upgrades to antivirus software and firewalls.
• Strict management of change must be implemented to protect against unauthorized modifications to programs and configuration of control systems.
• Every company must assume that at some point their OT system will be compromised. Preparing for such a situation is critical to business continuity, and it begins with a robust and automated backup and recovery system.
“The good news,” Habibi added, “is that board members and executives at most infrastructure companies are aware and are taking action to protect their OT systems, the very systems that ensure safe production.”