Organisations are still underestimating the risks created by insufficiently secured operational technology (OT).

One current example comes from Germany. According to a report by heise.de, external security testers consider it “likely” that a successful serious cyberattack against the publicly owned water company Berliner Wasserbetriebe could lead to a complete failure of the German capital’s waste water management.

The good news, at least for Germany, is that a combination of engineering standards and legal requirements often prevents many worst-case scenarios from happening. One such regulation requires utility companies to be able to control their grids manually if necessary. This is not the case in all European countries. If the legally required basic IT protections are in place, and two-factor authentication and other best practices are used, many potentially damaging incidents can be prevented or at least contained. Germany has a number of guidelines and standards that aim to minimise cybersecurity risks, including a law on basic IT security, ISO 27001, the IEC 62443 standards and a compendium published by the BSI, Germany’s equivalent to the UK’s National Cyber Security Centre. There are even free tools to check and document compliance with these guidelines, like the Light and Right Security ICS.

But while these tools can be helpful, they also require a considerable amount of work by qualified personnel. Many public institutions are struggling to find such personnel and the money to pay for the initial system assessment. We should also not forget that despite all efforts, there will always be a remaining risk, especially with regard to compliance and the potential loss of reputation after a security incident.

IT versus OT?

Until fairly recently, OT and ICS environments were physically separated from enterprise IT and therefore not considered vulnerable to cyberattacks. Some OT networks are older than the security experts