Critical infrastructure and operational technology Critical infrastructure and operational technology Critical infrastructure and operational technology

When you think of cyber security, you probably don’t think of a baby monitor. What about an elevator or a fire safety system? Most people understand the need for cyber security when it comes to networks and endpoint devices, but rarely do they consider infrastructure or industrial systems.

Organizations have been affected by wildfires, floods, and severe weather events—all of which have been on the rise. Multi-year cyber security plans are being compressed into months as we try to keep up with and respond to the ever-escalating pace of change. Critical events are pressing organizations to think about the bigger picture—about how their information systems, industrial systems and people are working together.

The difference between IT and OT
Operational technology (OT) is the hardware and software that monitors and controls physical industrial processes and devices. Information technology (IT), on the other hand, is the use of computers to create, process, store, retrieve, and exchange digital information in support of business operations.

Engineers designed and developed OT to enhance things like manufacturing plants, gas pipelines, water treatment plants, and trains. But it’s the combination of IT and OT that produces better infrastructure, smarter devices and big data.

The impact of industrial control systems security
A member of my team here in Calgary, Owen Key, Director of Cyber Security, paints what I think is a pretty clear picture: “When you consider the ability of criminals to hack into your vehicle and disable the brakes,” he says, “innovations such as self-driving cars suddenly seem like a scary proposition.”

Owen specializes in the integration of both OT and IT, resulting in a comprehensive business perspective. He points out that, traditionally, IT and OT have not necessarily worked hand-in-hand. In fact, the way Owen sees it, there can be a “broad cultural divide.”

OT systems tend to be a legacy of add-ons. Their computers used to have no network interfaces, neither wired nor wireless. They were essentially air-gapped, and data was moved via devices like thumb drives. IT team members, on the other hand, work in an environment where upgrades are required and rolled out regularly. They were two different worlds.

These days, integration is increasingly critical. COOs want to remotely check and change systems—but so do cyber attackers. Attackers don’t care about silos—whether an asset falls under IT or OT. But Owen and I believe COOs and CTOs can be engaged over the issue of safety. After all, their adversaries are the same. Cyber criminals just don’t care about the disruption they cause. They relish it, and they’re after your money.

Cyber criminals are organized, well-funded, well-defended—and serious. And, of course, where human life is at risk, the responsibility on the C-suite to make careful, informed decisions only increases. Owen is relentless in his effort to educate business leaders so they can make sound decisions based on information they can understand.

There’s also the fact that major infrastructure generates huge amounts of data, which used to go to database administrators. That data is now being combined with other functions, such as billing and accounting systems. To give you an idea of the implications of this, an energy-sector firm in the United States was recently an entryway for hackers. In just under two hours, their data was stolen. Suddenly, a significant proportion of energy infrastructure was at risk, along with the entire North American supply chain, as the cyber criminals exploited the interdependency between IT and OT.

What do leaders need to consider?
As I see it, there are three priorities:

1. Developing processes and breaking down silos. One of the most difficult challenges is that a lot of times you can’t take the OT systems offline to test them—the facilities, after all, must keep running. But COOs can work with CTOs to investigate the controlling network. In addition to scheduled maintenance and security upgrades, replicating production environments for testing purposes will improve upgrade rollouts.
2.  Acknowledging the unknown and preparing as best as possible. It’s time to admit that your adversaries already know more than you do. Understanding the common goal of risk reduction is the first step in defense. Not only can attackers acquire physical access to a device, but they can also infiltrate through phishing, ransomware, wireless hijacking, and eavesdropping. Companies that are dependent on automated processes to make good on contractual obligations need to take extra care.
3. Keeping up to date on the ongoing development and establishment of standards. The Canadian Standards Association (CSA) is starting to look at OT standards, and there is more regulation around endpoint devices. Leaders should benchmark against these standards. Resources to consider are the Centre for Internet Security (CIS), the International Organization for Standardization (ISO), and the National Institute for Standards and Technology (NIST).

Whereas some practitioners say that you need to protect literally everything, Owen notes that may not be true. “There’s a lot you can do already with your existing infrastructure, he says. “To maintain a cyber-defensible position, however, there are three questions to ask at every level”:

1. What assets are at risk?
2. Is the program ready to meet today’s—and tomorrow’s—challenges?
3. Are both OT and IT personnel trained and tasked to work together toward the common goal of reducing risk?

To get started answering these questions, consider a cyber maturity assessment, which identifies gaps in compliance and risk management of assets, and assesses the scale of cyber vulnerabilities, whether on a site-by-site basis or organization-wide. Through the assessment, priorities can be identified along with an action plan, to ensure that you are mapping cyber practices against industry standards. It goes beyond technical evaluation and provides a rounded view of people, processes, and technology—turning information risk into advantage.

What we do now, as the environment between OT and IT becomes ever blurrier and new risk is identified, affects the future profoundly. No matter how far and how fast technology develops, both security and safety should be baked in.