Operational Technology Security: The Silent Guardian of Industry
Events at the end of 2023 have underscored the importance of operational technology (OT) security – a series of cyber attacks, suspected to be the work of an Iranian government-linked group, targeted US water facilities using Israeli-made technology.
One of those water facilities is in Pennsylvania. The Municipal Water Authority of Aliquippa was breached via a digital control panel by the group known as Cyber Av3ngers. This attack, part of a broader pattern of geopolitical tensions and cyber warfare, highlights the evolving landscape of threats to our critical infrastructure and the vital role of OT security in safeguarding it.
What is OT security?
First things first, let’s define OT.
OT is hardware and software that detects or causes a change by directly monitoring and/or controlling industrial equipment, assets, processes, and events.
And…
OT security is the act of securing OT.
How does OT security differ from information technology (IT) security? The main difference is that while IT security focuses on safeguarding data, software applications, and networks, OT security is about ensuring that physical operations, like manufacturing or energy production, run smoothly and safely.
Think about going to an airport. When you book a flight, you enter your personal data, receive a boarding pass, and use it to check in at a front desk, kiosk, and gate. From a technology perspective, every one of those interactions is with the airline’s IT systems. Security here means ensuring no unauthorized person can access or alter your sensitive data.
At this point, you’ve already dropped off your luggage on a conveyor belt, and now you’re on the plane and safely taxiing, guided by runway lights and the air traffic control system. Security here is OT, which ensures that these physical processes happen safely and on time so planes can land and take off without risk and your luggage arrives at the right destination.
Real deployments are more technical than this example, but it shows how IT and OT differ fundamentally: one protects information, the other protects physical processes.
The real-world consequences
The stakes of OT security are not confined to the digital world; they have real-world consequences. Here are four riveting examples of OT networks that were breached:
Oldsmar water utility hack - An attacker came within a mouse click of tainting a Florida community’s water supply with lethal levels of sodium hydroxide. OT security thwarted this near catastrophe.
Ukraine power grid cyberattack - Orchestrated in 2015 using BlackEnergy malware, leading to short-term power outages affecting hundreds of thousands of people (we’ll look at this later in the article).
Stuxnet - The infamous 2010 attack on Iran’s nuclear enrichment facilities severely damaged centrifuges by manipulating the programmable logic controllers (PLCs) that operated them.
Triton/Trisis attack - Targeted safety systems at an industrial facility with potential catastrophic outcomes.
These incidents demonstrate the severe real-world costs of OT security failures and underscore the international scope of the problem.
Challenges in OT security
You may wonder, “Okay, OT security is clearly a problem. Let’s focus on it! Easy-peasy!” Well, there are distinct challenges to OT security, especially safeguarding its physical processes. Here are the main complications:
Lack of built-in security measures: Legacy OT systems, prevalent in critical infrastructures, often lack essential security features like encryption, intrusion detection, and authentication protocols.
Costs are high: Upgrading legacy OT systems to modern, secure counterparts is costly. The investment required can be substantial, often reaching millions or billions of dollars, making it difficult for organizations to allocate resources for security improvements.
Downtime causes disruption: OT systems often need to operate continuously. Interrupting these physical processes can have real-world consequences, which makes it challenging to implement security updates and patches without causing disruptions.
IT and OT convergence: Integrating IT and OT systems for efficiency and real-time data analytics has excellent benefits but creates new challenges. These challenges include ownership ambiguity, mismatched update cycles, interconnected risks, and resource allocation issues.
A growing focus for bad actors: As cyber threats evolve, exceedingly well-funded nation-state-sponsored actors and malicious entities increasingly target critical infrastructures and OT systems. Defending against these sophisticated threats is an increasingly difficult challenge.
Network complexity: OT environments often have interconnected components that operate in real-time. Changing one element can impact others, leading to potential disruptions and complexities in applying security updates.
Addressing the above requires a new approach that recognizes the distinct nature of OT security and the critical real-world implications of security breaches in these environments.
What we can do now
It’s not all bad news! Instead of major overhauls, incremental steps can significantly improve an OT system’s security posture. Here are some actionable steps organizations can take today:
Layer security: Add additional layers of security, like firewalls or intrusion detection systems, that can work with existing OT devices.
Segment your network: Isolate OT networks from broader IT networks to minimize risk exposure. According to NIST Special Publication 800-82 Revision 2, effective network segmentation in Industrial Control Systems (ICS) environments involves “developing and enforcing a ruleset controlling which communications are permitted through the boundary.” Keep in mind that micro-segmentation requires heavy maintenance that tends to lead to flat network environments. Macro segmentation tends to be easier to manage and is thus more successful. Remote browser isolation, another way to segment your network, can be helpful as well.
Use universally compatible security solutions: When possible, use software solutions compatible with multiple vendor technologies, thus bypassing the need for vendor-specific products.
Engage in remote monitoring: Advanced, real-time monitoring can flag abnormalities instantly, allowing quicker responses.
Train your people: The most significant security risks sometimes come from within, as we’ve seen with many data breaches in the past. The 2023 MGM incident might be another example of it. Comprehensive security training for staff can often mitigate risks without any hardware changes.
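The segmentation step above quotes NIST SP 800-82's advice to develop and enforce "a ruleset controlling which communications are permitted through the boundary", and the monitoring step asks for abnormalities to be flagged as they happen. The following is an added example written for this article, not code from the article, from NIST or from any vendor product. It models a default-deny boundary ruleset between three coarse (macro) zones and evaluates a handful of constructed flows against it, so that every cross-boundary flow the ruleset does not explicitly permit surfaces as a denial worth alerting on. Zone names, address prefixes, the rules and the sample flows are all constructed for illustration; the only real value is Modbus/TCP's registered port, 502.

```python
"""Default-deny boundary ruleset between IT, DMZ and OT zones (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed macro-segments: one prefix per zone. A real site would derive these
# from its own network plan; the prefixes here are placeholders.
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("192.168.50.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One permitted cross-boundary communication (zone to zone, protocol, port)."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Constructed allow-list. Anything that does not match a rule is denied.
# Note the shape: IT never reaches the control zone directly; it goes through the DMZ.
RULESET = [
    Rule("enterprise_it", "dmz", "tcp", 443),   # IT reads a historian mirror in the DMZ over HTTPS
    Rule("dmz", "ot_control", "tcp", 502),      # DMZ collector polls controllers over Modbus/TCP
]

Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dst_port)


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow crossing (or not) the boundary."""
    src_ip, dst_ip, proto, dst_port = flow
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "address not in any known zone"
    if src_zone == dst_zone:
        # Traffic that stays inside a zone never crosses the boundary; the
        # boundary ruleset has nothing to say about it.
        return "allow", f"intra-zone traffic within {src_zone}"
    if Rule(src_zone, dst_zone, proto.lower(), dst_port) in RULESET:
        return "allow", f"matched boundary rule {src_zone}->{dst_zone} {proto}/{dst_port}"
    return "deny", f"no boundary rule for {src_zone}->{dst_zone} {proto}/{dst_port}"


def denied_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Every denied flow with its reason: the list a monitoring system should raise."""
    out = []
    for flow in flows:
        verdict, reason = decide(flow)
        if verdict == "deny":
            out.append((flow, reason))
    return out


# Constructed sample flows, as a firewall or flow collector might report them.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.1.5", "10.20.0.10", "tcp", 443),          # IT -> DMZ historian: permitted
    ("10.20.0.10", "192.168.50.11", "tcp", 502),      # DMZ -> controller, Modbus: permitted
    ("10.10.1.5", "192.168.50.11", "tcp", 502),       # IT straight to a controller: denied
    ("192.168.50.11", "10.10.1.5", "tcp", 443),       # controller initiating outbound: denied
    ("10.20.0.10", "192.168.50.11", "tcp", 22),       # DMZ -> controller on an unlisted port: denied
    ("192.168.50.11", "192.168.50.12", "tcp", 502),   # controller to controller, same zone: not a boundary crossing
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = decide(flow)
        print(f"{verdict:5} {flow[0]:>15} -> {flow[1]:<15} {flow[2]}/{flow[3]:<4} {reason}")
    print(f"{len(denied_flows(SAMPLE_FLOWS))} flow(s) to review")
```

The point of keeping the zones coarse is the one the article makes: a short allow-list between three zones stays maintainable, whereas a rule per device tends to be abandoned and the network quietly goes flat again. Each denial the evaluator produces is also a ready-made monitoring signal; a controller initiating a connection toward the enterprise network, as in the fourth sample flow, is exactly the kind of abnormality the remote-monitoring step wants flagged.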
Embracing the future
OT security is not just a technical concern; it's a vital element in ensuring the safety and reliability of critical infrastructure and industrial processes. Whether you're an industry expert, a policymaker, or simply someone who cares deeply about our digital future, your understanding of the significance of OT security is a positive step toward building a safer world.
Historically, OT security strategies have mirrored those in IT, a practice that overlooks critical differences. Recognizing these distinctions allows us to collectively safeguard our critical infrastructure more effectively.
As security events in the critical infrastructure space have shown, the urgency for robust OT security is at an all-time high. In the face of sophisticated nation-state cyber threats, the advice from policymakers and cybersecurity experts is clear: we must be vigilant, prepared, and proactive. Our journey towards a secure OT environment is a continuous, demanding engagement that requires action from all involved to mitigate these ever-evolving cyber risks.
Ready for more epic articles?
All we have to decide is what to do with the time that is given to us. So… you should probably share this article with your wizard friends and Shire folk alike.