Operational Technology (OT), while crucial, is undermining Infrastructure Security

Posted on by Robert Ackerman

As a cybersecurity-focused venture capitalist, I have mentioned more than once that the private sector, especially large corporations, has done a much better job in recent years of protecting its companies, including their infrastructure security. Cyberattacks and breaches nonetheless continue to increase because many attackers are highly sophisticated and keep evolving, and that is not a problem that can be fixed overnight.

There is More Complexity to this Story

One especially important segment of the digital landscape is Operational Technology (OT): the systems used to monitor and control a wide array of industrial processes. The way these systems function has changed enormously in recent years, and those changes have sharply increased their exposure to attack.

For decades, OT was considered safe from attacks because it ran on isolated internal networks. Today, OT devices are increasingly exposed to the Internet, creating new pathways for attackers to reach them. IT and OT are converging, meanwhile, because they now have more in common: both are shaped by the Internet and the explosion of Internet of Things (IoT) devices, and both need to be better managed.

Just How Serious Is the Increase in Attack Vulnerabilities?

Just last month, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and other government agencies urgently warned companies to implement security mitigations against pro-Russia hacktivists conducting malicious cyber activity against OT devices and critical infrastructure organizations. The warning followed a Russia-linked hacking group claiming responsibility for a cyberattack on an Indiana wastewater treatment plant.

On the positive side, the federal government has helped private-sector companies with cybersecurity and infrastructure issues. Overall, however, its record has been mixed at best. A major reason is illustrated by the Russia-related incident above: the government wants companies to act, but seldom requires them to do so. So, while some companies respond to a warning, others do not.

There is no question that the federal government today plays a more active role in providing resources and useful frameworks—sets of documents describing guidelines, standards, and best practices for cybersecurity and related risk management—and these help reduce organizational exposure to cyber vulnerabilities. The government also promotes information sharing to improve security. Key participants include the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA) and Sector Risk Management Agencies (SRMAs), and the Department of Homeland Security.

Yet there are virtually no federal regulations that mandate specific cybersecurity measures for most businesses, and this has turned out to be a serious drawback. Infrastructure protection still ultimately lies with individual companies.

Securing critical infrastructure is vital to ensuring the American people have access to services like drinking water, electricity, and food. It’s also crucial to protecting high-value industries from cyberattacks, such as the chemical, communications, emergency services, healthcare, and information technology and transportation sectors. If hackers could breach the critical infrastructure of these sectors, the result could have devastating consequences for organizations and could also seriously threaten communities.

Industrial operations, in particular, are increasingly under threat. OT attacks are common and widespread. Most originate on the IT side and spread into OT, and ransomware has been a particular nemesis. A number of companies have been forced to shut down, losing revenue and incurring significant remediation costs.

OT security efforts are expected to keep growing, but implementing the proper solutions will not be an easy task. Among the obstacles faced by industrial operators are the siloed operations of OT and IT teams.

This results in misaligned cybersecurity decision-making and poor cooperation. Research shows that seven in ten industrial OT attacks originate in IT, signaling an urgent need for OT and IT departments, and their technologies, to work more closely together. As an example of the current situation, a recent survey of nearly 2,000 executives and practitioners by ABI Research and Palo Alto Networks found that responsibility for OT cybersecurity purchase decisions was shared by both OT and IT teams only 40% of the time.

Partly because OT devices are exposed to threats from IT as well as from OT sources, the number of attacks hitting them is enormous. The survey found that three out of four OT organizations experienced a cyberattack in the past year. About one in four were breached, and most were exposed to multiple attacks.

How Can OT Players Cope with All of This?

They should develop a vendor and OT cybersecurity platform strategy. They should also deploy network access control technology, limiting user access and blocking endpoint devices that do not comply with security policies. And they should consider adopting a zero-trust access approach, which continuously verifies all users and their devices.

The Federal Government Should Expand Its Offerings

Most important, the federal government should define a level of expected cyber resiliency and produce a methodology for achieving it. The NIST framework does this in an advisory capacity, which is useful as far as it goes. Still needed, however, is a mandated level of preparedness with clear accountability and consequences for failure to meet the standard.

Will things ultimately work out? The answer is likely yes, with a lag. “I think everyone is at least aware of the problem that OT cybersecurity needs to be more modernized,” says Paul Griswold, Honeywell’s chief product officer of connected cybersecurity.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
