Operational technology: A target of cybercrime
Operational technologies (OT) that deliver electric power, move oil and gas or operate assembly lines in an enterprise are no longer isolated from IT systems: they connect to them through portable storage devices or networks, and thus run the risk of exposure to cyber threats. Initially installed as “fit-for-purpose” proprietary systems, OT systems have now adopted more general-purpose IT systems and network platforms for many of their functions. Thus, in a technology-driven world, physical security and information security are converging rapidly, and it is becoming increasingly difficult to compartmentalize them. Today, because OT systems are vulnerable to cybercrime, the security of OT falls under the purview of cybersecurity. However, IT professionals are likely not fully aware of how operational technology functions and are therefore not equipped to take full control of these connected devices.
Different systems being brought under the same umbrella
Against the backdrop of increasing use of mobility for data gathering from mobile field workers, and of open platforms for facilitating organization-wide integration of data, more optimization applications are being deployed over OT, leading to the convergence of OT and IT. Although they share many underlying components, such as sensors, actuators, meters, machine-to-machine communication and embedded systems, a few fundamental differences remain between these systems. Before bringing these converged OT-IT systems under the umbrella of a common cybersecurity strategy, it is important to look at the following points of difference:
Legacy systems: Unlike open platform-based IT systems, OT systems are often based on vendor-specific, proprietary technologies operating in a real-time or near real-time environment. These systems have kept their default configurations for a long time and have not been updated by vendors after installation. This makes it difficult for IT professionals to fully understand the functionality of OT systems and to install suitable security measures accordingly.
Siloed architecture: While IT systems are relatively standardized and can quickly adopt multiple technology trends such as mobility and cloud computing, OT systems are filled with silos of proprietary architectures because of their task-specific nature. This makes it difficult to adopt a “fit-for-all” approach when updating the system with enhanced security patches.
Less frequent maintenance: Traditionally, OT systems have been designed to run reliably for a long time before they need maintenance. For example, a refinery is designed so it can run continuously for at least five years before it is shut down for maintenance. This emphasis on reliability often narrows the scope for incorporating innovative and robust security measures into these systems.
Limited skill set: Due to the legacy-based and proprietary nature of OT, only a limited number of vendor personnel have the manual-based basic skills needed to operate OT systems. Most of the time, their skills are limited to shutting down and restarting systems. Vendors are hesitant to make even the smallest changes to the functionality of OT systems, as they are unsure of the impact of any change.
Different development path: OT applications, hardware and networks have followed a different development path from IT. This has resulted in platforms and protocols that IT professionals may recognize only in principle, making it difficult for IT security professionals to secure operational technologies that have typically not been under their purview.
OT vulnerable to cyber attacks
OT systems are not only difficult to secure; they are also the ones more vulnerable to security breaches. Much of OT has mechanical origins and was not built with the coming trend of digital transformation in mind. OT systems have administrative passwords that are published in device manuals, which are easily available online. Furthermore, outdated government regulations make it difficult to make security changes to OT systems. For example, in the health care industry, regulations have been stringent to the extent of restricting IT professionals from implementing security patches.
Addressing these challenges has been difficult because many businesses deny that such systems have vulnerabilities. However, it needs to be understood that certain businesses will be in grave danger if unsecured operational technology is attacked. For example, in a facility where lighting is critical to worker safety, a security breach could lead to many deaths.