Security challenges of operational tech
By Andrew Sheedy, director OT solutions, Fortinet
Friday, 05 November, 2021
Operational technology (OT) is critical to keeping a society functioning. Government-owned OT must be protected against the risk of cyber attacks because an attack in the cyber world can have physical consequences in the real world, for example in health care and national defence.
In the past, OT systems were built to be air-gapped: they had no connection to the internet or to corporate networks, ran fully independently and could not be reached remotely. That isolation removed the remote attack path entirely; compromising such a system required physical access to it (or to the removable media and engineering laptops that touched it), which made attacks very difficult to execute.
Over time, OT has become increasingly connected to the internet, delivering a raft of benefits to governments, including the ability to monitor systems remotely. However, this has also exposed these systems to threats they were never designed to withstand. Simply applying an IT security overlay is not always possible: patching is often impossible, and installing security agents on control hardware can make it unstable.
While upgrading to a new and improved system may seem the obvious choice, governments must weigh the disruption to critical services, and the existing systems often have years, if not decades, of service life left in them, which makes outright replacement unviable.
Governments looking to embrace digital transformation must not overlook the urgent need to upgrade and secure existing OT systems. In doing so, they face four key challenges:
1. Threat of a severe attack
A typical cyber attack causes an organisation inconvenience, financial loss and reputational harm. A cyber attack on government-owned OT systems can shut down society at large and, in the worst case, cause large-scale loss of life. The risk assessment for these programs therefore needs to be different from an average crisis plan.
2. Staying online no matter what
The goal of IT security is to protect data; OT security aims to protect the continuity of operations. In a traditional IT incident, systems teams shut down or isolate the affected systems to cut attackers off from important data, then restart them once the threat has been remediated. In an OT attack, shutting the system down is the attacker's ultimate aim, and governments need to avoid handing it to them.
Keeping these systems online and available at all times is critical: an outage of even a few minutes in emergency communications and response, traffic management or energy production could end in disaster. The challenge, therefore, is to find ways to protect these systems without disrupting operations.
3. Patching is often impossible
When a new IT threat emerges, the immediate advice is usually to apply the patch that addresses the known vulnerability. Many OT systems, however, have decades-long lifetimes: the vendor may no longer supply patches for the platform, or the system cannot be taken offline for the reboot a patch requires. Replacing these systems is usually not viable in terms of cost and disruption, so unpatched systems remain in place.
4. OT security is built for different threats
Most IT security models are built for IT-focused attacks, so security tools are designed specifically for the IT network and its protocols. OT operates in a very different environment, and IT security tools may not be able to detect or prevent attacks on OT networks.
Most attacks on OT reported over the last decade were halted before injury or loss of life occurred, but the fact that they got as far as they did is evidence that the risk to life is not merely theoretical. By contaminating drinking water, overriding or disabling safety systems, changing equipment settings and more, attackers can cause life-threatening catastrophes, and the resulting widespread panic would compound the impact of such an attack.
As attackers become more sophisticated and begin to leverage artificial intelligence (AI) and other advanced techniques, their attacks will become more dangerous and, over time, harder for an organisation to anticipate and prevent. Governments looking to protect their critical infrastructure (CI) assets with a robust, comprehensive and strategic cybersecurity program should not delay.
As organisations move forward, the challenge of implementing an acceptable OT security strategy may seem overwhelming. It will require significant investment of both time and resources; however, with the right cybersecurity partners to identify the most pressing priorities, these organisations can improve their OT security approach and digitally transform while keeping the community safe.
To embrace digital transformation safely, governments need to choose a solution that converges networking and security, and provides the ability to analyse, orchestrate and automate OT security with purpose-built solutions that overcome these four challenges.