The UK and the EU take IT security seriously, and several government initiatives have made them global leaders in protecting the data and the privacy of their citizens. Unfortunately, these measures largely ignore the unique and serious risks to operational technology (OT) controlling industrial processes essential to the safety and well-being of millions.
The EU took two significant steps toward improving cybersecurity in 2016. Firstly, the directive on Network and Information Systems (NIS) security was implemented in the UK in 2018 with the regulation applying to operators of essential services, e.g., energy, water, transport, etc. Secondly, the introduction of General Data Protection Regulation (GDPR). The NIS directive recognizes the economic and societal damage that the disruption of IT systems can do. GDPR deals with the privacy and data of EU residents and holds companies responsible for safeguarding that data.
Since GDPR went into effect in 2018, more than 950 fines have been imposed on companies and governmental agencies for violations. The two most significant fines levied to date have been €50m against Google in 2020 and €746m against Amazon in 2021.
In December 2021, the UK released its National Cyber Strategy, setting out how “the UK will solidify its position as a global cyber power.” The strategy’s goals of strengthening the UK cyber ecosystem, developing critical cybersecurity skills and creating a robust public-private partnership could, of course, apply to industrial cybersecurity.
Increasing Connectedness Between OT and IT Systems
OT manages and controls physical assets and processes that underlie nations’ critical infrastructure. Organizations rely on these systems for everything from managing supply chains and production lines to operating heating, ventilation and air conditioning (HVAC) systems. Government-OT controls dams, waste treatment plants and even traffic lights. Originally designed as proprietary stand-alone systems, OT now is often IP-addressable and connected to traditional IT systems. This makes it possible for administrators to remotely manage systems and gather valuable data about processes. Unfortunately, it also exposes these systems to outside attacks and compromises.
The connection of OT with IT systems has been going on for 30 years. This networking makes it easier to manage physical systems efficiently, but little thought is being given to securing newly vulnerable OT. The IT departments that are traditionally responsible for cybersecurity are often not aware of the connections being made to industrial systems and do not understand the unique requirements and challenges presented by OT. Additionally, OT managers often are not versed in cybersecurity.
Ultimately, the greatest challenges to effectively securing these industrial systems are the people.
The IT / OT Cultural Divide
IT and OT teams have grown up separately and work in different worlds with different priorities. According to a Ponemon Institute research report on The State of Industrial Cybersecurity, only about a third of organizations studied said their IT and OT teams have a unified security strategy. “The cultural divide between IT and OT teams affects the ability to secure both the IT and the OT environment,” the study concluded.
This disconnect is not surprising. IT and OT systems evolved with different missions, and critical differences remain in how the two types of technology are managed.
OT’s emphasis on physical operations prioritizes production availability and physical safety. Crucially, threats to OT can pose significant risks to business operations and human health and safety. The physical security requirements of OT often conflict with traditional IT cybersecurity. Availability is critical for OT, and downtime is seen as “the enemy.” As a result, OT is not updated regularly, and unsupported legacy systems with known security vulnerabilities continue to perform critical functions.
Creating a Sense of Urgency
Although a comprehensive solution for OT security will be a long-term process, the need for immediate action is urgent. The EU’s 2021 assessment of the cyberthreat landscape concludes that state-backed adversaries will continue to expand their cyber capabilities against critical infrastructure and operational systems. Additionally, hackers-for-hire, working for both states and private actors, are offering their services against operational and industrial controls.
Immediate steps toward improving industrial cybersecurity include understanding exactly what OT exists across an enterprise, its functions and the connections that exist between it and other IT systems. Security requirements can then be identified and plans made to implement them.
This cannot be done all at once. Yet, doing what is possible now rather than waiting for a crisis will help protect each organization, its employees and the community.