Once upon a time Operational Technology (OT) was just about safety and reliability. We had to know that our systems would operate long-term with minimal intervention and with zero chance that a malfunction would cause a hazard to life or property.
There are now people out there who don’t merely want to penetrate and play with our systems, for fun or to make money. They want instead to cripple OT systems in such a way that they cause explosions, fires or catastrophic environmental impact – all to further a political agenda and as part of a strategy of hybrid warfare.
In other words, we are no longer just talking about accidents. We’re in a situation where hackers are quite deliberately and cold-bloodedly planning to cause massive harm.
Luckily, we have not (yet) seen an attack lead to such a devastating outcome. But recent evidence from the power-generation and oil and gas sectors shows all too clearly which way the trend is headed. It’s probably only a matter of time…
All of this makes it urgent that OT and IT security – traditionally two separate disciplines with different priorities – come together to share risk management best practice, and to work together to apply it across their functions.
The challenge is about the management of complex, evolving risks, and this needs a change in mindset. We must think not just of safety and reliability, but also of what a hacker would go after in our OT estate if they wanted to cause massive damage and disruption.
A first step is to carry out a detailed inventory of what is deployed in that estate, followed by a thorough examination of the five traditional areas of technology security vulnerability: the devices, their software and apps, the networks used to communicate between the devices, the system controllers and routers, and the databases used to store information produced by the devices.
Compiling this inventory is likely to be time-consuming but it is essential. And it is almost certainly going to throw up an uncomfortable fact: that the company’s security department has little idea of what cyber assets are in use. It goes without saying that if you do not know what is in your estate, then you cannot adequately identify its critical vulnerabilities and mitigate them – let alone give management an accurate picture of the company’s risk exposure.
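The inventory reconciliation the two paragraphs above call for, as an added example that is not part of the original article: it compares a register of assets grouped into the five areas against what was actually observed on the plant network and flags assets that are unknown, missing or mis-recorded, plus any of the five areas nobody has registered anything under. All identifiers, zones and owners are constructed sample data, and the category names are the author's grouping rendered as strings (an assumption of this example).

```python
"""Reconcile a registered OT asset inventory against what is actually observed.

Added example, not code from the original article. All asset identifiers,
zones and owners below are constructed sample data. The five asset
categories mirror the article's five areas of vulnerability.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The article's five areas: devices, software/apps, networks,
# controllers/routers, databases.
CATEGORIES = frozenset({"device", "software", "network", "controller", "database"})


@dataclass(frozen=True)
class Asset:
    asset_id: str
    category: str
    owner: str      # team accountable for patching and risk acceptance
    location: str   # plant zone; a later segmentation review depends on this

    def __post_init__(self) -> None:
        # Reject records outside the five areas so a gap in the examination
        # cannot hide behind a free-text category.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.asset_id}: unknown category {self.category!r}")


# Constructed: what the security department believes is deployed.
REGISTERED: List[Asset] = [
    Asset("PLC-01", "controller", "process-eng", "zone-a"),
    Asset("HMI-01", "device", "process-eng", "zone-a"),
    Asset("EWS-01", "device", "process-eng", "zone-b"),
    Asset("HIST-DB", "database", "it-data", "dmz"),
    Asset("SW-OT-CORE", "network", "ot-network", "zone-a"),
]

# Constructed: what a passive network listener and a site walk-down found,
# as (asset_id, category, location).
OBSERVED: List[Tuple[str, str, str]] = [
    ("PLC-01", "controller", "zone-a"),
    ("HMI-01", "device", "zone-a"),
    ("EWS-01", "device", "zone-a"),      # registered in zone-b
    ("HIST-DB", "database", "dmz"),
    ("RTU-07", "controller", "zone-a"),  # nobody registered this
]


def reconcile(registered: List[Asset],
              observed: List[Tuple[str, str, str]]) -> Dict[str, list]:
    """Compare the register with observation.

    unknown  - observed but absent from the register (unmanaged exposure)
    missing  - registered but not observed (stale record or hidden asset)
    mismatch - registered, but category or location disagree, returned as
               (asset_id, registered_location, observed_location)
    """
    by_id = {a.asset_id: a for a in registered}
    seen = set()
    unknown: List[str] = []
    mismatch: List[Tuple[str, str, str]] = []
    for asset_id, category, location in observed:
        seen.add(asset_id)
        record = by_id.get(asset_id)
        if record is None:
            unknown.append(asset_id)
        elif record.category != category or record.location != location:
            mismatch.append((asset_id, record.location, location))
    missing = sorted(set(by_id) - seen)
    return {"unknown": sorted(unknown), "missing": missing, "mismatch": mismatch}


def uncovered_categories(registered: List[Asset]) -> List[str]:
    """Areas of the five with no registered asset at all: either the estate
    truly has none, or that area was never examined."""
    return sorted(CATEGORIES - {a.category for a in registered})


def coverage_report(registered: List[Asset],
                    observed: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Figures suitable for a management risk summary."""
    result = reconcile(registered, observed)
    return {
        "registered": len(registered),
        "observed": len(observed),
        "unknown": len(result["unknown"]),
        "missing": len(result["missing"]),
        "mismatch": len(result["mismatch"]),
        "uncovered_areas": len(uncovered_categories(registered)),
    }


if __name__ == "__main__":
    for key, value in reconcile(REGISTERED, OBSERVED).items():
        print(f"{key:9s} {value}")
    print("uncovered", uncovered_categories(REGISTERED))
    print(coverage_report(REGISTERED, OBSERVED))
```

With the sample data the register misses an unregistered controller (RTU-07), carries a stale network switch record, has an engineering workstation recorded in the wrong zone, and has never captured the software area at all; each of those is exactly the kind of uncomfortable fact the text warns the inventory will surface, and each maps to a different follow-up (register and assess, retire the record, re-check segmentation, examine the area).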
Your thorough review, combined with a study of recent incidents, will also quickly demonstrate another reality: too many facilities rely on ineffective OT security measures, believing that they can rely on air gaps – or, more probably, believing that their systems are too deeply buried in their infrastructures to be at risk.
These are no defence against state actors, who have the time, money and resources to study a target system in detail and to identify its vulnerabilities.
The deployment of the malware “Triton” in 2017 shows the point neatly. Attackers were able to achieve remote access to an engineering workstation via a Microsoft Windows OS, using Triton to re-programme its safety backup computers to ensure that they would not respond to a critical incident.
This is the point at which close collaboration across all security functions is essential. The deployment of malware will likely go hand in hand with the use of stolen user credentials. This means that even a thorough campaign to eradicate the malware from the systems will fail if the hackers still have the credentials that allow them back inside again. Educating the workforce at all levels to a high degree of security awareness is crucial.
You must also ensure that your crisis management plans – traditionally developed to handle accidents – take full account of an appropriate response to a malicious attack.
Looking outside your company, I think that it is essential to have a close liaison with those parts of government responsible for the security of your area of the national critical infrastructure. They will have an overview of the threats you face and of successful means of mitigating them.
The same applies to industry bodies representing the interests of your sector. Meetings of security professionals will provide a safe space where you can share experiences and best practices. In this world where safety and security are so closely intertwined, there is no commercial advantage in holding back information that might have prevented death or serious injury in a competitor’s operation.
It’s unfortunately true that a determined state-sponsored attack may well succeed. What remains crucial is that all elements of security work together to minimise that risk and to ensure that they are fully prepared to deal with a catastrophic event.
Richard Knowlton, Strategic Adviser, AXELOS RESILIA (a joint venture between Capita and the Cabinet Office) and Chairman of Richard Knowlton Associates (RKA)
This article was published as part of techUK's 'Cyber Campaign Week'.