Guest Blog: IT and OT security need to get it together

Once upon a time Operational Technology (OT) was just about safety and reliability. We had to know that our systems would operate long-term with minimal intervention and with zero chance that a malfunction would cause a hazard to life or property.

What’s changed?

There are now people out there who don’t merely want to penetrate and play with our systems, for fun or to make money. They want instead to cripple OT systems in such a way that they cause explosions, fires or catastrophic environmental impact – all to further a political agenda and as part of a strategy of hybrid-warfare.

In other words, we are no longer just talking about accidents. We’re in a situation where hackers are quite deliberately and cold-bloodedly planning to cause massive harm.

Luckily, we have not (yet) seen an attack lead to such a devastating outcome. But recent evidence from the power-generation and oil and gas sectors shows all too clearly which way the trend is headed. It’s probably only a matter of time…

All of this makes it urgent that OT and IT security – traditionally two separate disciplines with different priorities – come together to share risk management best practice, and to work together to apply it across their functions.

The challenge is about the management of complex, evolving risks, and this needs a change in mindset. We must think not just of safety and reliability, but also of what a hacker would go after in our OT estate if they wanted to cause massive damage and disruption.

A first step is to carry out a detailed inventory of what is deployed in that estate, followed by a thorough examination of the five traditional areas of technology security vulnerability: the devices, their software and apps, the networks used to communicate between the devices, the system controllers and routers, and the databases used to store information produced by the devices.

Compiling this inventory is likely to be time-consuming but it is essential. And it is almost certainly going to throw up an uncomfortable fact: that the company’s security department has little idea of what cyber assets are in use. It goes without saying that if you do not know what is in your estate, then you cannot adequately identify its critical vulnerabilities and mitigate them – let alone give management an accurate picture of the company’s risk exposure.

Your thorough review, combined with a study of recent incidents, will also quickly demonstrate another reality: too many facilities depend on ineffective OT security measures, believing that they can rely on air-gaps – or, more probably, believing that their systems are too deeply buried in their infrastructures to be at risk.

These are no defence against state actors, who have the time, money and resources to study a target system in detail and to identify its vulnerabilities.

The deployment of the malware “Triton” in 2017 shows the point neatly. Attackers were able to achieve remote access to an engineering workstation via a Microsoft Windows OS, using Triton to re-programme its safety back-up computers to ensure that they would not respond to a critical incident.

This is the point at which close collaboration across all security functions is essential. The deployment of malware will likely go hand-in-hand with the use of stolen user credentials. This means that even a thorough campaign to eradicate the malware from the systems will fail if the hackers still have the credentials to let them back inside again. Educating the workforce at all levels to a high degree of security awareness is crucial.

You must also ensure that your crisis management plans – traditionally developed to handle accidents – take full account of an appropriate response to a malicious attack.

Looking outside your company, I think that it is essential to have a close liaison with those parts of government responsible for the security of your area of the national critical infrastructure. They will have an overview of the threats you face and of successful means of mitigating them.

The same applies to industry bodies representing the interests of your sector. Meetings of security professionals will provide a safe space where you can share experiences and best practices. In this world where safety and security are so closely intertwined, there is no commercial advantage in holding back information that might have prevented death or serious injury in a competitor’s operation.

It’s unfortunately true that a determined state-sponsored attack may well succeed. What remains crucial is that all elements of security work together to minimise that risk and to ensure that they are fully prepared to deal with a catastrophic event.

Richard Knowlton, Strategic Adviser, AXELOS RESILIA (a joint venture between Capita and the Cabinet Office) and Chairman of Richard Knowlton Associates (RKA)
