Can OT escape the IoT takeover?
Historically, operational technology (OT) has held an air of separation from the rest of the technology arena and was perceived differently from the rest of the technology within an organization and never considered part of the CIO or CISO’s remit. However, as technology advances continue and the world becomes ever more hyper-connected, will OT finally lose its distinctiveness and become like every other aspect of organizational technology?
Many other parts of technology have been consumerised and succumbed to integration within wider business technology management, and indications currently are that OT will be the next in an extensive list of solutions to undergo momentous change.
These changes have occurred within data centres and mobile telephony through the advent of cloud to create disruption which was previously unseen. Much like the sentiment around Blackberry dominating the corporate mobile phone market during the 2000s, until the advent of consumerised mobile telephony bursting onto the scene through the iPhone during the late 2000s, are we about to see the world of OT taken over by cloud technology and simply becoming part of the larger Internet of Things (IoT) ecosystem?
For over 40 years OT was viewed as a segregated element of technology. It did not endure the same operating controls, nor did it face the same risks or security concerns as traditional IT. It was believed to be air-gapped and not susceptible to cybersecurity risks and the biggest concerns remain operational safety, availability, and integrity of operations.
This started to change during the early 2010s with the onset of digital transformation and the emergence of mass-scale cloud computing. Previously isolated OT systems were now being network connected, often without the knowledge of network administrators or cybersecurity teams. Back doors into the OT systems left by Original Equipment Manufacturers (OEMs) to enable ease of service maintenance were discovered and more integrated technology systems were deployed.
However, it was not until 2017 that the true situation about OT and its inherent cybersecurity risks were realised. Whilst there had been previous targeted OT cyberattacks such as Stuxnet and Shamoon, the NotPetya cyberattacks brought widespread and significant financial impact to many organizations OT landscapes. Maersk, Merck, Mondelez, and Reckitt Benckiser each reported financial impacts more than £100m, while many analysts indicated the true impact to be significantly more and widespread. Whilst the impacts on NotPetya were collateral damage, the ripple effects organizations saw firsthand was the significant impact on OT…and all of this was well before the continued advancement of cloud computing extended into the world of OT.
As Industry 4.0 has continued, and the IoT flourished through an ever-increasing volume of sensors and devices, the separation between IT and OT has become ever thinner with the arrival of the Industrial Internet of Things (IIoT). Further advances in technology evolved throughout the COVID years to the point where previous OT devices that had been physical in nature are now veering towards a state of convergence and cloud connectivity by design. Indeed, COVID restrictions accelerated the need for such connectivity to allow critical business operations to continue whilst safeguarding employee health and safety through lock-down periods, as it allowed remote maintenance and monitoring of systems and critical operating environments.
Whilst it is inevitable that technologically benefits are being realised through this state of convergence, it has rightly given rise to increased cybersecurity concerns. There is fear that an already outdated and “vulnerable” infrastructure will become even more vulnerable as CISOs struggle to implement the risk mitigation controls necessary to protect business operations.
A key question to therefore ask is should organizations look to stop this transition? Would a full-scale transition to cloud management of OT through extension to IoT enable a more stable approach? This environment could then utilize the benefits of cybersecurity built into the hyperscale IoT model by design.
What is inevitable is that as the EU NIS2 Directive, and other similar cybersecurity instruments of compliance are published by governments and regulators alike, a greater focus will be placed on achieving cyber-resilience of OT environments. Whilst traditionalists may see the benefit in continued isolation of OT from wider corporate networks and infrastructure, the reality of this being achievable continues to reduce over time.
Technologists and cybersecurity professionals require a decision alike – embrace the change and transition the management of OT to a converged and connected environment managed fully as IOT, or look to continue to sustain a legacy mindset of segregation and airgaps only to realise that this is impossible.
Upcoming Cyber Security events
Cyber Security updates
Sign-up to get the latest updates and opportunities from our Cyber Security programme.
Authors
Mark Brown
Brown has over 30 years of experience in cybersecurity, data privacy, and business resilience consultancy. He has previously held roles at Wipro Ltd. and Ernst & Young, among others. His wealth of knowledge includes extensive proficiency on the internet of things (IoT) and the expanding cybersecurity marketplace, always focusing on cybersecurity’s strategic enablement and risk protection elements.