Is OT really converging with IT, and what’s industrial cyber risk?
It is true that Operational Technologies (OT) are becoming more interconnected, smarter and internet-enabled allowing for the continuous monitoring and improvement of industrial operations. OT is fundamentally created to be efficient and effective in different cases than the more general Information Technologies (IT).
The IT world is fairly rapid and dynamic. If you think of an enterprise IT network; you might see thousands of PCs, mobile devices, printers, scanners, networking equipment and goodness knows what else. IT devices are replaced fairly regularly – those of us who work in tech, will often see our devices get sluggish after a couple of years, if not earlier. These devices all appear and disappear from an IT network; all sending their own data across the network to each other in one big complex system.
The OT world in comparison is predictable and slow to change. Devices are installed and are in place for the long term, for at least 10 years and in many cases for over 20 years. When these devices become faulty, the industrial approach is to replace the device like-for-like, meaning that OT engineers are often eagerly looking out for less-faulty second-hand OT equipment on eBay and the like. New devices are rare, and data flow across the network is very predictable in comparison to an IT network.
IT has, for a long time, had a small place in OT. Windows machines from 3.1 onwards have been placed in OT networks for the purpose of supervising (e.g. a Supervisory PC), operational logging (e.g. on a Historian), or newer Human-Machine Interfaces (HMI). Ethernet-based networks have also slowly started to replace serial connections (although they’ve not been replaced completely).
OT networks have typically had a level of “air gapping.” That is to say that there is no connectivity into other networks. It is true that this air gapping is becoming lesser as there is a push towards Industry 4.0 in particular, but there is still significant resistance despite the benefits due to the high level of operational risk involved.
We have the concept of cyber maturity, which I like to define as an organisations understanding and adoption of policies, procedures, and technologies within the general concepts of information security, data privacy etc. This is very well established within the IT world.
In the OT world there is still the concept of cyber maturity, but, as it stands, it is much more binary – OT environments essentially either have it (the minority), or they don’t (the vast majority). The minority of industrial organisations that have maturity are those with OT devices which are very new and are configured to look a lot like an IT network.
The risk is real. You only need to look at examples in the media, such as the cyber attack on the Oldsmar Water Company in February 2021, it was a very simple cyber attack, discovered by luck and thankfully solved relatively quickly by hand. Other examples include attacks on Honda, the Ukrainian electricity grid, and the most well known one being Stuxnet which hit the Natanz (Iran) nuclear enrichment facility in 2010. In fact, Bridewell Consulting commissioned the “CNI Cyber Report: Risk and Resilience” which found that 86% of critical national infrastructure organisations have detected and experienced OT cyber attacks during 2020. That’s a hefty percentage which cannot go ignored!
Learn from one another
IT, cyber security, and OT are all very different professions, albeit related. We have an opportunity here to share our knowledge, and most importantly listen to each other. We all want technology which is operationally functional, easy to use, safe, and secure. Here are some questions which I think we could discuss:
Is ISO 27001 applicable to OT?
How can we achieve the highest standards as defined by IEC 62443?
Industrial cyber attacks can cross the barrier into the physical, so is there a health and safety argument to be had in favour of cyber security?
What are the things which are most relevant in OT Cyber Security? And what really should not be borrowed from IT?
Are you ready to discuss?
Who is Awen Collective?
Awen Collective, a member of techUK, has the mission to make society safer by increasing the cyber resiliency and decreasing the cyber risks within the critical national infrastructure and manufacturing organisations on which we rely every day. Awen does this by developing software products from the ground-up, here in the UK, which are built for Operational Technologies (OT) and have engineering processes in mind. Awen’s products enable industrial organisations to take their first steps towards achieving cyber maturity.
Daniel is the CEO & Founder of Awen Collective. Before founding Awen in 2017 he was Senior Research Fellow in cyber security and digital forensics at the University of South Wales, did his PhD research at the University of Bristol in data mining on physical security events, and has a professional background in data science consultancy and software engineering. Awen is an active member of techUK, and Daniel sits on the techUK Smart Cities Working Group.