How to securely manage the future of OT

Ashraf Yehia, Managing Director, Eaton Middle East, shares his tips to securely manage the future of Operational Technology (OT).

It’s likely that digitalisation is starting to feel, for many people, like an old story. For over a decade, businesses have been seeking to improve how they run through the concept of digital transformation: applying the flexibility, responsiveness, and efficiency of software to optimize and modernize processes, and displace older ways of working. It’s a conversation that has to keep going, however, because the horizons of digitalisation continue expanding – and we’re now seeing the start of the significant wave of change it will bring to Operational Technology (OT), in the form of Industry 4.0.

As it does, there will be a convergence of traditional IT and OT and we might expect to see something of a culture clash emerge between IT and OT professionals. With the move towards digitalisation, IT has developed a mindset which prioritises achieving agility by finding new ways to protect and use data. In OT, meanwhile, availability, continuity, and reliability are paramount: for critical physical processes, even brief periods of downtime can have costly (and potentially dangerous) consequences. To find solutions which speak simultaneously to agility and reliability will be a significant challenge.

While it can certainly be done, the question of achieving that combination puts me in mind of airplane design. While stability and reliability would seem on the surface to be the clear priority for aviation, engineers have long looked to exploit situations where the opposite can be a positive trait. More stable flight might be safer flight, but it also means that the plane has to work against that stability in order to turn – a real problem, especially, for combat aircraft.

Cyber threats in physical space
As Industry 4.0 creates an increasing convergence between IT and OT, professionals on both sides will likewise need to develop new ways of understanding one another together with new understandings of the system as a whole if they want to achieve a similar best-of-both-worlds approach to agility and stability. IT and OT have one thing in common, and that’s data.

One of the biggest challenges on the way to that future will be the question of security. The interlinking of IT and OT systems is driven by a desire to interact with OT in a data-led way, just as we interact with many other systems. Doing so brings the benefits of software to OT – speed, agility, remote management – and entails bringing new networking and processing capabilities to the edge of businesses’ operations.
It also, however, means that the risks associated with software will be introduced to OT contexts. Here, the key lesson of the X-29 might be that benefits come with consequences, and everyone in the industry needs to be aware from day one that this digitalisation will create new and larger risks. Without careful consideration and management, cyberattacks on production lines, building infrastructure, power and transport networks, and water treatment facilities are inevitable.

There are several powerful real-world examples of OT being used in cyberattacks. As long ago as 2013, a high-profile breach in the US retailer Target was performed via a compromised remote access to a HVAC system, and raised concerns of supply chain cybersecurity of OT (in this case HVAC) vendors. Just this year, we saw major attacks involving compromised remote access to several OT systems in manufacturing and water utilities (e.g. Oldsmar, Florida in the U.S.). There have also been additional IT facing attacks (e.g. ransomware) that, led to the shutdown of gasoline pipelines and subsequent fuel shortages in the eastern U.S. Since the Stuxnet attack, the first major attack to target on Industrial Control System (ICS) equipment, attacks on non IT systems have evolved.

As these examples show, IT and OT are already deeply dependent on one another, regardless of the extent to which professionals working in those areas recognise it. As the two infrastructures converge further, the scope for such attacks will grow. A new vision for cyber resiliency is needed, then: one which works across the physical and the virtual, and across the needs for stability and agility.

People, process, technology
For a technological problem like this, we often reach first of all for a technological solution. Indeed, tools and systems are now available which offer the types of cybersecurity we are familiar with, such as firewalls and monitoring solutions, for OT systems. The technology alone is not adequate. The technology effectively provides a set of tools that need to be correctly applied and utilized by trained people and used within cybersecurity aware processes.

This is why OT cybersecurity should not, rely on the technology alone. Applying technology to solve OT problems will be a learning process as teams which historically see themselves as quite distinct develop a way of working much more closely with one another. Step one in this new cyber resiliency, therefore, will be about people. Specific training will be needed which operates across staff groups in order to put a common language and best practice methodology in place for discussing these new threats and solutions.

Step two will require carefully examining what changes to process may be required. Systems of management, monitoring, and oversight will likely be quite distinct between OT and IT – gathering different data, observing different metrics, and following different response and recovery plans. Experience shows that organisational action on cyberattacks needs to be cohesive in order to be effective, and that demands collective planning. This also needs to extend to partners and subcontractors: unified log-in procedures, access management standards, and other organisational practices are essential.

It’s on these foundations that technology constitutes an effective step three. Throughout an industrial digitalisation initiative, it is important to audit the connected device architecture, understanding in detail what will be joining the organisation’s network and re-checking that the reality of the situation matches expectations. With a clear picture of the new infrastructure, appropriate authorisation and boundary defences can be implemented. This equipment should also be sourced from vendors which integrate security standards specific to your area of operation, such as IEC 62443 for industrial control systems.

Ultimately, agility and stability will be integrated in different ways in different organisations – but the connections formed by this integration will always require a holistic view of the attack surface. With careful management, Industry 4.0 will be an era of greater security, as well as greater flexibility.