Debunking the myths around OT security in Asia Pacific

For many businesses, cyber security has always been seen as the responsibility of IT teams, but they may lack the oversight and knowledge to manage the Operational Technology (OT) network.

The increased connectivity of IT and Operational Technology (OT) networks has made organisations more vulnerable to cyber threats, which could cripple operations and supply chains. With such attacks likely to increase in frequency and severity, the need to secure critical infrastructure such as factories, power stations and transportation networks has magnified.

Why should organisations be concerned about OT cyber security and how can they overcome the challenges of securing their networks? iTnews Asia speaks to Richard Farrell, Asia Pacific Director of Digitalization, Cloud and Data Centres segment, Eaton, to find out how companies can best develop a resilient OT cyber security strategy.

iTnews Asia: Why should we be concerned about OT cyber security?

Statistics on the rise of OT cyber security attacks are simply staggering. Data collected by IBM found that malicious activity targeting OT networks surged 2,000% between 2019 and 2018, while ICS-related vulnerabilities discovered in 2020 saw a year-on-year increase of 49%.

OT cyber attacks can have far-reaching implications on people, businesses and the environment. While IT network breaches focus mainly on data theft, OT attacks target IT networks through an unsecured OT “back-door”, or disrupt critical services to cause operational disruptions, financial loss and even physical harm.

Examples include the 2015 Ukraine power grid attacks where the electricity was literally shut off due to a malicious attack during winter, and the recent Colonial Pipeline attacks in the US where the actual flow of gas was slowed down enough to affect the entire country’s supply and distribution to gas stations. These are heinous acts which can become life and death situations.

At the same time, IDC predicts that by 2025, there will be 55.7 billion connected devices in the world and the vast majority of these devices (75%) will be connected to an IoT platform. With the continued adoption of sensors, machine learning and analytics in industrial environments, the OT and industrial control system (ICS) networks will only become increasingly exposed to cyber security threats.

When you put these trends together, there is a very real concern around the state of OT networks and how secure they really are.

iTnews Asia: What do you see as common OT cyber security misconceptions in this region?

Many business leaders tend to have the assumption that cyber security breaches remain largely in the realm of information technology. At the fundamental level, this has resulted in the misconception that bad actors only go after data and OT networks are safe from cyber attacks. But with the rise of industrial IoT, this is no longer the case.

As tech entrepreneur, author and Blockchain expert Andreas Antonopoulos says: “There are two types of people and organisations in the world – those who have been hacked, and those who will be hacked.” With the rapid expansion of digital transformation, the more we put into the digital world, then the more chance this information can be unethically and illegally accessed by unauthorised individuals and groups.

Organisations may also think that the implications of an OT cyber security breach are negligible because they only monitor devices and processes on their networks. But what matters is how attackers can exploit your networks to access, damage and disrupt other more valuable parts of your facility.

iTnews Asia: What are the challenges faced by organisations in securing their infrastructure and how to develop a resilient OT cyber security strategy? 

Awareness is the biggest challenge for organisations securing and developing a resilient OT cyber security strategy right now. Business and facilities leaders have long been lulled into a false sense of confidence by solutions such as firewalls, VPNs and IT server patches. However, such defences only cover IT networks and leave increasingly connected OT networks exposed.

Businesses’ cyber security defences are only as strong as their weakest link. OT networks – consisting of ICS devices, heating, ventilation, air conditioning (HVAC) systems for buildings, generators and uninterruptible power supplies – need to be included in any cyber security strategy and organisation risk-mitigation plans.

Changing organisational culture towards cyber security is another challenge for many businesses. Too often, businesses relegate cyber security responsibilities to the IT department and facilities teams are either not involved or operating in isolation. However, managing high voltage OT and ICS effectively and safely requires electrical and mechanical engineering expertise that does not typically lie in IT staff’s domain.

The fact of the matter is that OT cyber security is the responsibility of everyone at the facility. A robust cyber security program requires coordination between the operations and IT departments to stand against evolving cyber threats. Businesses need to shift from an “us versus them” mentality to a collaborative approach. Otherwise, they will be inviting hackers in, not due to the lack of technical due diligence, but due to operational silos.

Cyber security needs to be taken as seriously as reporting dividends back to shareholders and even the changes we’re seeing in the inclusion and diversity initiatives most organisations are trying to implement. It needs to be on the agenda of every board meeting, right down to the agenda of every team meeting. This enables it to be woven into the very being of the organisation, where everyone is responsible.

From an ownership perspective, organisations definitely need someone at the C-level to be accountable and ensure that their cyber security strategy encompasses every aspect of the business.

iTnews Asia: What industries are particularly vulnerable to lapses in OT cyber security and what measures can these industries take to circumvent potential attacks?

Every single industry is at risk of lapses in OT cyber security. Hackers don’t discriminate. If there is an opportunity, it will be exploited.

Having said that, industries with large building and facilities infrastructure would have greater exposure to OT cyber attacks. OT, by definition, involves the monitoring and control of industrial equipment, assets, processes and events; so, sectors like manufacturing, utilities and large commercial premises like data centres are very much at risk.

Mitigating potential attacks on OT networks begins with two key starting points - one technical and the other cultural.

On the technical front, organisations should start with a professional assessment and audit of their OT infrastructure to gain a complete understanding of their strengths, weaknesses and areas for improvement. This is when you engage a qualified cyber security professional from a reputable organisation who understands not just IT but facilities infrastructure to provide a comprehensive report on any OT cyber security threats and a corrective remediation strategy.

Businesses should also establish a collaborative culture around cyber security. From an organisational standpoint, it may mean appointing a cyber security leader who leads a team that looks at cyber security holistically across IT and OT. 

Finally, organisations shouldn’t wait for a cyber security incident to occur before they act. Taking the advice of ancient Chinese general Sun Tzu, businesses can only “be sure of defence, by defending the unattacked”.
