Back in 2011, GE coined the phrase “the Industrial Internet”. They were referring to how the gap between the operational technology (OT) that controls our critical infrastructure facilities and traditional enterprise information technology (IT) is closing. In the quest for smarter enterprise data, we are connecting our OT to our IT. Smart as that may seem, there can be unintended consequences – rather than a controlled ‘coming together’, it can be more of a fatal collision if the associated risks are ignored.
Seven years on, OT and IT are becoming more and more connected every day. Yet, there seems to be a level of denial that such connectivity exists. This can mean that critical cyber security controls are being ignored – a dangerous place to be.
This blog discusses the risk implications of OT’s potential exposure to cyber threats and the need for OT and IT experts to come together with security to understand and tackle such risks. It looks at the cyber security challenges in established industrial sites and suggests a security approach for new builds.
But first, let’s just examine the difference between OT and IT, if indeed there is one.
OT and IT – a little context
Traditionally, just as it has been reasonably straightforward to keep OT and IT physically and logically separate, it has been equally straightforward to define OT and IT separately.
Generally, there is a common theme that definitions of OT are specific and direct, whereas definitions of IT are abstract and all-encompassing.
Using Gartner’s well-established definitions, OT is specifically about “hardware and software that monitors/controls physical devices, processes and events”. Like most OT definitions, the words ‘information’ or ‘data’ do not feature.
Gartner then states that IT is: “The common term for the entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services…” but caveats this with “…In general, IT does not include embedded technologies that do not generate data for enterprise use”.
Even if the difference between IT and OT is clear (we are not sure it is, or that it really matters!), once OT and IT are interconnected, the risk boundaries are blurred – IT vulnerabilities can quickly become OT ones and vice versa. Acknowledging the convergence and managing the risks to avoid an uncontrolled collision is what really matters.
The cyber threat to our critical infrastructure
Managing the risks to OT systems has traditionally been readily achievable using layers of physical security controls. But there is little point in physical fences, gates, guards, alarm systems and CCTV when IT-enabled connectivity – promising enterprise-enriching rewards – could make systems accessible from well outside the physical perimeter and potentially via the internet.
When threats can operate outside of the physical controls of a closed OT system, the implications for our critical infrastructure are potentially significant. Hacking into an industrial plant and/or machines could result in impacts such as shutdown and loss of supply, not to mention the risk to employees’ physical safety. Imagine the havoc of losing control of a power station or electricity grid if a malicious attacker gains access via the Internet.
Sensitive OT system data could also be vulnerable to cyber threats. If such data is exposed by power stations, utilities and manufacturing plants, it would certainly provide valuable intelligence to competitors and hostile adversaries.
In April 2018, Power Engineering International reported that the National Cyber Security Centre’s (NCSC) has advised British critical infrastructure operators on how to respond to the threat. Their advice was to look carefully at devices with legacy unencrypted protocols or unauthenticated services, devices that had not been sufficiently ‘hardened’ before installation, and devices no longer supported with security patches by manufacturers or vendors.
So, let’s acknowledge the existence of GE’s Industrial Internet and work together to define and manage the new era risks. If we don’t do this, the impacts to businesses and the national interests could be catastrophic.
The cyber threat in numbers
In 2017, GE published an infographic showing the impact of cyber-attacks on critical infrastructure. Although some of the data came from 2014 research, the situation is unlikely to have improved, as supported by very recent news stories about ongoing cyber-attacks against critical infrastructure targets.
- 67% of companies with critical infrastructure suffered at least one attack in the past 12 months.
- 91% of power generation organisations have experienced a cyber-attack.
- 38% of reported attacks were against power and water suppliers.
- 66% of organisations were not ready to address security issues for OT.
- 61% of oil and gas suppliers believed it unlikely they would be able to detect a sophisticated attack.
- Only 40% of oil and gas respondents had a disaster incident response plan in place.
In addition, a recent Honeywell-sponsored survey by LNS Research of 130 decision makers from industrial companies revealed that only 37% are monitoring their plant systems for suspicious behaviour and 20% are not conducting regular risk assessments. The survey also found that 53% said they had already experienced a cyber security breach.
In the face of an indiscriminate enemy – and let’s face it, threat actors are not generally concerned about the definition or difference between OT and IT – we need to work together to minimize the risk of a security compromise; this is not without its challenges though.
Facing the technical challenges
Unlike security hardened IT systems that have up-to-date operating systems and well established security controls, many OT systems, often by necessity, run on dated, often unsupported operating systems which could be extremely vulnerable in this Industrial Internet era. Legacy OT systems often have limited computing capabilities and would struggle to run even basic anti-virus software. They may also use hard-coded passwords that are easy to crack and, as they were not designed with the security risks of connectivity in mind, they typically have no means of authenticating commands received.
Additionally, OT systems that support requirements for 100% availability of a service could be hugely impacted. Requirements to implement and manage improved security controls (system patches and updates for example) could need planned or even lead to unexpected downtime. Perhaps worse, cyber-threats in an IT/OT connected environment could bring services down deliberately. The reputational, financial and perhaps even safety-to-life impacts of downtime in critical infrastructure services alone would likely be catastrophic.
OT and IT experts need to work together
It’s not just acknowledging and managing the security risks of the convergence and connectivity between OT and IT, it is also about OT and IT expertise coming together. Cyber security risks are often better understood and more intuitively managed by IT professionals, but this hasn’t happened overnight, and IT security is a specialist discipline in its own right. OT professionals have traditionally been able to rely on physical security layers alone to protect their technologies and are often understandably more focused on safety controls. Connectivity between OT and IT requires overlap between both disciplines to ensure that security risks are identified and managed appropriately.
The problem with organisational change is that what looks logical on paper is often far more complex to implement. Change requires investment, compromise, cultural adjustment, collaboration, and not the least, agreement. It’s easy to see why it’s so often put off – again, just what the threat actors want.
In an interview with Defence IQ magazine in December 2015, David Willacy, strategy and planning manager at National Grid described the need for a “CIA mentality”. The OT and IT departments he said, need to have an overlap of Cooperation, Integration and Alignment: “We need IT skills within the operational field, and we need the operational skills and knowledge within IT security – and that relationship needs to be created now.”
One of the biggest challenges is structural. OT tends to be based within a network of physical assets – utilities, manufacturing sites and so on – while IT is typically a more central function within a corporate HQ. Accordingly, responsibility for security whether as a distinct function or as an initiative, needs to bridge this gap.
A starting point for addressing both the technical and IT/OT expertise challenges is a security risk assessment of all (OT and IT) interconnected critical information systems. This will lead you to know what the threats are, to manage security vulnerabilities and to understand the impact to your organisation if a cyber-attack is successful. Engaging both OT and IT expertise in the security risk assessment process will help to both educate and build bridges between what have traditionally been two very separate disciplines. Working collaboratively will also enable the benefits of safety processes to be realised as part of security approaches.
New builds present a good security opportunity…..
It’s always a challenge and inevitably costlier to implement security controls and requirements retrospectively. However, it is often the reality for security professionals as security requirements were often not properly identified as part of the design of legacy systems. To be at its most effective, security needs to be designed and built in to systems using a ‘cradle to grave’ approach.
Cyber Security (CS) and Information Assurance (IA) still faces challenges, but is now a well-established, well-understood requirement generally.
Designed around the principles of Total Quality Management and structured software engineering, IA Inside from Ascentor works on the premise that defects found early in the process are easier and quicker to fix, and therefore cheaper to fix, than those found later.
So how might this work for a new build?
Through security risk assessments, security requirements are identified early and embedded in the specification which lays the foundation for a ‘cradle to grave’ approach to CS and IA. Once CS and IA requirements have been identified, they can be given focus and weight during the procurement phase and suppliers will be accountable for delivering on a more formal contractual basis.
In our new build dealings so far, Ascentor has found that the cyber threat is not being considered early enough. If this does not change, the OT-IT issues identified in this blog will only be replicated and not dealt with. This could leave new build initiatives, such as the UK’s brand new nuclear facilities, perhaps more vulnerable to cyber threats than ever before.
Different OT and IT definitions do not really matter when both are converged by connectivity. They are both ‘technologies’ that also rely on people and processes.
Executive boards, senior OT and IT management and CS and IA professionals need to understand the security risks of convergence and make realistic investments in technology, people and processes where security controls and requirements are needed to minimize risk. A robust security risk management approach supported at the Board level will result in a more secure and safer industrial Internet. OT and IT expertise must engage with cyber security expertise to ensure a smooth convergence of connectivity rather than a potentially catastrophic collision.
How Ascentor can help…
Ascentor has significant practical CS and IA expertise and experience across a range of sectors, including critical national infrastructure organisations (civil nuclear, energy (smart meters), banking, defence, government). This enables us to conduct sector specific technical security risk assessments that are pragmatic, appropriate and cost effective or to provide more general security consultancy services to help support strategic or tactical initiatives with the right level of context.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss any aspect of IA and cyber security, please contact Dave James, MD at Ascentor.