Networks are becoming more complex by the day, as they integrate new, emerging connection technologies with capabilities that reach far beyond those of personal computers and servers. These rapidly advancing technological underpinnings power industrial organizations the world over and represent what is commonly known as Operational Technology (OT).
What is Operational Technology?
OT is any hardware or software that monitors and controls devices, processes or infrastructure. These tools can take the form of physical access control mechanisms, fire control systems, building management systems and more. Some examples of everyday OT include smart traffic management to reduce travel time, building automation that can perform primary functions without human intervention, and commercial configurations with the ability to connect multiple systems and seamlessly share data between them.
What makes Operational Technology unique?
The variety of equipment that makes up OT is massive and exceptionally diverse. For example, wind turbines, generators and fuel pumps are quite different from a computer numerical control machine. Similarly, 3D printers are quite dissimilar from clinical-grade medical equipment, security cameras and access control systems. And still, each one of these items belongs to the OT ecosystem. Unfortunately, uniqueness in the field of OT is a double-edged sword, in that it does not easily accommodate a one-size-fits-all IT security approach. Moreover, due to the intricate nature of OT equipment, security solutions often require near-device deployment, multiplied by the number of units. Such solutions have traditionally been cost-prohibitive. These and other challenges are especially acute for legacy equipment, which often cannot comply with modern cybersecurity standards and requirements.
Risks Associated with Attacks on Operational Technology
While OT’s increasing connectivity and diversity offer a great many benefits, such growth also brings forth a whole host of cybersecurity risks. Now more than ever, organizations are vulnerable to attacks on their equipment, products and people, thanks to the numerous threat vectors that widespread interconnectivity creates.
Those industrial organizations that find themselves in a cybercriminal’s crosshairs are typically targeted because of their status as critical infrastructure, which implies they hold national security value in light of the services they provide. Given their political value, organizations on the receiving end of an OT-based cyberattack could find themselves the subjects of greater scrutiny, tighter regulatory controls, or even hefty fines.
Cybercriminals are not out solely to cause trouble between industry and regulators. Usually, these bad actors are seeking monetary gain and will exploit vulnerabilities within a company’s OT to implant nefarious content like ransomware, which can financially cripple even the largest organizations.
Diminished Public Trust
Perhaps the greatest bane an organization can experience in the wake of an OT-based cyberattack is a significant loss in public trust. Once customers learn that company systems were breached, they are less likely to continue using that organization’s services, if given the choice.
Examples of Attacks on Operational Technology
Unfortunately, assaults on OT are more commonplace than one might think. In fact, experts predict that attempts to breach operational systems could soon number in the thousands year over year, and that number is projected to worsen with time. In the last few years alone, several OT attacks have made national headlines, causing grave concern among regulators, politicians, and the public. In 2021, the Colonial Pipeline was compromised, leading President Biden to issue a formal State of Emergency. In 2023, OT attack victims included Dole Food at four of its North American sites, SAF-Holland, Baden Steel Works, and 22 companies associated with critical energy infrastructure in Denmark. Even noncritical industry sectors have had their run-ins with cyberattacks, like MGM casinos and resorts in Las Vegas, which lost control of its room keys, ATMs, phones, and slot machines for 10 days.
U.S. Government Efforts to Enhance Security for Operational Technology
The Biden Administration has demonstrated a firm commitment to securing OT, recently directing the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency (CISA), and Department of Treasury to publish new guidelines for OT and industrial control systems. These guidelines focus on the responsible use of open-source software, although much of the content serves as general best practice for OT security as a whole and offers important operational considerations for senior decision-makers (C-suite) and line-level personnel alike, as well as vendors, equipment owners, and facilities.
Looking Ahead to Improving Operational Technology Security
The U.S. Government’s guidelines also make clear that both organizations and their vendors must work together to shore up OT security against all types of attacks, including private and state-sponsored. Yet despite this expectation, regulators remain out of touch with the tactical challenges IT and security personnel will face in erecting the type of safeguards federal guidance demands. The most valuable step companies eager to get ahead on their OT security can take is to partner with experts who understand the ins and outs of the modern cyber landscape. It is advantageous for companies to partner with businesses that can help them stay on top of their security needs.
Rubycomm is an Israeli technology company specializing in OT security. Its CEO, Shlomi Marco, is quoted as saying, “Without a doubt, the most important factor for organizations that rely on OT to consider is their security.” He goes on to say that in this modern, connected world, it is critical to ensure systems remain uninterrupted by cyber criminals seeking to disrupt industrial operations.
Marco also believes the market will reward equipment vendors and users that embrace OT security in the near-term, and many IT experts agree with him. Organizations that bring together their in-house experts and vendors with dedicated security professionals to mitigate threats before they become exploitable will maintain an advantage in the unfolding tug-of-war between those who strive to provide essential services to the public, and those who seek to upend them.