Everyone in business is familiar with information technology (IT) and understands what it means, but what about operational technology, often abbreviated “OT”?
At first glance, IT and OT appear similar because they share similar technologies like IP networks and Windows operating systems – but they have very different objectives. While IT systems generally support office workers and back-office systems, OT environments (sometimes called process environments) are comprised of machines and devices that support manufacturing and production processes, like lathes in steel mills or planers in sawmills. OT systems have different characteristics, lifecycles, and priorities compared to traditional IT systems.
Historically, traditional OT systems were “closed”, meaning they leveraged proprietary protocols, hardware and software that were typically controlled manually with limited connections outside of the process. This isolation limited the opportunity for cyber threats to exploit vulnerabilities in process environments; it also meant that enterprise IT staff had limited involvement with the management of OT systems.
As OT evolved, more IT-related features were integrated into process environments by vendors, such as Converged Plantwide Ethernet (CPwE) and edge computing systems. While these technologies were commonplace within IT, OT personnel weren’t typically skilled in managing these IT systems. This has resulted in the OT environment being vulnerable to the same threats that affect IT systems, but without mature cybersecurity controls to mitigate risks.
The typical mindset of security conscious organizations is that cyber threats are aimed at data that could be leveraged for financial gain by cyber criminals. A cyber incident that disrupts a physical process in an OT environment (loss of view/control) can result in personal injury/loss of life, loss of property (physical or data), and damage to the environment. The disruption of operations has the potential to inflict greater economic loss, on the facility, organization far beyond the systems directly impacted.
Modern OT environments can be a combination of legacy equipment and IT components commonly found in IT enterprise systems. Cybersecurity professionals must have an appreciation of the unique challenges in OT environments. Some of the challenges to OT environments are:
OT professionals are intimately familiar with their environment’s operations in a way that always maintains safety; they are often not focused on the global cybersecurity landscape or how to protect against those threats. In comparison, enterprise IT often isn’t familiar with the sensitivities to system performance and changes in the process environment. For an organization to be successful, IT and OT must learn from each other and partner on implementing security in such a way that safety and cybersecurity is respected and addressed simultaneously.
OT vendors have greater control on how systems are implemented and managed, as they are typically sold as an all-encompassing system, leveraging IT-related components such as Windows or Cisco networking equipment. Common activities usually performed in enterprise IT environments, such as applying patches or installing security software, typically requires approval and assistance from the vendor. Because OT systems typically stay in operation for 20+ years, lack of support for aged components may leave these systems more vulnerable to well-known attacks.
A cyber incident that disrupts a physical process in an OT environment (loss of view/control) has the potential to inflict greater economic loss on the facility and organization far beyond the systems directly impacted. The disruption of operations can result in personal injury/loss of life, loss of property (physical or data), and damage to the environment.
OT systems typically run 24/7 for 5 or even 7 days per week, which prioritizes availability over confidentiality and data integrity, as system downtime typically has financial impacts due to reduced process output or potential safety concerns. (The Cyber Resilience Mandate: Preventing Business Disruption in an Age of Cyberattacks)
OT systems are designed to support specific industrial processes, and some even require low-latency real-time communications. Devices often implemented in process environments, like PLCs (Process Logic Controllers), are designed with only enough resources to perform specific processes. Additional resources necessary to support security tools, such as antimalware, may degrade performance and impact operations. There is no “silver bullet” to protecting OT systems from cyber threats. A cross-functional team comprised of OT professionals (operations, process engineers, etc.) and IT cybersecurity professionals is essential to protecting these environments. An effective cybersecurity OT strategy should account for OT’s nuanced differences from IT and in turn, drive appropriate decision-making when it comes to applying cybersecurity principles. Impacts to the processes that control the machine are more significant in the OT realm: manufacturing equipment could result at the least in a production stoppage with minor financial impacts or at worst, loss of property or loss of life. How does your organization address these OT-related challenges?
Contact us and let’s discuss your OT cybersecurity risks.