OT/IT Convergence: Cybersecurity or Cybersafety?

Operational Technology (OT) cybersecurity is a hot topic. Millions of dollars have been poured into a proliferation of OT cybersecurity startups. Information Technology (IT) cybersecurity vendors are also flaunting their capabilities in the OT space. The market is frothy, and for good reason.

Notable cyber attacks over the past several years--including Wannacry, Stuxnet, Botnet and Crashoveride--have played on risks associated with the convergence of OT and IT. On top of this, security researchers have identified vulnerabilities in our nation’s critical infrastructure as a result of OT/IT convergence.

For example, just last year, the University of Tulsa released a report revealing critical weaknesses in wind farms. These types of incidents lead to the same following (ir)rational conclusion: The world is ending.

On the contrary, the world is likely not ending. These incidents have exposed weaknesses and vulnerabilities within certain aspects of industrial environments.

More Than Meets the Eye

While these incidents facilitate easy marketing campaigns that prey on human paranoia, I challenge the notion that all of them are external and intentional. Why? Because these situations often have a cybersafety component (unintentional incidents that result from technology misuse or error) associated with them. Here is what the data tells us:

Source: The State of Industrial Cybersecurity 2017 - Business Advantage
Source: The State of Industrial Cybersecurity 2017 - Business Advantage

According to the research, 29% of industrial organizations stated that employee errors contributed to cyber incidents. Meanwhile, 36% cited targeted attacks and 13% cited sabotage or other intentional damage. What do these findings mean for you?

  1. Cybersafety matters: Accidental industrial cyber incidents need to be included in your risk model.
  2. Bad actors exist: Malicious cyber incidents happen within industrial environments.
  3. Threat (un)known: The source may be sitting next to you, rather than halfway around the world.

Consider a 2005 accidental cybersafety incident in which the Taum Sauk Hydroelectric Power Station dam overflowed when water continued to pump, despite the reservoir being full. Why did it overflow? A sensor at the base of the dam, responsible for measuring the water level, became dislodged, providing inaccurate readings. Enhanced operational and cyber-situational awareness could have provided data necessary to understand the root cause of the problem before it became catastrophic.

Cybersecurity incidents can be just as destructive. Consider the paper manufacturer Georgia-Pacific, which suffered more than $1 million in losses due to insider sabotage. A disgruntled former employee used VPN access to log into the company’s Industrial Control Systems (ICS) network, installing software and making unauthorized changes that resulted in product loss. This is an example of traditional IT pitfalls causing physical repercussions.

Know Where You Stand at All Times

Despite the source, these incidents –whether malicious or unintentional – can be prevented. A sound starting point is performing an assessment to diagnose your physical environment (critical for industrial processes) and policies and procedures. This enables your organization to identify data that could be leveraged to help detect and respond to ongoing threats. The exercise will yield a host of recommendations that harden your environment, including simple tactics such as password and account management and more advanced methods like intrusion-detection systems and remote security management.

No matter the approach or solution, it is imperative that operational and security personnel work together. There must be consensus that the first concern is safety, followed by availability, productivity and reliability. Security is a function that supports all of these metrics. It is important that these groups leverage each other's respective genius while keeping an open dialogue of what else is possible. For example, certain IT techniques like active monitoring will topple OT environments. On the other hand, password sharing (albeit convenient) muddies the ability to secure industrial spaces, increasing downtime and safety risks.

The world is not ending. Security incidents can be prevented with the proper infrastructure in place. It is vital to understand how safety and availability are impacted as your environment becomes increasingly connected to the internet. Performing an assessment exercise will help align your operations and security personnel, setting the tone for an organization that is focused on (cyber)safety, availability, productivity and reliability.