Addressing Cybersecurity Concerns in Operational Technologies
In February, threat actors remotely raised sodium hydroxide levels in a US city’s water treatment facility to dangerously high levels. Fortunately, facility staff noticed the change and corrected the issue quickly before the city’s water supply was affected. The US Cybersecurity & Infrastructure Security Agency identified the vulnerabilities exploited in the attack – threat actors gained access through known vulnerabilities in legacy operating systems (Windows 7) and used the facility's desktop-sharing software. This case, a haunting example of a cyber attack targeting operational technologies, illustrates why threat actors target them – for high-impact, disruptive cyber attacks.
Why Should You Care About OT Cybersecurity?
Operational technology (OT) refers to the collection of hardware and software that helps to monitor, manage, and control physical devices. OTs are used widely in critical infrastructures, industries, enterprises, and homes – examples of OTs are lifts, safety automation systems, industrial control systems, flight management systems, traffic monitoring systems.
Cybersecurity is everyone’s responsibility. Likewise, whether you are a policymaker, a technical expert, a manager in the private sector, or simply a user, you have a part to play in keeping OTs secure. To better protect operational technologies and supply chains from cyberattacks, each group's responsibilities are mapped out below, outlining how you may help secure OTs for your organization.
Responsibilities of Users:
-
Practice Cyber Hygiene
In cybersecurity, humans are often said to be the weakest link in the cybersecurity chain. The reason for such attribution is that bad cyber hygiene practices and low cybersecurity awareness by employees are detrimental to an organisation’s cybersecurity, with about 90% of businesses at risk due to poor cyber hygiene practices. Bad cyber hygiene practices may include the use of weak passwords, holding off crucial updates in work computers, falling prey to phishing emails and social engineering, etc. Furthermore, this risk has increased with more employees working from home due to COVID-19. Users need to understand the risks of poor cyber hygiene and practice good cyber hygiene, often addressed through company-wide awareness training.
-
Be Vigilant
Users can however be an opportunity for cybersecurity. In the cyberattack on the US water treatment facility, the cyberattack was met with a relatively quick response before any damage occurred. An employee noticed that someone was controlling his computer remotely. Though he dismissed it for five-and-a-half hours, thinking that it was his supervisor, he became concerned when he saw different programs opening and that sodium hydroxide levels were changed. This case illustrates that users can help to raise the alarm on cyberattacks when they notice something strange occurring in their systems, and a key part of this is by remaining vigilant and alert for such occurrences. Quick response and escalation of cyber incidents is key to limiting the damage of cyberattacks, and responses can be accelerated if users know the warning signs, what to do, and who to contact in case of cyber incidents.
Responsibilities of Private Sector Managers:
-
Replace Old, Legacy Systems
OTs may represent large capital costs – they may be expensive, and last very long. This contrasts with information technologies and software, which are constantly being replaced with new versions or new software altogether. Eventually, companies that provide software and patching support for OTs may cease providing support to focus resources on new iterations of their products. This means that known vulnerabilities may not be patched in these legacy OT systems, and these systems continue operating with vulnerabilities that may lead to cyber incidents. For example, some legacy OT systems run on Windows 95 without a supportable option to upgrade, replace, or can only do so at a high cost. Furthermore, old OT systems may not have been designed with cybersecurity in mind. Organizations need an enterprise lifecycle plan or procedure in place to mitigate this risk to OTs.
-
Investments in Cybersecurity are a Must
Investing in cybersecurity is not optional. Cybersecurity considerations may be overlooked by less mature organizations which approach digitization to reap the benefits but fail to manage the risks. The reasoning that some organizations may have is that cybersecurity is a cost, not an investment, and fail to allocate sufficient resources to cybersecurity. This reasoning is not true – cybersecurity is an asset, both to protect your business from the costs of cyberattacks, and to build customer confidence in your products and services and boost sales.
Responsibilities of Technical Experts:
-
Adapting to New OT Systems
Increasingly, OT systems are incorporating aspects of Information Technologies (ITs) to leverage new emerging technologies such as Big Data and AI and boost efficiency. However, traditionally, teams that take care of OT systems do so from an operational perspective, whereas cybersecurity may be the responsibility of IT teams. In organisations that are incorporating new, converged OT systems, the OT and IT teams should conduct cross-training to understand how each other’s systems work to better manage and protect these systems.
Responsibilities of Policymakers:
-
Policy is Key to Ensure a Robust Cybersecurity Regime
A heavy responsibility lies on both policymakers in governments and within private organisations for OT cybersecurity. Governments should work to raise awareness of the importance of OT cybersecurity among enterprises and facilitate the implementation of OT cybersecurity policies that draw from international and regional best practices and guidelines. These policies should also be crafted in consultation with private, public and technical stakeholders for clarity over the needs and concerns of stakeholders. Such policies should not be overly prescriptive to allow enterprises to adopt the cybersecurity measures that they require – cybersecurity is not a “one-size-fits-all” and has to be tailored to organisational needs.
On the other hand, policymakers in organisations should comply with the standards set by their governments, not simply for compliance’s sake, but with a clear understanding of what their organisation’s risks are and what tools are required. Also, policymakers should prepare for the eventuality of cyber incidents with the proper response, mitigation, and reporting procedures.
A Shared Responsibility
In a nutshell, everyone has a responsibility to protect OT cybersecurity, and this chain of responsibility is crucial for all stakeholders in OT to understand for a more robust OT cybersecurity regime. As the US water treatment plant case shows, securing OT does not only lead to a more secure cyberspace, but also helps bolster real-world safety amidst an increasingly digitized world.
In a nutshell, everyone has a responsibility to protect OT cybersecurity, and this chain of responsibility is crucial for all stakeholders in OT to understand for a more robust OT cybersecurity regime. As the US water treatment plant case shows, securing OT does not only lead to a more secure cyberspace, but also helps bolster real-world safety amidst an increasingly digitized world.