Author: Susan Bond, Sr. Program Manager, Solution Architect and Technical Leader
Recently, I presented at the SecureWorld conference, an annual conference that brings together experts in security. I partnered with another security expert to give a presentation to an audience ranging from technical to non-technical, from corporate executives to people who are peripheral to the security space. This was a great mix of security professionals as well as those interested in learning more about cyber security. As an icebreaker to our presentation, we divided the room into three groups – Information Technology (IT), Consumer Technology (CT), and Operational Technology (OT) – and asked folks to identify products and logos, such as cameras, the Apple logo, the Cisco logo, etc., and which space they belonged in: IT, CT and/or OT. What we found from this small experiment is that people understand IT and Consumer Technology, but few people understand what Operational Technology means. My conclusion after this presentation was that we need awareness and understanding of the fusion of these three technologies to create holistic solutions in the security space.
Why is this Important?
Here is a real-world example. In a plant such as a refinery, you have sensors and other devices that may not have received a security patch since the plant was brought online, probably years ago. The control network supporting these sensors and systems used to be physically disconnected from every other network; with advances in technology, that control network is now connected, peripherally or directly, to the refinery’s corporate network, probably with only a firewall separating the two. Hackers across the globe are highly motivated to deliver malware and other cyber threats through attack vectors such as email, now a common threat that companies must address, and many are putting defenses in place within IT. The concern now has to extend to that malware passing through the corporate network and on to the control network, breaching a plant control system that is missing years of security patches. Instead of a breach of confidential and proprietary data, the risk is to the refinery equipment. Even more concerning is the risk to human life if the refinery equipment operates abnormally and endangers plant operators, or even the area surrounding the refinery.
What is Operational Technology?
Let’s start with defining Operational Technology (OT). I’ll use my experience at one of the national labs to help explain. As in many organizations that exist in the OT space, there is a formal IT department handling all the usual IT activities such as business systems development; network, systems, and security support; and other corporate information systems-related activities. Along with the formal IT department, there are IT functions being performed as part of lab operations which exist outside of the IT department. My responsibility was supporting the implementation and operation of the network, cyber security, communications and Supervisory Control and Data Acquisition (SCADA) infrastructure for the newly constructed energy systems research facility. These technology activities were the Operational Technology side of the enterprise and existed somewhat separately from the formal IT department.
It is tempting to think the difference between IT and OT is that, because IT is directly connected to the Internet, its data flows much faster. But IT operates on human timescales of minutes and seconds. The SCADA system on the OT side must operate at a much higher frequency, in milliseconds and microseconds. Why? Think of a breaker that shuts off electricity when it senses an abnormal situation: it should trip instantly, within a microsecond. The operational side has a higher data frequency and a higher flow rate.
These systems handle real-time and near-real-time events for mission-critical systems, with timing and availability requirements that typically exceed what standard IT solutions deliver. We had to architect solutions that isolated networks from the enterprise yet still supported communication between real-time digital simulators at geographically dispersed lab locations as part of research operations. We had to figure out how to keep the Windows desktops controlling the SCADA system running and secure without the benefit of a connection to the enterprise network, where regular patches could be applied. We had to create risk mitigation strategies so that the hydrogen systems equipment could occasionally connect to the Internet while still adhering to the safe work permits and safe operating procedures.
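To make the segmentation problem from the refinery example and the isolation requirement above concrete, here is an added example (my illustration, not code from this post or from any lab): a small audit over a constructed zone-based firewall policy that flags every allow rule letting corporate, guest or Internet traffic into the control zone, except for one hypothetical sanctioned jump-host path. Zone names, service labels and the sample rules are all assumptions made up for the illustration.

```python
from dataclasses import dataclass

# Constructed zone names: "control" stands for the SCADA/ICS network, the others
# for networks the post treats as untrusted relative to it.
CONTROL_ZONES = {"control"}
UNTRUSTED_ZONES = {"corporate", "guest", "internet"}
# Assumption: the only sanctioned path into the control zone is a dedicated
# jump host reached over one service; this (host, service) pair is hypothetical.
APPROVED = {("jump-host", "rdp-3389")}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst: str       # destination host name, or "any"
    service: str   # e.g. "tcp-445", or "any"
    action: str    # "allow" or "deny"

def audit(rules):
    """Return allow rules that admit untrusted-zone traffic into a control zone
    outside the APPROVED exceptions. Rules are evaluated first-match, so an allow
    that follows a deny-any for the same zone pair is shadowed and not reported."""
    findings = []
    shadowed = set()
    for r in rules:
        pair = (r.src_zone, r.dst_zone)
        if r.action == "deny" and r.dst == "any" and r.service == "any":
            shadowed.add(pair)
            continue
        if r.action != "allow" or pair in shadowed:
            continue
        if r.src_zone in UNTRUSTED_ZONES and r.dst_zone in CONTROL_ZONES:
            if (r.dst, r.service) not in APPROVED:
                findings.append(r)
    return findings

# Constructed sample policy, not taken from any real plant.
SAMPLE_RULES = [
    Rule("corporate", "control", "jump-host", "rdp-3389", "allow"),   # sanctioned
    Rule("corporate", "control", "any", "tcp-445", "allow"),           # SMB into OT: finding
    Rule("guest", "control", "any", "any", "allow"),                   # guest Wi-Fi into OT: finding
    Rule("internet", "control", "any", "any", "deny"),
    Rule("internet", "control", "historian", "tcp-502", "allow"),      # shadowed by the deny above
    Rule("control", "corporate", "historian", "tcp-443", "allow"),     # outbound only, not flagged
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"FINDING: {f.src_zone} -> {f.dst_zone} {f.dst}/{f.service} allowed")
```

Run against a real policy export, the same logic gives a first-pass list of paths a piece of email-borne malware on the corporate side could use to reach unpatched control systems.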
The challenge was to support the hardware and software systems running the labs and keep everything safe, secure and highly available without the benefit of the formal IT processes and infrastructure that keep IT shops humming along.
Security Can No Longer Be Done by Obscurity
Not so long ago, the Operational Technology arena functioned with a closed network architecture – and security through obscurity was the standard mode of operation. You would have proprietary networks that were closed off and physically didn’t connect to anything else (often referred to as “air gap” networks). But technology and product innovations have launched industrial control systems (ICS) like SCADA into an era where turning on a device typically requires a connection to the Internet. Embedded systems supporting various forms of automation want to connect wirelessly to other devices that they control or obtain information from. The days of security through obscurity are gone as a simple scan from a smartphone can often show available networks, some of which support Operational Technology systems not adequately secured and protected.
Why does anyone care about that? Gartner forecast that 275M wearable devices would be sold in 2016. Imagine all those wearables walking around oil and gas plants, factories and chemical manufacturing plants where OT systems are supposed to be protected and secured but probably aren’t. What kind of effort would it take for those wearables to jump on an open guest network connected to a poorly protected OT system network supporting a water treatment system or an electrical grid? Here’s where it gets scary – what would it take for someone to hack that wearable, knowing that it will connect with that OT system network, and ultimately connect to other devices on that OT system network? How do we fix this security problem? First, we must better understand the security threat. As I mentioned above, I believe it will take a fusion of the three disciplines – IT, CT, and OT – to create a security solution that comprehensively and effectively protects enterprises with critical assets in the OT space. What are your thoughts? Please share them in the comment section, and stay tuned for the next post on the topic.