Now that executives are (a little) comfortable with IT security, it's time to preach the gospel of operational technology security.

Operational technology (OT) is Gartner’s wide-ranging word for internet-connected industrial stuff, including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) largely found in manufacturing and public utilities such as water treatment facilities and the energy grid. Cyber attacks on OT can be devastating. When the NotPetya faux-ransomware was done with shipping giant Maersk, the company had suffered $300 million in losses — and it could have been a lot worse. Maersk was nothing more than collateral damage in the hacking war between Russia and Ukraine. Similar incidents seem almost certain to occur again in the future to other enterprises.

Protecting your enterprise from data breaches is a hard problem, but protecting your manufacturing equipment from cybersecurity threats is even harder. Negative consequences can range from extended downtime and lost productivity to machinery exploding on the factory floor. How does a CSO break down these risks for other executives, not to mention the board of directors? Here are the top five OT security takeaways.

OT security is way behind IT security

OT operators are industrial engineers first and tend to come to the field from an electrical engineering or heavy equipment background, not a server farm and data center background. Growing alarm over OT security weaknesses has drawn attention to how far OT security is behind traditional IT security. It’s not an exaggeration to say that OT security is a decade behind.

Worse, OT engineers tend to earn a lot less than their IT security colleagues in the shadow of the Valley of Silicon, and under-resourced public utilities or smaller manufacturing concerns struggle to recruit, train and retain quality OT security staff.
Prioritizing your OT security staff is key to mitigating enterprise OT security concerns.

OT security is upside-down IT security

IT security folks worry about data breaches; OT security folks worry about things blowing up. Safety is job number one when it comes to heavy equipment, followed by uptime. This stands in stark contrast to traditional IT security, where data is king. Making sure that an attacker doesn’t steal your sensitive data is the most important task for IT, but not OT.

In OT, the C-I-A triad gets turned upside down. Safety and availability are first priority, followed by integrity, then confidentiality. Numerous OT security sources tell CSO they would rather run ICS equipment infected with malware for months than take unscheduled downtime to clean up and patch the machine.

A data breach that exposes production numbers on an OT system might be bad, but downtime or a sabotage attack on the integrity of the operator commands would be far worse. Staffing for this opposite world view often requires stretching experienced IT security folks and skilling them up in the OT context.

OT security involves more risk than IT security

“People are lulled into a feeling that computer security is doing OK,” security expert Bruce Schneier told CSO last year about his new book Click Here to Kill Everybody. “What’s changing is where the computers are. There’s a profound difference between your spreadsheet crashing and you lose your data, and your car crashes and you lose your life.”

The same goes for OT security. The failure modes are different and far more extreme. That means your worst-case scenario is way worse in OT than in IT. When your multi-million-dollar widget maker gets bricked because of malware, it’s gonna be really expensive to replace, not to mention the downtime. And that’s not even the worst case scenario.

Fearmongering about OT security risk would also be counterproductive, but these risks are real.
If your enterprise relies on core ICS/OT systems, then not defending them exposes your organization to catastrophic risk. Giving other executives and members of the board copies of Schneier’s latest book would not be the worst way of communicating these ideas, either.

OT and IT security are converging

IT and OT are converging, for better or for worse. Weaknesses in IT systems can affect the real-world performance (and safety) of ICS equipment. That means the end of the IT/OT silo from an enterprise security architecture, and staffing, point of view.

IT and OT have historically been two different worlds, with a cultural and technical gulf between them. Cross-train IT and OT staff so they better understand each other and can be more effective. When that OT security alert pops up in the enterprise SIEM, the IT security geek who gets the alert better know what it means and what to do about it.

“As facilities become more interconnected, IT and ICS infrastructures cannot be considered separately,” a recent Forescout report on OT security concluded. “Critical OT assets must be secured against IT focused malware that can be launched from point-and-click applications by adversaries across the globe.”

Likewise, OT security staff can learn a lot from IT security staff, who have been thinking about security and working on these issues for a lot longer. Cross-training means cross-fertilization of ideas and security staff with a more complete picture of what they are tasked with protecting. (It also means you need to pay them more if you want to keep them: hint, hint.)

OT systems must be continuously monitored

Because OT networks often use protocols that are insecure by design (they were never created with the internet in mind), it is critical to keep a constant watchful eye on them. This will catch glitches, raise a red flag if an adversary is poking around, and give OT security staff greater visibility into shadow IT.

Stuff gets plugged into OT networks all the time without permission.
Sometimes it’s additional industrial equipment that’s meant to be there; sometimes it’s a consultant’s laptop or cell phone. Keeping those devices off OT networks is critical, as well as ensuring that work laptops deployed in an OT environment run the bare minimum software necessary. “Laptops in production plants grow software like sea-going ships grow barnacles,” Hank Sierk, a retired principal controls engineer at Dominion Energy, told a webinar audience in September.

Remove wireless cards from work laptops and segment all wireless traffic on an untrusted, non-OT network.

OT security initiatives need executive support

Even the best CSO in the world can’t address OT security issues without the backing of the CEO and the board of directors. The buck stops with the boss, and if the boss doesn’t make clear that they expect enterprise-wide support for security initiatives, then those initiatives will die on the vine. It’s critical to explain the potentially catastrophic risk OT security issues pose to the profitability — and in some cases, continued existence — of any given organization. It means hiring smart IT and OT security staff, cross-training them, and paying them what they are worth. Good OT security engineers remain scarce.

There is a time and place for putting short-term profit ahead of long-term risk. Playing that game with the security of ICS equipment is like playing chicken on the edge of a cliff. Security-savvy members of the board won’t put up with it, and increasingly frustrated security staff will just go work elsewhere.

Make security of OT/ICS equipment a priority of your organization or be prepared for something worse than a data breach — exploding equipment, injured or killed workers, and downtime. The market won’t reward smart security decisions today, but it will surely punish bad security decisions tomorrow.