Operational Technology – Déjà Vu
By Colin Fraser, Director at i-confidential
“We don’t need to invest in security – we’ve never had an incident here.”
Up until five years ago you would still meet a COO, CIO, or non-executive director who would say that.
As major cyber breaches have hit organisations around the world and personal experience of them has spread, over the last five years the quote has instead become, “If we gave you more money, could you make us secure more quickly?”
And the déjà vu…
Recently I met with a CIO and CISO at a significant utility company. They explained that the security of Operational Technology (OT), such as plant and machinery control systems, was not their responsibility. The individual business units looked after running and securing OT. Furthermore, they hadn’t had any incidents.
Over the last two years the world has changed. CIOs and CISOs are being told to take over Operational Technology asset discovery and security control assurance.
Cyber incidents such as those at Colonial Pipeline and the Oldsmar Water Treatment Plant have raised awareness of the challenge amongst business leaders.
That challenge is further compounded by the increasing convergence of OT, the Internet of Things (IoT), and Information Technology (IT). The target of the attack could be a piece of plant or machinery on its own, like the information screens at Iran Rail. However, ever more often OT is connected to an organisation’s internal network, providing a new attack vector to the heart of the organisation.
Widespread installation of wireless diagnostic, maintenance, and remote management capabilities into OT is one example of our expanding attack surface.
The moral of the tale?
Every organisation should factor coverage of non-IT technology into their risk assessments and security frameworks. Better to consider the risk and get it wrong, than to exhibit negligence by not applying objective, considered risk management principles to your OT and IoT estates.
Let’s not wait for an incident, but rather apply our standard approach to asset discovery, implement our cyber security controls and good practices, and defend against a harmful breach. Treat it as the application of our security umbrella to some additional platforms.
And if you feel like you need some additional support, please reach out and ask for help.