Why operational technology may risk your cybersecurity efforts

Everyone in business is familiar with information technology (IT) and understands what it means. 

But what about operational technology, often abbreviated as OT? 

At first glance, IT and OT appear similar because they share similar technologies such as IP networks and Windows operating systems. But their objectives are very different. While IT systems generally support office workers and back-office systems, OT environments (sometimes called process environments) are comprised of machines and devices that support manufacturing and production processes—think lathes in steel mills or planers in sawmills. OT systems have different characteristics, lifecycles, and priorities compared to traditional IT systems. 

Historically, traditional OT systems were “closed,” meaning they leveraged proprietary protocols, hardware, and software that were typically controlled manually with limited connections outside of the process. This isolation limited the opportunity for cyber threats to exploit vulnerabilities in process environments; it also meant that enterprise IT staff had limited involvement with the management of OT systems. 
 
But as OT evolved, more IT-related features were integrated into process environments by vendors such as Converged Plantwide Ethernet (CPwE) and edge computing systems. While these technologies were commonplace within IT, OT personnel weren’t typically skilled in managing these systems. This resulted in the OT environment being vulnerable to the same threats that affect IT systems—but without mature cybersecurity controls to mitigate risks.
 
The typical mindset of security-conscious organizations is that cyber threats are aimed at data that could be leveraged for financial gain by cyber criminals. A cyber incident that disrupts a physical process in an OT environment (loss of view/control) can result in personal injury/loss of life, loss of property (physical or data), and damage to the environment. The disruption of operations has the potential to inflict greater economic loss on the organization far beyond the systems directly impacted. 

A different operating model means different challenges 

Modern OT environments can be a combination of legacy equipment and IT components commonly found in IT enterprise systems. Cybersecurity professionals must have an appreciation of the unique challenges in OT environments.  

IT/OT culture differences 

OT professionals are intimately familiar with their environment’s operations in a way that always maintains safety; they’re often not focused on the global cybersecurity landscape or how to protect against those threats. In comparison, enterprise IT often isn’t familiar with the sensitivities to system performance and changes in the process environment. For an organization to be successful, IT and OT must learn from each other and partner on implementing security in such a way that safety and cybersecurity is respected and addressed simultaneously. 

Reliance on vendors 

OT vendors have greater control on how systems are implemented and managed because they’re typically sold as an all-encompassing system, leveraging IT-related components such as Windows or Cisco networking equipment. Common activities usually performed in enterprise IT environments such as applying patches or installing security software typically require approval and assistance from the vendor. Because OT systems typically stay in operation for 20 years or more, lack of support for aged components may leave these systems more vulnerable to well-known attacks. 

The impact of OT disruption 

A cyber incident that disrupts a physical process in an OT environment (loss of view/control) has the potential to inflict greater economic loss on the facility and organization far beyond the systems directly impacted. The disruption of operations can result in personal injury/loss of life, loss of property (physical or data), and damage to the environment. 

Availability requirements 

OT systems typically run 24/7 for five or even seven days per week, which prioritizes availability over confidentiality and data integrity—system downtime typically has financial impacts due to reduced process output or potential safety concerns.

Resource constraints 

OT systems are designed to support specific industrial processes, and some even require low-latency real-time communications. Devices often implemented in process environments such as PLCs (Process Logic Controllers) are designed with only enough resources to perform specific processes. Additional resources necessary to support security tools—such as antimalware—may degrade performance and impact operations. 

There is no silver bullet to protecting OT systems from cyber threats. A cross-functional team comprised of OT professionals (operations, process engineers, etc.) and IT cybersecurity professionals is essential to protecting these environments. An effective cybersecurity OT strategy should account for OT’s nuanced differences from IT and, in turn, drive appropriate decision-making when it comes to applying cybersecurity principles. 

Impacts to the processes that control the machine are more significant in the OT realm: Manufacturing equipment could result at the least in a production stoppage with minor financial impacts or, at worst, loss of property or loss of life. 

How does your organization address these OT-related challenges? 

Contact us and let’s discuss your OT cybersecurity risks.