And why bridging this gap is crucial for the cybersecurity of critical infrastructure
On April 29, 2021, Colonial Pipeline, a pipeline system that is responsible for transporting gas and jet fuel to the entire southeastern United States suffered a severe ransomware cyberattack. As a result of this attack, the company suspended all operations, impacting customers and airlines all along the east coast of the US. President Biden declared a state of emergency because of the pipeline’s oil transport routes from refineries to industrial markets.
In this case, the hackers gained access to the company’s OT network using a simple VPN system that did not have the additional layer of security provided by multi factor authentication. As a result of not having the right protections in place, the company was forced to cope with a massive shutdown, pay an exorbitant ransom amount, and the CEO had to testify in the US Senate to justify his decision to pay the ransom. All of this cost and hassle that could have been prevented by one small safeguard.
This is just one example of many attempted and successful cyberattacks that go beyond just infiltrating a company’s IT network and have a significant impact on their operating technology. Such attacks cause complete shutdowns and lead to business disruptions, loss of information and data, equipment damage, decreased revenue, and even danger to human lives.
Cyberattacks on OT Systems are on the Rise
According to Gartner, cyberattacks on OT systems will come at a cost of $50 billion by 2023, and by 2025, cyber attackers will be sophisticated enough to use OT environments to harm or kill people.
There is no question that hackers have become bolder and smarter over the last few years. But, even with the increasing number of attacks the whole concept of cybersecurity has been very much within the IT domain of most companies, including critical infrastructure. IT staff have always concerned themselves with issues of data security, integrity and accessibility and are used to keeping up with the latest trends in cyberattacks and the current threats.
OT engineers and those responsible for the operational systems, on the other hand, have not historically paid much attention to cyberthreats. They have always been much more focused on making sure that the systems that run critical services such as oil refineries, chemical plants, and electric and water utilities are stable and working properly. These systems tend to run on legacy platforms, some of which have not been upgraded or changed in decades. The standard motto of an OT professional has for a long time been “if it ain’t broke, don’t fix it,” but it seems that the time has come to make a change. OT systems are no longer safe from attack, and in order to ensure the protection of these critical systems, OT and IT professionals must be able to collaborate.
To do this, they first need to understand each other’s mindsets and be able to overcome their fundamental differences, stemming from their different goals and roles within the company:
Operational Continuity vs. Security
The OT team is tasked with ensuring that the company is operational and that all systems are go, whether it is the assembly line in a factory or the power supply to customers at an electric company. The emphasis is on preventing any operational interference, and thus security takes second place in priority.
While the OT team’s focus is on operations equipment, the IT team’s goal is to protect all physical and digital infrastructure and tools in order to sustain operations and avoid any type of damage. They have the flexibility and tools to handle security issues in real time, and they look for potential holes in the network and ways that hackers might get in and work to patch those holes and mitigate any risks.
The IT team is acutely aware of the need to balance security and business enablement and are well-equipped with the tools needed to do so. The OT team, on the other hand, is so singularly focused on keeping the systems up and running that they lack the security awareness that is becoming so much more necessary.
Simple Access vs. Enhanced Protection
OT engineers aim to keep systems simple, easy and accessible for any workers or technicians who need access to operate machinery or create changes for maintenance purposes. They do not want layers upon layers of passwords and authentication that can take up valuable time and impact the efficiency of operations.
By contrast, IT staff need to add passwords and firewalls and other protections to make it difficult for hackers to access the system. If the network is too simple, it will be way too easy for would-be criminals to gain access.
Status Quo vs. Proactivity
As long as everything is running smoothly, the OT department will see no reason to make any changes. This comes from the fear of disturbing the status quo - why take chances and interfere with a process that is working fine?
The IT team, however, sees the vulnerabilities that exist in the legacy systems. They are painfully aware of the consequences if systems are left unprotected and open for hackers to make their move.
This disconnect can play out in a number of different ways on a regular basis. For example, if a security patch is needed on a specific computer within the OT environment (a situation which is probably a fairly regular occurrence), the OT team may be hesitant to deploy the fix for fear of it causing unplanned downtime. This “operations first” mindset can lead to the neglect of security risks.
Bridging the Gaps Today is Crucial
Without putting protections in place to keep OT systems secure, the results can be catastrophic. As proven by the Colonial Pipeline attack, hackers are not satisfied with just stealing financial information or other data, they want to shut down critical systems.
The longer that OT and IT teams continue to work in silos, the more time hackers have to up their game and find new and more insipid ways to penetrate the operating systems of critical infrastructure. With their current level of awareness, OT staff are likely to assume that most problems they encounter within the system is a technical glitch. They create a work-around and move on with their day, just as long as the system remains operational. While they may be correct and it is just a glitch, it could also be a sign of an attack. There must be a change in the process that will ensure that IT is notified whenever something out of the ordinary occurs in order to confirm that it is, in fact, harmless and not a nefarious attack. Without teamwork and collaboration, such risks can go unnoticed until it is too late.
There are three main directions that companies can and should take to address this challenge and bridge the gap between IT and OT professionals:
When it comes to cybersecurity, the safety of the entire company is at risk, and all relevant personnel must be appropriately trained so that they can be attuned to the potential attack vectors and take action to mitigate risks.
Both IT and OT teams should be trained together so that each can be aware of the other’s roles in keeping critical infrastructure safe. Training on live OT equipment used in power plants, water facilities, and more would allow members of both teams to fully understand the other’s perspective and needs and what needs to be done to protect the operational systems without compromising on stability, availability and efficiency.
Awareness and Mindset Shift
It is time for management teams and HR departments to bring together their OT and IT staff and get them on the same page. There is a need to raise awareness among OT engineers to the critical nature of protecting their systems. It is not just about the IT team adding a new firewall - there is also the risk of a maintenance worker or other malice-seeking individual gaining physical access to the system and sabotaging from within.
The onus is not entirely on the OT team to change their mindset and their ways. The IT team also must understand where the OT professionals are coming from, what their goals are and why they are hesitant to risk system operations to upgrade and make changes for the sake of potential security breaches.
Better Security-Operations Balance in OT
In addition to the mindset shift, companies must also consider technological solutions that will enable a better balance between operational requirements and security needs in the OT environment. Currently, when operations require communication via a Google SaaS platform (for example), IT is conducting security monitoring in the background to detect any suspicious behavior while business goes on as usual. As critical infrastructure organizations become more digital and use more IoT devices connected to the cloud, the security monitoring will need to become part and parcel of the devices themselves and part of the general operating procedure.
Once OT and IT teams are able to better understand each other, they will be able to collaborate and work together to ensure that critical infrastructure can operate smoothly and efficiently while also being protected from the ever-growing threats.