Could That Really Happen? Operational Technology (OT) Cyber Risks
To defend against OT threats, continual improvement is required
There's an established tenant in OT cybersecurity called “defense in depth” which is the strategy of using multiple, layered measures to protect an organization’s assets. However, this can’t be a one and done process. The measures put in place must be continuously improved because the OT threat landscape changes constantly – and what isn’t a concern today, could be one tomorrow.
Physical Damage Through Digital Methods
About 15 years ago, industrial cybersecurity was nascently being discussed; however, it wasn’t called “OT cybersecurity” because operational technology wasn’t a term yet in existence. The phrase operational technology came about from a need to differentiate OT and IT environments – particularly as it related to cybersecurity.
IT cybersecurity deals with information security such as intellectual property or financial data, and a breach in that area can cause a terrible impact. But when it comes to consequence, OT cybersecurity has more at stake because it can cause changes in our physical world. Imagine if a critical infrastructure was taken down and brought offline – water, electricity or other energy sources – major disruption would occur.
An example from recent history is the Colonial Pipeline, which runs 5,500 miles from Texas to New York, transporting about 45% of the east coast’s fuel supplies and servicing multiple airports. A 2021 cyberattack caused the industrial control system to be taken offline for a week and caused a painful impact to the U.S. East Coast, resulting in fuel shortages, inflated prices, panic buying, and long lines at the pump.
In more general terms, with OT disruption there can be a real business impact as well as the potential to cause harm. It could be an error that decreases yields if production is halted or it could impact quality if something is altered. The biggest risk would be some sort of longer lasting consequence – something that could cause physical damage to the environment, or even people.
“In the early days back before we even called OT, OT, before the days of Stuxnet and other high profile cyber-attacks against critical infrastructure, I was actually laughed at on stage trying to promote the concept of OT cybersecurity to industrial process control operators. I had someone raise their hand during the Q&A and ask me if this was really what I did for a living. It has changed an amazing amount since then. There's pretty much a blanket acceptance of the need now.” – Eric Knapp, Director of Cybersecurity Research, Honeywell Connected Enterprise
The Constantly Changing Landscape of OT Cyberthreats
One of the reasons a continuous journey is stressed in OT cybersecurity is because there is never a time where an enterprise’s “defense in depth” will end, and the process considered complete. In your OT cybersecurity journey, you need to know where you currently are, what your next steps are, where you ultimately need to be – and then repeat the cycle.
If you’re just getting started with OT cybersecurity for your industrial organization, you would probably focus on where the vulnerabilities are, what systems need to be changed, and when that change can happen in terms of things being on process or off process. It may sound like there's a lot of complexity involved around this, but that’s why the Honeywell Forge team is here – to take the complexity off your shoulders.
When you’re a little further on in the journey, with an already improved security posture, that's when you need to think, “How can I make it even more difficult for an attacker to succeed?” That’s where more layers would come in, and the cybersecurity research team from Honeywell Connected Enterprise could help you innovate new ways to detect and protect against cyber threats.
Or, if you think you're protected and everything's good, schedule a penetration (pen) test or a red team/blue team exercise to see if you’re as secure as you think you are – and then find ways to make yourself a little bit more secure. There’s never going to be an OT cybersecurity box to check that says, “we’re done.”
Also remember that cybersecurity isn’t just about implementing new technologies. Awareness and training play a huge part and cybersecurity should be an extension of “safety” education. Site safety is incredibly important in the industrial industry, but cybersecurity – which is a form of safety – hasn't reached the same awareness level. The act of inserting a USB thumb drive into a computing platform in an industrial control environment should provoke the same response as walking into a hard hat area without a hard hat on: Don’t do it!
Take the Next Step
Whatever stage of the journey you're on, Honeywell Connected Enterprise is here to help. We have hundreds of dedicated cybersecurity professionals around the globe that do nothing but industrial cybersecurity – highly trained, skilled people who are ready to help with your OT cybersecurity journey.
“The most important thing to remember is that security is a journey. It's a life cycle. You know, it sounds kind of cliche, but it's true.” – Eric Knapp, Director of Cybersecurity Research, Honeywell Connected Enterprise
Visit BeCyberSecure.com to learn more about Honeywell Forge OT Cybersecurity Solutions