It would be fair to say that cyber security is at the top of most businesses’ list of concerns. The increased emphasis on IT and technology – every company is a technology company today, after all – has made it this way.
Technology and data have become so deeply entrenched in many organisations that if it is compromised the damage to their operations, brand reputation and bottom line can be catastrophic. You merely need to flick through any daily newspaper to read about the latest data breach to see how much of an issue cyber security is.
Those same newspapers also arguably perpetuate some myths around cyber security, namely that not every hack, attack or breach is the same. It could be ransomware like the recent WannaCry attack, a DDoS attack like that faced by the BBC in 2016, or a phishing scam in the shape of those suspect emails we’ve all received from suspiciously generous foreign diplomats and royalty. Cyber security is a catch-all term to categorise a diverse ecosystem of threats.
So it follows that protecting different infrastructures and systems too would require different approaches and skillsets – protecting the automated systems of an oil refinery, for instance, would be quite different from the CMS of a retailer. The stakes are much higher too.
For those working in industrial settings, understanding the nuances of protecting operational technologies is the first step to mitigating risk.
OT v IT
It is an open secret that Operational Technology (OT) cyber security is not the same as IT cyber security.
It’s true that these systems are often based on the same technologies and as such many of the threats they face are exactly the same. However, there are some important differences that mean your operational assets should not be managed as an extension of your IT infrastructure:
- Age: OT computer systems are usually procured for a specific function and represent a significant investment. These platforms are not easily replaced and it is not unusual to find computer hardware that has been in operation with little or no modification for over 10 years. Consequently, they are vulnerable to a wide range of cyber-threats that have already been mitigated for your business systems.
- Availability: These systems are at the centre of every industrial company; excessive downtime goes directly to the bottom line. There is, therefore, an understandable reluctance to take these systems out of service for maintenance, including patching and anti-virus updates. If these systems cannot be updated frequently (consider how often requests to update appear on your own Windows PC) or they cannot be updated at all then alternative measures are required to manage the risk.
- Process hazards: Many OT assets are responsible either for direct control, supervisory control or the safe operation of manufacturing processes. Business systems are also critical but their failure is unlikely to result in the uncontrolled release of hazardous materials or energy. If a control system is not sufficiently secure from cyber threats then it cannot be regarded as adequately safe, and there is a clear implication here that the security lifecycle should be managed appropriately.