How Do We Improve Our Operational Technology Safety?

Article by Scott Keenon, Director – Operational Technology Security, IACS Consulting

When approached to write an Editorial piece on the subject of “Operational Technology – have we improved?”, it allowed me the opportunity to reminisce on my decade plus of working in and around Operational Technology (OT), assisting clients to understand and increase their OT cyber security postures.

Remembering what this environment was like then, and where we are today, certainly brought back some amazing (both good and bad!) experiences. Now, it wouldn’t make much of an editorial if I were to simply state ‘Yes’, given I believe as a whole there have been significant improvements with OT cyber security. However, that wouldn’t be telling the full story.

When I was first introduced to OT by my colleague Andrew Wadsworth, I was immediately hooked by this fascinating environment, something that has remained so ever since. Here was an environment (some argue the most important) within an organisation whose inner workings, functions and systems were largely unknown to those outside it. Yet it plays a vital role in an organisation’s safe operations while underpinning commercial revenue. Add in the essential role OT has in critical national infrastructure and it really should have Senior Leadership focus and a cyber security posture that is front and centre for the organisation. Right? Well, sadly not.

We all know the focus and importance organisations place on safety. Unfortunately, the same could not be said for the cyber security of their OT environments. To some, OT cyber security may be a relatively new phenomenon; however, the reality is that the cyber security vulnerabilities within this environment have been known about and discussed for decades. Don’t get me wrong, we have come a long way from when a handful of dedicated OT engineers expressed concerns about the growing OT cyber risk and led the initial efforts to understand and manage the risks involved, often with next to no support from either Information Technology or the Senior Leadership team.

As a result, these pioneering OT engineers, often working in isolation and relying on their own initiative, not to mention budgets, started to investigate and introduce their own controls and secure ways of working. Quite often this included liaising with OT system vendors in an attempt to persuade them to introduce security measures, only to find that very few could see there was a problem in the first place.

As commercial off-the-shelf technology and the lust for data from corporate functions proliferated within OT systems, so did the risks. Senior Leadership teams only started to (slowly) sit up and take notice of the headlines being made around the world as cyber incident after cyber incident was reported. However, it was the potential reputational impact of such an incident, and not the existing vulnerabilities that facilitated the incident, that caught their attention. IT teams became increasingly vocal about where their responsibilities ended and what was ‘in’ and ‘out’ of their scope. Or even worse, they attempted to introduce IT controls or standards into the OT environment.

Despite being in existence from as far back as 2007 and initially slow to catch on, OT security monitoring and configuration management tools proliferated on the market as a result of the increased awareness and risk. While these new tools often proclaimed to be the “silver bullet” to solve all of the Senior Leadership concerns, the reality proved to be far more complicated than first thought. Senior Leadership teams quickly realised that once purchased, more still had to be done, including ongoing budgets being established, resources requiring training and new working practices and procedures needing to be introduced. All these factors led to OT cyber security being seen as a distress purchase, like insurance, and simply an overhead that could be done without.

Then came the game changer that would help significantly shift the dial with regard to attitudes towards and awareness of OT cyber security: the emergence of global industry regulations (i.e., IEC-62443) and country-specific guidance and standards (e.g., OG86 & NIS). While these now provided an organisation with referenceable material to work from, they also introduced problems as companies became unsure as to which one(s) they needed to adhere or align to. Add in the very real prospect of 3rd party regulatory audits to assess how a company was progressing with its cyber security journey and no longer could OT cyber security be ignored to the extent that it previously had been.

To further complicate matters, other problems existed, including a globally limited knowledge pool of experienced, and available, OT cyber security experts, a squeeze on internal budgets, issues with maintaining aging OT environments, cessation of production and the realisation that OT cyber security requires ongoing sustainment activities and is not a one-off investment.

Despite these problems and challenges, positive change has occurred within the OT industry, with awareness of this environment, and of the cyber security challenges and risks associated with it, as high as it ever has been. We now have OT system vendors building security controls into their products, better OT management tools openly collaborating with one another, training and awareness courses aimed at staff to further their cyber security knowledge and practices, and growing collaboration between IT and OT teams to understand the connections, boundaries and technology that span both environments. Is it perfect and across the board? No, but it’s at least a positive start, although budgets and resourcing still appear to be common battlegrounds.

But back to the original question of “Operational Technology – have we improved?”: based on my own thoughts above, the answer is most definitely yes. But hold on a minute, are we asking the right question? Perhaps, as my aforementioned colleague Andrew often asks, the question really ought to be “OT: are we improving enough?”. That, I believe, would take another editorial piece to answer.