The security of operational technology, known as OT, has become a widely discussed and important topic in recent years. Generally, OT security is the security of digital devices and networks that interact with the physical world. Think energy grids, manufacturing plants, pipelines, and industrial operations. Increasingly, OT networks and traditional IT networks intersect, and it’s essential for organizations to understand the impact.
These OT editions of Ready, Set, Secure, Securing the Gooey Center of Operational Security Networks and Operational Technology Part Deux spawned from a very active discussion on our Slack channel. These episodes tackle the critical and rapidly evolving world of OT security.
In these discussions with VP of engineering Jonathan Townsend and senior solutions architect Jarrod Cunningham, we described the differences between OT and IT security, real-world examples of OT attacks, and finally, how organizations approach securing the two environments.
What makes OT security different
First up: the significant differences between OT and IT security. Broadly, the primary difference is the greater focus on availability and physical safety in OT security. Because OT technology is where humans and technology intersect closely, the impact of attacks is often kinetic. For instance, when things go poorly digitally at a chemical plant, at best chemicals stop flowing. At worst, it could cause an actual explosion. The security of OT systems directly involves life and safety.
We’ve witnessed the impact of availability on utilities most recently with the ongoing physical attacks on power stations and several years ago when an unusual cold snap nearly brought the Texas electric grid down. While these are not cybersecurity events, they highlight the availability challenges associated with OT.
The digital attacks on the power grid in Ukraine are a real-world cyber event that targeted utilities— the attacks shut down their grid and caused massive blackouts. And as we discussed, another recent example is the cyber activity along the border of India and China. That activity led to several Indian power-generating stations being attacked. We are increasingly seeing critical infrastructures becoming part of the tools in statecraft as nations flex socioeconomic or geopolitical muscle.
Increasingly, there are malware families specifically built to attack power generation.
There can also be significant, long-term repercussions from attacks on OT systems. When main transformers fall, an entire grid can come down. Restarting a grid is not a simple event; as we review, it can take a year to replace if one needs to be rebuilt.
How OT Cybersecurity is different
In addition to the physical impact potential from attacks on OT critical infrastructure, the way OT security is managed is different. We all agreed during the show that OT security in practice, in how we see organizations approach OT security, looks a lot like IT security did a decade ago. That’s because the security for IT controls have evolved to become very granular. That’s not yet so for OT systems. Regarding OT systems, security and OT teams are still very much focused on hardening their external perimeters while having that gooey internal center.
There’s another big difference that security teams have to consider when approaching OT security. That’s how delicate system latency is because the system functions must be highly predictable with many interdependent systems. Getting the timing right is crucial, and it’s something security needs to consider.
When it comes to OT security, the years ahead are going to be fascinating. It’s an area where we call can expect rapid evolution. Be sure to listen to the conversations with Johnathan, Jarrod, Justin Hutchens, and me.
This blog was written by Michael Farnum, CTO at Set Solutions