February 7, 2023
Information Technology (IT) and enterprise systems are those devices that support business functions such as email, billing and so forth. Operational Technology (OT) systems, by contrast, are those devices and systems such as Supervisory Control and Data Acquisition (SCADA) and other industrial control systems (ICS) that enable operational processes such as closing valves, pumping product and sensing. Unlike IT systems, OT systems can vary significantly in structure. For example, an OT device may be a simple temperature sensor or, on the other end of the spectrum, a full Distributed Control System. Perhaps the largest difference between OT and IT systems, however, exists in criticality. While an unavailable enterprise system can cause significant inconvenience to a business, a cyber incident that halts the operation of an OT system can cause a far wider range of potentially severe consequences. Aside from the fact that a company’s operations may come to a standstill – leading to potentially millions of dollars in lost income over a very short period – a compromised OT system can result in safety, regulatory, and shareholder impacts. As a result, federal guidelines and industry standards place particular emphasis on defining and prioritizing the criticality of OT systems.
For decades, OT systems in critical infrastructure were afforded security through obscurity. These systems were both non-standard computing devices and non-networked. They accordingly were “safe” from most cyberattacks. With evolving and available technology, however, vendors and companies alike began to recognize the cost savings that could be had by moving data outside these localized devices and enabling their remote access and control. Vendors soon began shifting their offerings to more standard operating systems and applications – such as real-time data movement, mobility and cloud – that today provide significant IT connectivity into core operational environments. Unfortunately, this combination of well-known technology and increased interconnection has resulted in an increased attack surface that cyber threat actors now target with regularity.
The cyber threat landscape, and by extension cyber risk, constantly evolves. It can be difficult to predict the capabilities and vectors of the next big threat. What is certain is that the increased use of standard operating systems and applications in the OT space creates more opportunities for the bad guys. Well-publicized IT threats can be leveraged against the OT environment. If networks are not correctly segregated, or if systems are left unpatched and unmaintained, OT systems are vulnerable to disruption, exploitation, and damage. The best defense is well-developed perimeter protection, a secure network design, and protections against insider threats. Preparedness is key, both in technical controls and operations. Cyber insurance has an important role in that preparedness, especially when threats are unpredictable and potential consequences unknown.
Kevin Edwards, 703-653-0596, email@example.com