By Facility Executive Staff
From the August 2021 Issue
Cyber security threats are of significant concern to organizations across virtually all industries. Historically, IT infrastructure was the target of hackers wanting to breach digital assets. Today, with the evolution of building systems and industrial control systems into the digital realm, these operational technology (OT) systems are now ripe targets as entry points for hackers. NIST (National Institute of Standards and Technology), part of the U.S. Department of Commerce, defines OT as follows: Operational technology (OT) encompasses a wide range of programmable systems or devices that connect to the physical environment (or manage devices that connect to the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.¹
Edwards is an OT and Industrial Control System (ICS) cyber security expert who collaborates with industry, academia and government to improve understanding of the security risks impacting critical infrastructure. At Tenable, Edwards works with industry and government leaders to reduce their overall cyber risk. Prior to joining Tenable, Edwards served as the Global Director of Education at the International Society of Automation (ISA), as well as the longest-serving Director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Facility Executive (FE): What is OT (operational technology) as it pertains to buildings and related infrastructure?
Edwards: Industrial control systems (ICS) and operational technology (OT) are, put simply, the fabric of the critical infrastructures that surround us. From the perspective of buildings and property, this may be systems associated with HVAC, energy usage, lighting controls, as well as elevators, almost all of which have migrated to computerized systems and so are now at an increased risk from cyber-based incidents.
FE: Increasingly, cyber security breaches are in the news. For those linked to OT, what observations do you have on the vulnerabilities that may have allowed these breaches?
Edwards: We have been seeing an uptick of rogue actors accessing OT environments in many ways. Not surprisingly, and most typically, they’re performing reconnaissance and locating the “weak link” in the machine. Oftentimes, OT environments are outdated, and were built for safety and reliability rather than security. We have been seeing more attacks that start on the IT side and move to the OT side. This is often observed in converged IT/OT systems where the level of security isn’t where it needs to be. Increasingly, however, these same attacks are occurring in “air-gapped” systems. Historically, OT systems were air-gapped, meaning critical systems were physically isolated from other networks with the intention to keep them more secure. The truth is that even the most secure air-gapped environments may experience “accidental convergence,” where systems are connected.
FE: Whether speaking to the prior question or OT cyber security generally, what “weak links” do you see when it comes to buildings? What can facility executives do to strengthen their defenses?
Edwards: With the increase of sophistication in OT environments comes additional risk, particularly when IT and OT environments converge.
Each vendor or provider of a particular service usually will provide their own technology and network. Much of the time, these networks are interconnected into some form of building maintenance network. Unfortunately, it is the case that “nobody” is given the duty to secure this environment; security falls between the cracks.
The truth is that OT security is hard; these systems were often not built with security in mind. The chance for cyber attackers to probe and test them for vulnerabilities might have unintended consequences on the physical infrastructure they support. That’s why it’s crucial for OT operators to get the fundamentals right, everything from asset and identity management to prioritized mitigation of overall risk, to keep bad actors out.
Organizations must recognize that securing OT systems also requires securing the IT side of the house. Most automated building environments are no longer air-gapped, which means they’re exposed to the outside world. This creates an expanded attack surface and gives cybercriminals an opportunity to move laterally from IT to OT, or vice versa. Control and visibility over converged environments are key to any security program.
FE: Organizations across the U.S. (and the world) are in different places on the spectrum with regard to OT cyber security. Still, considering the next 12 months or so, what should OT-focused professionals consider moving forward?
Edwards: Threat actors have been targeting OT environments around the world for years. Just look at the Ukraine power grid attack in 2015. Or Triton [malware] in 2017. Over the next year, I’m confident that threat actors will continue this trend, prodding and poking at OT networks for a number of reasons: instilling fear, monetary gain, etc. This includes the building and real estate automation sectors. Imagine having the heat of a building in Chicago out of service through the winter due to ransomware.
Whatever the adversary’s motivation, OT security professionals should never get distracted. They have to remain focused on the security basics. A little vigilance goes a long way. They should gain visibility into their networks to understand the entire threat landscape, work alongside IT teams to break the traditional IT/OT divide, and carefully consider risk mitigation plans, even considering an “if, not when” mindset to ensure true preparedness for all potential threats.
¹ Source: https://csrc.nist.gov/
For more information about Tenable, a cyber security firm located in Columbia, MD, visit www.Tenable.com. Through Tenable.ot, the company’s customers use a single solution for visibility and control to secure IT assets alongside OT systems.