How to Mitigate Risk Against Operational Technology (OT)

Cyber Risk

Operational technology, or OT, is hardware and software technologies that monitor and control a variety of physical operations including, but not limited to processes, devices, and even various infrastructures like public rail transportation. As OT becomes increasingly digitized, most of these technologies are being connected to corporate networks and the internet to improve productivity and streamline operations. But with that functionality, they adopt more risk (digital attacks, malware, social engineering techniques), as the once siloed technology now has the potential to be attacked by external threat actors and hackers.

This continuous technological evolution has caused OT to lose its insulation from internet-derived risks. In 2019, IBM reported a staggering 2000% increase in cybersecurity incidents against OT, further increasing by 30% year-over-year. Furthermore, a 2020 study reported that 43% of security firms downgraded their incident reporting—which often leads to fewer new vulnerabilities being detected and addressed. In recent years, cybercriminals have increasingly demonstrated their willingness to cause potential harm to large populations by shutting down critical infrastructure. In a worst-case scenario, this could cause loss of life. In addition, the organizations who suffer a disruption face detrimental damage to their reputation and great financial loss as the result of an attack.

Challenges

The challenges associated with bringing operational technology security up to snuff, though, are expansive. Technologies that use OT are continually connected to the internet and cannot be disconnected to install or apply updates, as pausing operations would mean millions in lost dollars. Additionally, OT often runs on outdated operating systems; is not scanned frequently enough, creating blind spots that can leave new threats unnoticed for long periods of time; and is very difficult to patch. While the challenges of securing operational technology are significant, not prioritizing security is short-sighted, costly, and dangerous for the organization and its customers.

While many critical infrastructure organizations carry on their operations, hoping they will not be the next subject of a headline, regulatory bodies do not have adequate regulations in place to ensure that organizations keep their OT security up-to-date and effective against continuously evolving cyber threats. Updating and enforcing OT cybersecurity regulations is crucial to ensure the safety of the organization and its customers, users, employees, or the public; and to ensure that risks will not affect them so far as to inhibit their ability to deliver critical services. An example of this type of attack, while not directly involving operational technology itself, was the recent incident in the United States against the Colonial Pipeline. This incident saw the seizure of operations of the pipeline after a group of cybercriminals hacked into its software and rendered it non-operational, instilling panic in millions of American citizens. This is a scary thought when you consider that that specific pipeline is responsible for delivering nearly half of the east coast’s fuel supply in the country. Many citizens panic-bought gasoline as they feared a spike in price after the attack.

Some examples of past attacks against OT infrastructure include:

  • A 2013 hack carried out by Iranian cybercriminals who gained access to the Bowman Avenue Dam floodgates in New York (The New York Times).
  • In 2014, hackers gained access to a German steel mill via social engineering techniques and forced a shutdown of a large furnace, causing massive damage (BBC).

Moving forward

Keeping these points in mind, organizations should prioritize and invest in maturing their security operations and operational resilience programs. Mature risk and security programs take a risk-based approach, where they assess all potential threats to the business, then determine which threats will likely materialize and have the potential to be the most damaging. Building a risk-based approach into to your programs allows risk and security teams to prioritize their efforts to focus on mitigation and management strategies that have the largest impact on the business.

Organizations can harness the power of technology from organizations such as ServiceNow to automate tasks so risk and security teams can focus on high value efforts. Reporting and dashboard features provide context on the impact of threats, ensuring that risk and security teams can make informed decisions that protect customers and the business.

If your organization wants to ensure that it is safe, talk to Iceberg today about how to mature your security operations and operational resilience programs.

Related Discussion: A Risk-Based Approach to Bridging the Energy Sector Security Gap (30 minutes)

Start your GRC journey.
We’ll be your trusted partner.

Start your journey