Organizations' use of technology is never-ending and has played a pivotal role in our fast development over the last century or so. Today, we see digitalization, Artificial Intelligence (AI) and machine learning transforming the way we operate. New types of jobs are created, while old ones disappear. 

Around thirty years ago, physical threats were the biggest concern – now, as I'll explain in this blog, it's more likely to be a cyber attack that poses the greatest threat to society as a whole, or to individual organizations.

The technology used to monitor and/or control our industrial systems, often referred to as Operational Technology (OT), is increasingly connected to the internet. These systems are often built without basic IT security features and are often full of vulnerabilities. There is an array of use cases for OT covering several sectors, such as the manufacturing industry, energy/utilities, water/waste and shipping/transportation.

Several uses of OT can be found in Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), Remote Terminal Unit (RTU), Programmable Logic Controllers (PLC) and Embedded Systems. An OT device can be controlling the navigation of a ship, the engine of a car (ECU) or a nation's power grid, for example. 

Building IT into OT means organizations can streamline their business, improve communication in the supply chain and find new intelligence from the latest technology trends such as the Internet of Things (IoT), Industrial Internet of Things (IIoT) and Fog Computing. But, as IT and OT grow together, the risks grow significantly too. 

Today, many organizations lack visibility of their OT networks, of what assets are connected and of the vulnerabilities that are associated with them. Combined with a lack of resources, a complex compliance environment to adhere to, and pressure to know your risk posture, this creates a challenging environment for many organizations.

Security, however, is not thought about at all for traditional OT systems, which have long lifecycles, making them a prime target for a cyber attack. Activist groups, individual troublemakers, criminal organizations and rogue states are targeting OT and national critical infrastructure daily, in an attempt to disrupt services and cause havoc.

Protecting these systems becomes a critical piece of a nation's defense strategy against new attacks. A nation's critical national infrastructure consists of the assets deemed critical for a functioning society. This can include water supply, waste management, transportation services, electricity, financial services, security services (military and police), telecommunications, healthcare and so forth. When these assets are targeted, it is possible to take control over a nation without firing a gun.

There are several hypothetical scenarios that could be considered. What if the navigation system of a passenger ship were tampered with in an oil field area at sea, or a vessel carrying oil were taken hostage? What if a railway control system were altered to change tracks for two trains approaching each other? What if the power grid of a large city or state stopped functioning? What if the financial system were modified to erase loan data or steal vast amounts of money? What if the water supply systems failed to supply fresh water? What if traffic lights, airport controls, or bridge or tunnel controls were put out of order? Or if a nation's mobile network were shut down?

All are potential worst-case scenarios that make it easier for an attacker to take control without using traditional weapons. Taking these matters seriously, increasing visibility, understanding your risk and building your architecture with security in mind will be critical for securing critical assets.