Understanding Operational Technology (OT)
Operational Technology (OT) refers to hardware and software that detects or causes changes through direct monitoring and control of physical devices, processes, and events. Examples include building management systems like lifts, HVAC (Heating, Ventilation, and Air-Conditioning), and door access controls. These systems may seem mundane but are integral to the functioning of many modern environments.
IT/OT Convergence and Associated Risks
With the convergence of IT (Information Technology) and OT, the risk of cyber threats is increasing. Smart buildings equipped with IoT (Internet of Things) devices and remote access capabilities are especially vulnerable. For instance, hackers once exploited a smart thermometer in a fish tank to infiltrate a casino’s network, showcasing the unexpected entry points in OT.
Noteworthy Incidents
Consider the 2013 incident where researchers breached Google Australia’s network via its HVAC system. Similarly, in 2022, vulnerabilities in UPS (Uninterruptible Power Supply) products potentially allowed hackers to cause physical damage remotely. These incidents underscore the critical importance of securing OT.
The Role of CISOs
Chief Information Security Officers (CISOs) often overlook OT cybersecurity, considering it peripheral. However, this can lead to significant vulnerabilities. Just as enterprises protect their digital assets, they must extend security protocols to OT systems. This includes adequate threat modeling and risk assessment to understand potential impacts on operations, safety, and reputation.
Balancing Priorities
Enterprises must strike a balance between protecting ‘core’ business functions and peripheral OT systems. This begins with identifying all OT assets and conducting comprehensive risk assessments. The idea is not to spend disproportionate resources on low-risk elements but to maintain optimal risk governance.
Securing the Ecosystem
OT security isn’t just about protecting individual enterprises; it’s about securing the broader ecosystem. Incidents like the 2016 Mirai botnet attack, which leveraged insecure IoT devices for DDoS attacks, highlight the potential widespread impact of compromised OT.
Conclusion
CISOs must broaden their cybersecurity focus to include OT systems. By doing so, they not only protect their enterprises but also contribute to a more secure digital ecosystem. Next time a CISO claims no OT usage, delve deeper into building systems like HVAC and access controls—they could be the weak link.
For further reading, refer to industry reports and tech publications for updated insights on OT cybersecurity.