Skip to main content

Why collaboration and shared responsibility will combat cyberthreats in operational technology

(Image credit: Image Credit: Andrea Danti / Shutterstock)

Few months back, a cyber-criminal gang called Darkside brought Colonial Pipeline’s systems offline for nearly a week, causing panic buying and fuel shortages. This was shortly followed by The Health Service Executive (HSE) in Ireland being hit by a ransomware group called Conti which scrambled IT systems and caused major disruptions to many hospitals. 

The importance of combatting attacks against critical infrastructure was further highlighted by the recent one-day summit with US and Russia, where President Biden handed Vladimir Putin, his Russian counterpart, a list of 16 critical infrastructure sectors that must be "off-limits" from cyber attacks. 

Why should you care about OT cybersecurity?

Such attacks highlight the importance of protecting operational technologies. Operational technology (OT) refers to the collection of hardware and software that helps to monitor, manage, and control physical devices. OTs are used widely in critical infrastructures, industries, enterprises, and homes – examples of OTs are lifts, safety automation systems, industrial control systems, flight management systems, traffic monitoring systems. 

Operational technology systems are deployed across a large range of asset-intensive sectors, performing a wide variety of tasks ranging from monitoring critical infrastructure (CI) to controlling robots on a manufacturing floor.  OT is used in a variety of industries including manufacturing, oil and gas, electrical generation and distribution, aviation, maritime, rail, and utilities. As OTs interact and affect the physical world, cyberattacks on OTs are threats to real-world safety.

Combating threats through robust cybersecurity planning requires a collaborative approach. Whether you are a policymaker, a technical expert, a manager in the private sector, or simply a user, you have a part to play in keeping OTs secure. To better protect operational technologies and supply chains from cyberattacks, responsibilities must be shared and mapped out to ensure that OTs are secure.

Responsibilities of users:

  • Practice cyber hygiene
    In cybersecurity, humans are often said to be the weakest link in the cybersecurity chain. The reason for such attribution is that bad cyber hygiene practices and low cybersecurity awareness by employees are detrimental to an organization’s cybersecurity, with about 90 percent of businesses at risk due to poor cyber hygiene practices. Bad cyber hygiene practices may include the use of weak passwords, holding off crucial updates in work computers, falling prey to phishing emails and social engineering, etc. Furthermore, this risk has increased with more employees working from home due to Covid-19. Users need to understand the risks of poor cyber hygiene and practice good cyber hygiene, often addressed through company-wide awareness training.  
  • Be vigilant 
  • Users can however be an opportunity for cybersecurity. In the cyberattack on the US water treatment facility, the cyberattack was met with a relatively quick response before any damage occurred. An employee noticed that someone was controlling his computer remotely. Though he dismissed it for five-and-a-half hours, thinking that it was his supervisor, he became concerned when he saw different programs opening and that sodium hydroxide levels were changed. This case illustrates that users can help to raise the alarm on cyberattacks when they notice something strange occurring in their systems, and a key part of this is by remaining vigilant and alert for such occurrences. Quick response and escalation of cyber incidents is key to limiting the damage of cyberattacks, and responses can be accelerated if users know the warning signs, what to do, and who to contact in case of cyber incidents. 

Responsibilities of private sector managers:

  • Replace old, legacy systems
    OTs may represent large capital costs – they may be expensive, and last very long. This contrasts with information technologies and software, which are constantly being replaced with new versions or new software altogether. Eventually, companies that provide software and patching support for OTs may cease providing support to focus resources on new iterations of their products. This means that known vulnerabilities may not be patched in these legacy OT systems, and these systems continue operating with vulnerabilities that may lead to cyber incidents. For example, some legacy OT systems run on Windows 95 without a supportable option to upgrade, replace, or can only do so at a high cost. Furthermore, old OT systems may not have been designed with cybersecurity in mind. Organizations need an enterprise lifecycle plan or procedure in place to mitigate this risk to OTs. 
  • Investments in cybersecurity are a must
    Investing in cybersecurity is not optional. Cybersecurity considerations may be overlooked by less mature organizations which approach digitization to reap the benefits but fail to manage the risks. The reasoning that some organizations may have is that cybersecurity is a cost, not an investment, and fail to allocate sufficient resources to cybersecurity. This reasoning is not true – cybersecurity is an asset, both to protect your business from the costs of cyberattacks, and to build customer confidence in your products and services and boost sales. 

Responsibilities of technical experts:

  • Adapting to new OT systems
    Increasingly, OT systems are incorporating aspects of Information Technologies (ITs) to leverage new emerging technologies such as Big Data and AI and boost efficiency. However, traditionally, teams that take care of OT systems do so from an operational perspective, whereas cybersecurity may be the responsibility of IT teams. In organizations that are incorporating new, converged OT systems, the OT and IT teams should conduct cross-training to understand how each other’s systems work to better manage and protect these systems.

Responsibilities of policymakers:

  • Policy is key to ensure a robust cybersecurity regime
  • A heavy responsibility lies on both policymakers in governments and within private organizations for OT cybersecurity. Governments should work to raise awareness of the importance of OT cybersecurity among enterprises and facilitate the implementation of OT cybersecurity policies that draw from international and regional best practices and guidelines. These policies should also be crafted in consultation with private, public and technical stakeholders for clarity over the needs and concerns of stakeholders. Such policies should not be overly prescriptive to allow enterprises to adopt the cybersecurity measures that they require – cybersecurity is not a “one-size-fits-all” and has to be tailored to organizational needs.
  • On the other hand, policymakers in organizations should comply with the standards set by their governments, not simply for compliance’s sake, but with a clear understanding of what their organization’s risks are and what tools are required. Also, policymakers should prepare for the eventuality of cyber incidents with the proper response, mitigation, and reporting procedures.

A shared responsibility

In a nutshell, everyone has a responsibility to protect OT cybersecurity, and this chain of responsibility is crucial for all stakeholders in OT to understand for a more robust OT cybersecurity regime. As the recent colonial pipeline and health service attacks have shown, securing OT does not only lead to a more secure cyberspace, but also helps bolster real-world safety amidst an increasingly digitized world.

Kenn Yee, Access Partnership

Kenn specialises in the APAC region, focusing on 5G, digital policy, cybersecurity, Internet governance, networking, and cross-border data flows. He also understands the technical aspects of technologies, which he uses to augment his understanding of digital policies.