Nigel Stanley, Director of Cybersecurity at Jacobs, has a warning for CISOs: treating operational technology like information technology is more likely to break a system than secure it.
The risk of cyber attacks on factories, hospitals and vital infrastructure is increasing thanks to the push for IP-connected operational technology. CISOs play a vital role in mitigating this risk but the challenges are unlike anything else in the IT world.
We invited Nigel Stanley, Director of Cybersecurity for Jacobs and 30-year cyber veteran, to share his experience and his strategies for securing operational technology in a world that becomes more connected every day.
Stanley is exceptionally qualified on this topic thanks to his work at Jacobs, a company that builds complex infrastructure such as railway networks, water treatment plants and entire smart cities – all of which would not function without operational technology.
What is Operational Technology?
For a formal definition, Stanley defers to Gartner, whose glossary entry for OT security describes it as:
“The practices and technologies used to protect people, assets and information involved in the monitoring and/or control of physical devices, processes and events.”
Stanley has a simpler explanation of his own: OT is any computer used to control, monitor or act on a physical entity.
For example, the control systems for infrastructure sites such as electrical substations or water treatment facilities would fall under the umbrella of OT. It is also found in factories, hospitals or anywhere else where a computer is in control of physical equipment or devices.
Such a computer typically comes in the form of a programmable logic controller (PLC), a simple, ruggedised computer engineered and programmed to operate the physical equipment in question. PLCs are often mounted together in racks and form the backbone of OT.
These PLCs are almost always operated via a graphical human-machine interface (HMI), known in the trade as a mimic diagram, which allows the operator to, for example, power up air conditioning, start a belt in a production plant or monitor the progress of a delivery robot.
OT is everywhere, designed deep into the systems that keep vital infrastructure running. Should OT in such sites fail either due to malfunction, neglect or a deliberate attack, the consequences could be dire not only for the operator but for social cohesion.
Stanley uses the 2021 intrusion at the water treatment plant in Oldsmar, Florida as a warning. An attacker gained remote control of the plant's OT and attempted to raise the level of sodium hydroxide (lye) being dosed into the water. Fortunately, the intrusion was detected and stopped, but had it succeeded the result would have been contaminated drinking water for an entire town.
“Within the world of OT,” Stanley says, “you could absolutely have a [compromised] system that makes something go BANG.”
How Does Operational Technology Become Compromised?
Stanley uses the Purdue Model to illustrate the ideal separation of IT systems and OT systems. In this model, plant-floor control systems sit in their own levels, separated from enterprise IT by a demilitarised zone, so that traffic between the two passes only through a small number of controlled conduits rather than direct links, reducing the risk of one providing an infiltration route to the other.
In his experience, Stanley has found that few organizations implement the Purdue Model fully in their OT environments. Many falsely assume there are no connections between their IT and OT systems when in fact links exist that create dangerous vulnerabilities.
This risk is increasing as demand grows for the equipment and PLCs that make up OT systems to be TCP/IP enabled. In such scenarios, networked PLCs may be used so that the enterprise level of an organization can monitor the operational side: a factory boss keeping an eye on production, for example.
Embracing the Internet of Things approach without first considering the security risks of unifying OT and IT systems, and whether such risks are worth it, has left open doors for cyber criminals to gain direct access to PLCs and the equipment that they control.
“They could be hacktivists, they could be bedroom hackers, they could be organized criminal groups, they could be nation state threat actors,” says Stanley. “They are cottoning on to the fact that critical national infrastructure is increasingly IP-enabled.”
Another area of vulnerability is the PLCs themselves. Whereas IT cybersecurity runs on the expectation that equipment and software will be on a four-year refresh cycle, in OT it is not unusual to encounter equipment on a 30-year refresh cycle, running firmware the vendor stopped supporting long ago and speaking industrial protocols that were designed without authentication.
Following the Purdue Model can stop PLCs being reached via IT systems, but it will not help if they can be accessed physically, which Stanley warns is a dangerously common occurrence.
Stanley uses an example of a new build hospital that was designed to have a building management system (BMS) that controlled heating, ventilation, air conditioning, CCTV and so on. After everything was up and running, it was never touched again.
“15 years on, that Windows XP computer is still running the BMS network, sitting in a little back room without a lock on it. Anyone can just walk up and immediately start to play with the mimic diagram to mess around with the BMS.
“And all of this was sitting on a flat network. It was absolutely trivial for someone to go up to the Windows XP box and then start to mess around with various controllers across the hospital.”
What are the Differences Between OT Cybersecurity and IT Cybersecurity?
Patching – which is cybersecurity 101 in IT systems – is difficult and often impossible in OT systems, many of which use PLCs intended to never be taken offline or altered once integrated into the system. Attempting to patch an OT system is more likely to break it than fix it.
Cultural barriers can make working on OT systems difficult for CISOs, in Stanley's experience. OT is the realm of engineers who often have a poor opinion of those who work in IT, seeing them as interferers who get in the way of them doing what they want to do. Expect pushback against any work that risks shutting down operations unless there are significant safety concerns.
Another difference is simply the age of the equipment in OT systems. Trying to implement firewalls across systems that feature decades-old technology is entirely unlike the comparatively simple or at least well-supported process of securing up-to-date computers.
This aging technology and lack of processing power also pose challenges for asset discovery during risk assessments. An active network scan of the kind routinely used in IT (port sweeps, service and version probes) can crash the fragile network stacks of PLCs and other controllers, turning a routine inventory into a denial-of-service attack. Passive discovery, listening to traffic from a mirror or SPAN port without sending a single probe, is the usual alternative.
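As an added illustration of passive discovery (this is example code written for this article, not something from Jacobs or from Stanley), the script below inventories Modbus/TCP devices from frames that were already captured on the wire. It never transmits anything, so a controller that would fall over when probed is never touched. The capture format (tuples of source, destination, port and payload) and the sample frames are constructed for the example; the Modbus/TCP header layout and function codes are the standard ones.

```python
"""Passive OT asset inventory from captured Modbus/TCP requests.

Reads frames that were already on the wire (e.g. from a SPAN/mirror port)
instead of probing, so fragile PLC network stacks are never touched.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
# Standard Modbus function codes; writes change controller state, so they
# are counted separately in the inventory.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
FUNCTION_NAMES = {**READ_FUNCTIONS, **WRITE_FUNCTIONS}


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP frame: 7-byte MBAP header, then the PDU.

    Returns (unit_id, function_code), or None if the bytes are not a
    well-formed Modbus/TCP frame (wrong protocol id or length field).
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0; length counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def build_inventory(frames):
    """frames: iterable of (src_ip, src_port, dst_ip, dst_port, payload).

    Only requests addressed to TCP/502 are used, so a target is recorded even
    if its replies were not captured, and every polling host is recorded as
    a client of that target.
    """
    inventory = defaultdict(lambda: {"units": set(), "functions": set(),
                                     "clients": set(), "writes": 0})
    for src, _sport, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit, function = parsed
        entry = inventory[dst]
        entry["units"].add(unit)
        entry["functions"].add(function)
        entry["clients"].add(src)
        if function in WRITE_FUNCTIONS:
            entry["writes"] += 1
    return dict(inventory)


def modbus_request(tid, unit, function, pdu_body):
    """Build a Modbus/TCP request frame (used only to construct sample data)."""
    pdu = bytes([function]) + pdu_body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture (not real traffic): an HMI at 10.10.1.5 polling
# two PLCs, one write from a workstation that should not be talking Modbus,
# one response frame and one non-Modbus frame that must be ignored.
SAMPLE_FRAMES = [
    ("10.10.1.5", 50001, "10.10.1.20", 502, modbus_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.10.1.5", 50002, "10.10.1.21", 502, modbus_request(2, 1, 1, struct.pack(">HH", 0, 8))),
    ("10.10.1.5", 50003, "10.10.1.21", 502, modbus_request(3, 2, 4, struct.pack(">HH", 0, 4))),
    ("10.10.1.20", 502, "10.10.1.5", 50001, b"\x00\x01\x00\x00\x00\x17\x01\x03\x14" + b"\x00" * 20),
    ("192.168.50.77", 44123, "10.10.1.20", 502, modbus_request(9, 1, 6, struct.pack(">HH", 40, 999))),
    ("10.10.1.5", 50004, "10.10.1.20", 502, b"GET / HTTP/1.0\r\n"),
]


def report(inventory):
    """Render the inventory as one line per Modbus server."""
    lines = []
    for host in sorted(inventory):
        e = inventory[host]
        funcs = ", ".join(f"{f}:{FUNCTION_NAMES.get(f, 'other')}" for f in sorted(e["functions"]))
        lines.append(f"{host} units={sorted(e['units'])} clients={sorted(e['clients'])} "
                     f"writes={e['writes']} functions=[{funcs}]")
    return lines


if __name__ == "__main__":
    for line in report(build_inventory(SAMPLE_FRAMES)):
        print(line)
```

The write from 192.168.50.77 is the kind of finding this exercise exists for: a host outside the HMI's subnet issuing Write Single Register to a PLC is either an undocumented engineering workstation or an intruder, and a passive inventory surfaces it without risking the controller.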
Because OT systems operate physical equipment and devices, there is inevitably a more physical component to the work. CISOs working on OT systems must collaborate closely with engineers and operators to find solutions that mitigate risk while causing minimal disruption.
What Can CISOs Do To Improve the State of OT Security?
Stanley urges all CISOs to perform a risk assessment of any OT systems on sites that they work on, even if they have been reassured that these are air-gapped from the rest of the network. Vulnerabilities often hide in plain sight for years because of the simple assumption that OT and IT are separated when they are not.
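One concrete way to test the "we are air-gapped" claim during that risk review is to take flow records from the site's firewalls or a mirror port and check every flow against the zones the design says exist. The script below is an added example written for this article (not Jacobs' tooling); the three-zone map, the flow record format and the sample flows are all assumptions constructed to show the check. It flags any flow that crosses directly between the enterprise and control zones, or leaves the control zone for an address the design does not know about, instead of passing through the DMZ.

```python
"""Audit flow records against a Purdue-style zone map to find IT-to-OT paths
that the site believes do not exist."""
import ipaddress

# Hypothetical zone map for one site (an assumption for this example).
ZONES = {
    "enterprise": [ipaddress.ip_network("10.0.0.0/16")],    # Purdue levels 4-5
    "dmz":        [ipaddress.ip_network("10.200.0.0/24")],  # level 3.5: historians, jump hosts
    "control":    [ipaddress.ip_network("10.10.0.0/16")],   # levels 0-3: HMIs, PLCs, BMS
}
# The only cross-zone traffic the design permits: everything else between
# zones goes via the DMZ or does not happen at all.
ALLOWED_CROSSINGS = {
    ("enterprise", "dmz"), ("dmz", "enterprise"),
    ("dmz", "control"), ("control", "dmz"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the map is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Constructed record format: src_ip,dst_ip,dst_port,proto,packets."""
    src, dst, dport, proto, packets = line.strip().split(",")
    return {"src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "packets": int(packets)}


def audit(lines):
    """Return one finding per flow that violates the zone design."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone == dst_zone or (src_zone, dst_zone) in ALLOWED_CROSSINGS:
            continue
        # Anything touching the control zone directly is the serious case.
        severity = "high" if "control" in (src_zone, dst_zone) else "medium"
        findings.append({**flow, "src_zone": src_zone,
                         "dst_zone": dst_zone, "severity": severity})
    return findings


# Constructed sample flows (not real data). The first two follow the design;
# the third is the factory boss's desktop polling a PLC directly, the fourth is
# an HMI reaching a file share in the office network, and the fifth is a
# controller-zone host resolving DNS on the public internet.
SAMPLE_FLOWS = """\
# src_ip,dst_ip,dst_port,proto,packets
10.0.5.12,10.200.0.10,443,tcp,120
10.200.0.10,10.10.1.20,502,tcp,4000
10.0.5.12,10.10.1.20,502,tcp,6
10.10.1.5,10.0.9.3,445,tcp,30
10.10.1.9,8.8.8.8,53,udp,2
10.10.1.5,10.10.1.20,502,tcp,9000
10.0.5.12,10.0.7.7,3389,tcp,50
""".splitlines()


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['src']} ({f['src_zone']}) -> "
              f"{f['dst']}:{f['dport']}/{f['proto']} ({f['dst_zone']})")
```

Run against a day of real flow data, an empty result is the evidence a CISO can take to the board; a non-empty one is the list of undocumented conduits that the Purdue design assumed away.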
“If you do a very quick risk review and find it doesn’t apply to you: fine. At least you can say to the board that you’ve looked at the issue,” Stanley says. “So when the directors come in on Monday morning, having read an article in the Sunday Times about ‘Industry 4.0’, you can say that you’ve taken initiative and identified that there is little risk.”
There is also a significant hearts and minds component to the job, Stanley finds. As mentioned above, the engineers and operators who work with OT systems can take some convincing that their PLCs and how they are set up needs a change. Emphasize safety, use real-world examples of OT cyber attacks and take a collaborative, team-building approach.
Generally, the world of OT security needs to be dragged up to the level of security sophistication seen in IT. A converged approach to OT, IT and physical security is gaining traction and both local and international regulators are starting to put pressure on OT systems to be more secure.
But don’t wait for an attack to take place or for regulators to force you into action, Stanley warns:
“I hate it when organizations are driven by incidents or regulatory mechanisms, because that’s not the point. The point is it’s all about risk and there should be a mature outlook in the business to say, what is the risk of our OT systems? And how can we manage that within the context of the business?”