- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
Operational Technology (OT) Is Not Vulnerable
Most of us have a good sense of information technology (IT) because it’s the hardware and software we see and use day to day: our phones, our tablets, our email, etc. This is not the only category of technology, however. Operational technology (OT) is hardware and software that controls industrial equipment, and it’s more ubiquitous and essential than most people realize. For example, OT can open and close valves in a factory or control the elevators in a building. You might have heard references to subsegments of OT—namely Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems.
There are notable differences between IT and OT that impact cybersecurity. A big one is that IT is user-centric and OT is machine-centric. Humans interact directly with their IT devices, such as by sending emails and writing books. OT systems are generally less interactive and more automated because they control things in the physical world, even though they are still programmed and monitored by human operators.
It might seem as if IT and OT are enough alike that the same kinds of vendors would build both, and the same types of skills and teams would operate both. This is increasingly true, but it is a recent change: IT and OT evolved largely independently. Companies such as GE, Honeywell, and Siemens, which might not be familiar names to many IT users, produce OT platforms for power utilities and other needs using proprietary systems. These systems use communications and protocols that are "standard" for OT but different from IT. For instance, a smart meter might measure how much electricity your home uses and report it to your electric company using the Open Smart Grid Protocol (OSGP). Similarly, the water show with more than a thousand fountains at the Bellagio Hotel in Las Vegas is controlled with the Modbus protocol.[67] These special protocols were designed for a wire on which every device was trusted; Modbus, for example, has no notion of authentication, so any host that can reach a device can send it read and write commands. That worked fine until people wanted to access and control their systems over the Internet... with all its many malicious users.
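To make concrete what "designed for a trusted wire" means, here is an added example, not code from the book or from any vendor named above. It builds and parses Modbus/TCP frames (the base protocol carries no credential, signature or session field) and then runs the kind of check a monitor on an OT segment performs: flag every write command whose source is not an allowlisted engineering host. The IP addresses, the allowlist and the sample traffic are constructed for illustration.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (always 0),
# length of everything after the length field, unit id. Big-endian.
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    1: "Read Coils",
    3: "Read Holding Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
# Function codes that change device state (valves, setpoints, outputs).
WRITE_FUNCTIONS = {5, 6, 15, 16}


def build_frame(transaction_id, unit_id, pdu):
    """Wrap a Modbus PDU in an MBAP header. Note what is absent: the base
    Modbus/TCP protocol has no credential, signature or session field, so any
    host that can reach TCP port 502 on the device can send these frames."""
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def write_single_coil(transaction_id, unit_id, address, on):
    """Function 5: set one coil (a digital output) on (0xFF00) or off (0x0000)."""
    return build_frame(transaction_id, unit_id,
                       struct.pack(">BHH", 5, address, 0xFF00 if on else 0x0000))


def read_holding_registers(transaction_id, unit_id, start, count):
    """Function 3: read `count` 16-bit registers starting at `start`."""
    return build_frame(transaction_id, unit_id,
                       struct.pack(">BHH", 3, start, count))


def parse_frame(frame):
    """Decode a Modbus/TCP request. Raises ValueError on malformed frames."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[MBAP.size:]
    function = pdu[0]
    info = {
        "transaction_id": tid,
        "unit_id": unit,
        "function": function,
        "name": FUNCTION_NAMES.get(function, "Unknown"),
        "is_write": function in WRITE_FUNCTIONS,
    }
    # Functions 1, 3, 5 and 6 all carry a 2-byte address plus one 2-byte word.
    if function in (1, 3, 5, 6) and len(pdu) == 5:
        address, word = struct.unpack(">HH", pdu[1:5])
        info["address"] = address
        info["value" if function in (5, 6) else "count"] = word
    return info


def is_well_formed(frame):
    """True if parse_frame accepts the frame, False otherwise."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def audit_writes(packets, allowed_writers):
    """Flag every write request whose source is not an allowlisted engineering
    host. `packets` is an iterable of (source_ip, frame) pairs."""
    alerts = []
    for src, frame in packets:
        info = parse_frame(frame)
        if info["is_write"] and src not in allowed_writers:
            alerts.append(
                f"{src} sent {info['name']} (fc {info['function']}) "
                f"to unit {info['unit_id']} address {info.get('address')}"
            )
    return alerts


# Constructed sample traffic: the HMI at 10.0.1.10 is the only host that
# should issue writes; 10.0.1.77 is an unexpected laptop on the same segment.
ALLOWED_WRITERS = {"10.0.1.10"}
SAMPLE_TRAFFIC = [
    ("10.0.1.10", read_holding_registers(1, 1, 0, 10)),   # routine polling
    ("10.0.1.10", write_single_coil(2, 1, 12, True)),     # expected write
    ("10.0.1.77", read_holding_registers(3, 1, 0, 10)),   # read-only recon
    ("10.0.1.77", write_single_coil(4, 1, 12, False)),    # unauthorized write
]

if __name__ == "__main__":
    for alert in audit_writes(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print("ALERT:", alert)
```

The allowlist is doing all the security work here, which is the point: the protocol itself cannot tell the engineering workstation from the laptop, so the only defenses are the network (segmentation, a firewall that admits port 502 from known hosts only) and a monitor like this one that notices writes from anywhere else.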
Security for OT systems was not originally a priority because the threat models of the time assumed the networks were isolated. OT networks were initially separate from IT networks, and this "air gap" meant that data could not move automatically from one to the other; it was considered strong security. The reality is that there are business reasons for needing to transfer files between the IT and OT networks, such as installing software patches or moving configuration files. When the networks are not connected, one solution is to copy data with USB drives, and that is exactly the path attackers (and security researchers) have used for many years to jump the air gap: infect a machine on the IT network, infect the USB drive plugged into it, and let an operator carry the malware across. Stuxnet spread this way. Researchers have even demonstrated covert channels that use sound or heat to communicate between disconnected machines.[68]
IT and OT are converging, which means both are vulnerable and require cybersecurity. It is a myth that OT systems are isolated or unknown to attackers, and that myth is receding every day.