By Martin Schlatter, CIO and Regional CEO, APAC, NTT Security
Digital transformation isn’t new in Information Technology (IT) but it’s gaining momentum in Operational Technology (OT) – and fast. Thanks to the internet, devices that are not traditionally classified as IT are now being connected. Factory production lines, critical infrastructure utilities like power plants, medical equipment, vehicles, cameras and physical doors are all being Internet Protocol (IP) enabled and connected.
IP connectivity enables real-time monitoring, facilitates automation and provides centralized control.
A connected OT network enables advanced data analytics, which encourages organizations to extract actionable intelligence from these devices. Digital transformation, however, comes with inherent risks.
What do we mean by OT?
OT is mainly associated with the critical infrastructure sector, which includes electricity, water, gas and other infrastructure providers. It combines real-time applications, IT infrastructure and supervisory control and data acquisition (SCADA) devices that enable the control and monitoring of a large-scale industrial network. In practice, OT also includes more than just the utility sector – it can be found in buildings, hospitals, shopping malls, ships, trains, ports, airports, manufacturing plants, and mines, to name a few.
Each of the above industries has various levels of OT systems installed, ranging in asset value from hundreds of thousands to hundreds of millions of dollars. These OT systems also contain large numbers of OT equipment, ranging from hundreds to thousands of individual devices. OT devices are used to control and monitor automated environments such as beverage bottling plants, electricity grids, shipping container terminals or Heating, Ventilation and Air Conditioning (HVAC) systems that provide finite temperature control for pharmaceutical production. OT systems generally have a lifespan of 15 to 30 years. These systems have typically been insecure by design, are costly to replace and take a long time to upgrade.
Cybersecurity is a major issue affecting OT systems. According to NTT Security’s 2018 Global Threat Intelligence Report (GTIR), the manufacturing industry is now the fourth most targeted sector by cyber-attacks. There is a range of threats too. A portable 4G modem, for example, can easily be installed into a manufacturing network by any number of people working in the environment; this can introduce unrestricted access into the OT network. In addition, connecting a laptop or USB stick to the OT network, which is not uncommon, can introduce malware specifically designed to infect OT systems.
OT threats are real and are happening now
In August 2018, one of the world’s largest chipmakers was shut down for three days after the WannaCry outbreak. This resulted in revenue loss estimated to be about $170 million. This shutdown was made more significant because the factory used advanced manufacturing systems that required connectivity to external networks. Given WannaCry struck in mid-2017, this also indicates there is still a lot to be done to ensure OT networks are resilient to cyber-attacks. There are numerous accounts of successful breaches through cyber-attacks on state-based power plants, shipping companies, logistics systems and pharmaceutical production facilities that have caused significant downtime and damages exceeding USD $100 million.
Other industries are vulnerable too. For the healthcare sector, connected medical devices (known as Internet of Medical Things or IoMT) offer the potential to improve patient care, while driving down operating costs. But, as healthcare increasingly relies on remote monitoring, the availability of IoMT devices is critical, and a loss of availability can be life-threatening in some cases. A number of IoMT devices still use legacy operating systems which contain vulnerabilities that can easily be exploited. These vulnerabilities often cannot be patched, as these changes may invalidate the device safety certification. Even something as trivial as posting a picture of a birthday celebration in hospital may expose sensitive patient data, while WiFi used by medical equipment can be hacked if not properly secured. Patients and clinicians will therefore need support from information security advisors to give them confidence that appropriate data protection and governance controls are in place, while avoiding protocols that unnecessarily limit the beneficial use of new information.
Ransomware’s effect on the UK’s National Health Service and multiple US-based healthcare organizations is well documented. The effects of these cyber-attacks ranged from loss of patient data to temporary facility shutdowns, causing patients in some cases to be turned away from medical facilities. Globally, healthcare is the third most affected industry sector by ransomware attacks, according to the NTT Security 2018 Global Threat Intelligence Report.
In October 2016, the Mirai malware created botnets on IoT devices which were then used to launch distributed denial of service (DDoS) attacks that disrupted all global internet traffic. This was the start of the first major attack against IoT devices. IoT devices are pervasive across the internet and are often inherently insecure due to their use of default and/or weak usernames and passwords. In a number of cases these username and password combinations are not even configurable. IoT devices are designed to connect easily to existing IT networks, but this has allowed IoT to bypass existing IT security controls, such as change control and traditional firewalls. As a result, IT administrators face numerous security challenges maintaining their security posture.
Across the globe, we are seeing a few remediation trends. Organizations have started to follow guidelines from ENISA and NIST when implementing connected devices. These guidelines were developed in consultation with industry experts, vendors and government bodies. Many have also started to engage with OT teams, biomedical technicians, and facilities teams to understand devices connected to the network. They are finding a common ground, discovering connected devices, and formulating a strategy to address basic but critical cybersecurity needs.
It’s evident that IT and OT functions within organizations need to work together to ensure security controls are applied against all connected infrastructure elements and that governance of cybersecurity extends to OT and IoT environments where these are used.