Any company that wants to maintain a competitive edge in today’s global economy needs to work faster, cheaper, longer, and more precisely than ever before.
In the wake of a pandemic that kept employees out of the office for over a year, the workforce has evolved dramatically: from one that previously relied primarily on remote access to information (emails, file servers, collaboration tools) to one that now expects remote access to everything.
To find a solution, leaders are turning to the same thing they have turned to in order to solve almost all of their problems for the past 20 years: the internet.
Networks have long been the tool of those interested in sharing information.
The profession that grew around that concept, Information Technology (IT), has come to focus on maintaining control over information based on three overarching concepts: Confidentiality, Integrity, and Availability.
This “CIA triad” forms the foundation for any decision made in the IT space, with every decision having an impact on the relationship or trade-offs between its constituent parts.
An increase in availability tends to come with a sacrifice in confidentiality; a focus on integrity may slow down the flow of information, leading to less immediate availability.
At the end of the day, though, the evaluation of the right balance for IT has always come down to a single goal: leverage information to increase business.
Today, advances in Internet of Things (IoT) technologies, such as miniaturization of computing power, the reliability of mobile networks, and the growth of distributed network architecture, have made it possible to expand the utility of networks from one focused on the distribution of information to one also capable of controlling physical systems in a variety of environments.
While this has always been possible to a lesser degree, only recently have these Operational Technologies (OT) come to affect people's lives every day.
Power infrastructure that was connected only to internal systems is now accessible to remote engineers. Manufacturing lines are connected to the company VPN. Even the cars and trucks on the road are now driven using networked sensors that collaborate internally and with remote servers riding the same network as your favorite streaming service.
The conversation about OT security to this point has been very similar to those about IT security.
Topics such as limiting the attack surface, using strong passwords and multiple authentication factors, and segmenting essential parts of the network into their own enclave are as important now as they have ever been.
Functionally, the concepts that protect an information network and those that protect an operations network are exactly the same: limit access to the network to the people who need it and keep everyone else out.
That said, anyone who has kept up with data breach news over the past decade knows that perfect network security is a dream – not a reality.
What makes the defense of an OT network different from that of an IT network if the steps to secure and maintain it are mostly the same?
The answer: Consequence of failure. Put another way, IT and OT network security looks very similar before a breach but vastly different in the aftermath.
The characteristics of these consequences can be broken down by scale, scope, longevity, and cost.
In terms of scale, the physical manifestation of an attack on OT might be smaller than the perceived scale of an attack on IT.
That is to say, a data breach for a company the size of Microsoft or Facebook will impact users across the entire world and number in the millions or even billions of users. On the operational side, an attack on a manufacturing plant or water treatment facility is likely to only directly affect the people of that specific town or region.
This makes the risk lower in terms of people impacted and more manageable by those responsible. When your risk is localized, the steps to reduce that risk can be tailored to more specific actions. This reduction in scale is, however, the only advantage that OT has.
An attack on OT is limited in scope only by the systems that are connected to the network, as opposed to IT, where the negative effects are generally capped at the compromised data itself.
Additionally, the very real and physical nature of OT means that second- and third-order systems are potentially vulnerable to cascading impacts and failures from the initial compromise. When an IT network is breached, recovery rests on the shoulders of the network engineers, and when their job is done, the organization moves on.
When an OT network breach results in damage to processes or machines, fixing the problem may require a diverse range of professionals in industries such as healthcare, environmental science, public safety, and others.
The lasting effects of an attack are another significant difference in the response for OT managers.
Because the scope is broader, the recovery will also take longer. An extended interruption to the water supply may impact hospitals, grocery stores, manufacturing, and tourism for weeks or months. When the OT network comes back online, is the job of those responsible for the initial compromise done?
For IT, when data is leaked, there is no expectation that network engineers find it and put it back, mainly because there is no way to do that anyway. But when an OT system fails, restoring the status quo in the physical world is non-negotiable.
Finally, the cost of an attack is bound to be a major consideration in the risk assessment of OT networks.
When a system goes offline in the physical world, the financial ramifications of downtime can be described in both measurable and abstract terms. Measurable factors may be loss in production or damage to infrastructure, while more abstract costs usually involve reputation or, most importantly, loss of life.
IT engineers typically deal with losses to reputation and, in some cases, equipment, but rarely are the stakes of a data breach as high as an attack on OT infrastructure.
A Shift In Thought
To manage these differences, network defenders need a shift in mindset: from solely keeping attackers out to also kicking attackers out and recovering quickly.
Those in charge of managing risk must decide what risks can be accepted and what attacks must be rendered impossible based on more than the CIA triad of traditional IT networks. Confidentiality, Integrity, and Availability may need to be augmented by a fourth corner of Safety, and guidelines need to be put in place to define and enforce minimum safety standards.
When failures occur, responsible parties must understand their role from the first detection of a breach through the final reconstruction efforts.
When IT fails to defend information, the response usually takes the form of a fine, maybe a class-action lawsuit, and a hat-in-hand email about how seriously the data steward considers their responsibility for protecting information.
What happens when OT fails to defend its infrastructure? There is no template that can cover the full spectrum of outcomes, no email that can express the regret of a regional disaster, and no plan that will reduce the threat of attack to zero.
Only planning, practice, and a realistic look at the consequences of failure can prepare OT to survive the risks that accompany the convenience of networked systems.