Securing IT vs OT networks: Prioritising Digital Safety
When considering cyber security risk, it is important to consider the motivations of different attackers and the associated risk with the system. Historically, media attention would make it appear that most cyber security incidents involve data breaches with IT. But, we have now begun to see a shift in focus towards OT (operational technology) systems that lack appropriate security measures. OT systems are characterised by their ability to influence the physical world and are therefore targeted by attackers that aim to cause disruption.
The world of IT cyber security has steadily adapted to the technological challenges of securing an IT network, maturing their security practises to tackle their risk exposure. Managing security and risk in the OT environment isn’t as easy as transferring over those IT security practices onto the OT system. They require very robust levels of cyber security and resilience. Knowing the differences in requirements, performance values and challenges, is the first step in preparing a cyber security strategy for the industries that rely on OT.
Understanding OT, and their value in our society
Operational technology (OT) encompasses many aspects of our world. The OT environment houses the systems to manage, monitor and control industrial operations, their physical devices and processes they use. Where would life be without facilities and sectors such as power stations, manufacturing plants, emergency services, and our favourite; the rail industry. OT technology makes all of these happen, and is part of our lives in both obvious and hidden ways.
Unlike within IT, the systems within OT operations had not previously been networked. The OT environment consisted of mechanical physical devices, and those with digital controls used closed, proprietary protocols. Therefore OT cyber security was not necessary because the OT systems were not connected, but digital innovation has required these OT network components such as Industrial Control Systems (ICS); and Supervisory Control and Data Acquisition (SCADA), to be connected to an IT network.
With a OT-IT integration, the data collected by the historically air gapped physical/mechanical system is now communicating not just via an IT network, but also to the internet as well, which has exposed the systems to new outside threats. This has created a new challenge, as those OT systems were designed with the assumption that they were a closed network, and thus not exposed to cyber-attacks.
Creating a new security model, built around digital safety.
When we think of cyber security within IT, we focus on the key, data-centric, requirements of confidentiality, integrity, and availability (also known as the CIA Triad). As an example, if we consider the handling of digital payments, or in rail’s case; a ticketing system. The security requirements within that process must ensure payment details, along with personal data transmitted are held with confidence. A cyber incident in this case would be a breach of the data within that transaction, that could be used by the attackers to make fraudulent payments, commit identity theft etc. This is entirely a digital exercise and centres around maintaining confidential data.
The mistake is to look at OT cyber security the same way, with a misunderstanding that standard IT security measures can be trivially adapted and applied to OT systems. While both IT and OT cyber security are concerned with integrity, reliability, or availability; the key differentiation within OT security is the essential requirement for safety.
So, in the same way that we previously considered the IT security requirements a digital payment transaction, now let’s consider the security requirement of the transport sector, in particular the OT systems within the nation’s rail fleets that keep the country’s economy moving. Confidentiality of data on OT systems is rarely a priority at all. Knowing the speed that a train is travelling, is not information that needs to be confidential. But, ensuring that the systems which control the train’s speed cannot be accessed; is of vital concern.
When preparing a cyber security programme within the rail industry, it is essential to first consider the risks. Is the system safety critical? And what are the worst-case scenarios for a cyber incident that affects that system; not just in terms of financial cost or disruption to operations, but also its impact on safety. A safe system also does not necessarily mean a secure system; in the railway, a stopped train is generally considered to be safe, but from a cyber security perspective, forcing a train to stop could be a denial of service attack.
For this reason a cyber security strategy for the OT systems within rail should be given special consideration, with any security solution therefore being flexible enough to adapt to each unique system; treating them as an individual.
OT is less concerned with data and more concerned with physical processes. In OT systems, any disruption can have significant revenue impact, so they are specifically designed to run continuously for years. A malfunction, or deviation from normal behaviour, can be costly not only in lost services or damaged physical systems, but also in terms of the safety of their staff and customers.
Setting a strategy for the challenges of OT and the rail industry
There are four key factors when considering a solution for OT security:
OT technology has a longer lifespan than IT.
Legacy systems exist that have been in place on a train for 20-25 years, and many new systems are designed for the same life span. Compare that to the IT environment where equipment may not last more than five years.
It is important to ask the question: “Will the cyber security strategy will remain effective for the life of the system?”
OT systems are in operation 24/7 and 365 days of the year
In IT security, maintenance windows can be frequent, and systems can be updated regularly with very little downtime. However, the 24/7 operating hours across OT leaves almost no window for maintenance and patching. Any changes to a system that is critical to operations can also be seen as a potential risk, so typically patches are never completed, even when security risks remain unpatched.
OT risk management must include cyber security risk, and digital safety.
Safety and integrity are important risk considerations within the rail industry, but cyber security risk, and its effect on digital safety, are often overlooked. Within the modern digital fleets, an OT cyber security strategy must align itself with new regulations and standards for OT technology operating with critical infrastructure.
OT cyber security incidents have a large impact
Cyber incidents, whether intentional or accidental, that affect OT can be considered to be high-impact but low-frequency. They do not happen as often as cyber security incidents (primarily breaches) within IT, but when they do the consequences can be considerable.
By exploring the difference between the requirements and priorities of IT and OT systems, we can better understand why IT security testing methodologies, strategies and solutions cannot simply be adapted and applied when securing OT systems. This misunderstanding, of placing all systems and networks under one cyber security umbrella is simply due to a lack of understanding of OT throughout the cyber security industry, despite a regulatory drive to increase the security of such systems within our critical infrastructure. The cyber security industry, in cooperation with sectors utilising OT technology, including rail, must move past the view that OT is just an extension of IT, and begin building cyber security programmes that cover the unique challenges of OT cyber security.
