More Emphasis Needed on OT Security to Quash Cyberattacks

Daniel Megias/istockphoto.com

 

Connecting state and local government leaders

COMMENTARY | Utilities should take the same track as data centers because not much is going to stop the attacks from scaling.

Way back in 2015, I interviewed several officials working at utility companies for a column I was working on for Nextgov about why we had not at the time experienced a major attack against our critical infrastructure. There were several reasons why our nation was so protected from an attack against the power grid, the water system, natural gas pipelines, transportation control networks or any other system that is considered a part of the country’s critical infrastructure. The biggest reason was because operational technology, which among other things can help to control objects like valves and pipes in the physical world, were largely both proprietary and unnetworked.

Back in 2015, attackers needed to breach a facility like a power plant through their IT network and then try and find some connection into the OT network if they hoped to influence the physical world. And even if they were able to locate one of those rare places where IT and OT meet, they would also need to be skilled in whatever proprietary system they were targeting in the OT network.

A lot has changed since then. With many of the older workers who knew how to turn wrenches and manipulate much of the aging physical infrastructure now retiring, utilities had little choice but to increasingly network their OT functions. The advantage of doing that for critical infrastructure providers is twofold. First, it lets them easily monitor and manipulate the OT network remotely. And secondly, it allows the IT staff to take over many of the functions formerly performed by all those retiring workers. And while all that was taking place, OT manufacturers were busy streamlining their products to the point where the interface of many OT technologies gradually became little different than IT devices.

All of that is an inevitable shift in moving critical infrastructure forward, but it comes with risks. Opening up the OT network to the IT staff and remote management also potentially exposes it up to attackers.

Just last week, the Cybersecurity and Infrastructure Security Agency issued a warning about ongoing attacks being made against water treatment plants. The alert pointed out several previously undisclosed attacks made against treatment plants around the country. While most of the attacks cited in the alert involved ransomware, there have also been more serious threats launched against critical infrastructure that probably would not have been possible back in 2015.

But today, it’s a different world. Department of Homeland Security Secretary Alejandro Mayorkas reiterated that point during an interview with the USA Today newspaper last week, citing an incident where hackers tried to release poison into the water supply of Oldsmar, Florida. 

Attackers infiltrated the OT network of a water treatment plant and attempted to change the levels of sodium hydroxide being added into processed drinking water. At low levels, sodium hydroxide can remove heavy metals from the water supply. At high levels, it can be fatal, causing severe chemical burns to anyone who drinks it or even comes in contact with contaminated water. Thankfully, in the Florida case, the extra chemicals were detected and no poisoned water reached the public.

The Gartner cybersecurity firm wrote in their blog that incidents like the Florida water treatment plant attack should be a wakeup call for better OT security. Sadly, the firm also predicts that without serious change, we are likely to see injuries or even fatalities stemming from this kind of an attack by 2025.

“The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” the Gartner blog states. “The world has seen real incidents where events originating in the digital world had an impact on the physical world.”

And it’s not just utilities that should be worried. Many of the world’s largest data centers are packed with both IT and OT devices. They could not run without air conditioning, electricity and other physical infrastructure, much of which runs as part of an OT network.

Honeywell studied this issue as part of a report entitled “Rethinking Data Centers as Resilient, Sustainable Facilities.” To gather data for the report, researchers surveyed facility managers across the data center sector in the United States, China, Germany and Saudi Arabia. When asked about their biggest fears, those managers cited OT cybersecurity as their third most pressing concern, with 72% saying it was a serious issue at their data centers.

“It is crucial to reduce unscheduled downtime in data centers as much as possible,” said Manish Sharma, vice president and chief technology product officer of Honeywell Building Technologies. “Giving data center operators better insight and control of their building and OT systems—and treating them with the same importance as the critical IT systems can help to better identify efficiencies, reduce potential outages and optimize security, fire and safety procedures.”

Utility operators should take the same track that data center managers have been following and will begin to put more emphasis on OT cybersecurity. Back in 2015, the threat to critical infrastructure was minimal, almost nonexistent. Today, successful OT attacks are already happening. And without rapid changes in the way OT cybersecurity is prioritized and handled, there is little stopping those attacks from escalating. It’s a race against time at this point, and the attackers seem to be at least a couple of steps ahead of the OT security meant to constrain them. 

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.