
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


An Introduction to Operational Technology and its Security: 5 Key Facts

Posted: 31 January 2018


The industrial revolution of the 18th century was famously driven by a step up in technology. Industries which had traditionally relied on work by hand started to embrace a new future of machine use to dramatically enhance output levels, efficiency and financial return.

The twenty-first century has seen a comparable revolution, particularly in critical national infrastructure industries, where IT has been and is increasingly being used to control, maintain and modify their output. With our reliance on critical infrastructure increasing and its level of IT connectivity growing, the security of those services is imperative to maintain availability.

In this blog, we will introduce Operational Technology (OT) and its security through five key facts:

1) What is operational technology?

Operational technology refers to computing systems used to manage industrial operations such as production line manufacturing, mining operations control, and oil and gas monitoring, to name but a few. As an example, think of your local or national electricity distribution authority. They will have computerised systems which can monitor the demand for electricity and respond to that demand by re-distributing or using contingent supplies.

2) Critical national infrastructure

In the UK, critical national infrastructure is divided into thirteen sectors by the CPNI (Centre for the Protection of National Infrastructure). These sectors are:

  • Chemicals
  • Civil nuclear
  • Communications
  • Defense
  • Emergency services
  • Energy
  • Finance
  • Food
  • Government
  • Health
  • Space
  • Transport
  • Water

3) Operational technology security is difficult to maintain

Operational technology solutions can be highly vulnerable to exploits for a number of reasons. For example, they are often proprietary systems which receive no updates or continued development. In cases where they are built on a commercially available platform or operating system, the software itself usually requires older versions of those platforms due to dependencies, and those older versions are themselves vulnerable. Some operational systems are noted as being as old as ten years with little to no modification or update.

4) Ransomware attacks have targeted operational technology systems

Ransomware and other availability-threatening attacks have huge implications for operational technology systems, as they could render entire solutions unavailable. There have already been notable cases of attacks, such as the ransomware attack on a large-scale Brazilian electricity provider, whereby four terminals were locked out by the CryptoLocker variant.

5) The problem of OT cyber attacks is widely acknowledged

Operational technology system owners and operators have been aware of this problem since the early 1990s. However, with cyber attacks growing in frequency and impact, and with their systems' operational value becoming increasingly important, the risk is starting to outweigh the ability to ignore it.

Conclusion: The Challenging Road Ahead

For operational technology system owners and operators, the desire to update, upgrade and secure is met with significant challenges. The downtime of critical functions and systems in order to upgrade and secure is undesirable and in some cases impossible due to third-party reliance. Take for example the national water supply: cutting off a community's water supply to replace or upgrade an operational technology system may be considered unacceptable.

Whatever the solution, the elephant in the room is becoming harder and harder to ignore. The WannaCry ransomware variant, which wreaked havoc globally in the summer of 2017, was indiscriminate in its targets, including both personal PCs and those used by businesses to control processes and systems. Both Maersk and the UK's NHS are perfect examples of organisations that were interrupted as a result.

More of a shot through the hull, rather than across the bow; yet nevertheless a warning of the shape of things to come.


Chris Payne, Senior Technical Consultant, Infinigate UK