The blurring of the line between Information Technology (IT) and Operational Technology (OT) has improved capability and efficiencies in the transportation, food manufacturing, healthcare, utilities, and logistics industries. The convergence of IT and OT helps businesses understand operations and optimize processes, but it also creates a unique opportunity for bad actors to launch cyberattacks.
There is no question that OT vulnerabilities are being targeted, and a successful attack would create real-world consequences for humans. Gartner Senior Research Director Wam Voster was recently quoted as saying, “In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft.”
Traditionally, OT represented physical devices, such as industrial control systems, fire control systems and physical access control systems. These OT devices were isolated from the interconnected IT systems used for applications, storage, or data transmission. To compromise OT systems, a bad actor would have to compromise an employee or gain physical access, a nearly impossible task for a foreign actor and a risky proposition for anyone else.
As industries rely more on connected OT devices to incorporate efficiencies and visibility into operations, there is an increased risk of cyberattacks. Unfortunately, there is little standardization of security controls in the OT environment.
The complex converged IT/OT environments are often implemented and then neglected. Stringent uptime requirements mean that vulnerabilities are rarely patched, creating ample opportunities for compromise.
A scenario where bad actors launch attacks targeting medical devices, industrial control systems, and Internet of Things (IoT) devices in industrial environments is a real possibility. Their objective goes beyond exfiltrating data; they want to disrupt daily lives and incite panic. The weaponization of OT via cyberattacks will allow real-world attacks that would cause food supply disruption, fuel shortages, water supply infiltration, transportation confusion, and power grid failure.
The result would be disastrous and potentially fatal. The costs of such attacks, beyond the human toll, would reach well into the billions of dollars. Litigation, employee compensation, insurance and a negative reputation will create significant challenges for various industries.
Organizations need to develop security frameworks that clearly define roles and responsibilities, asset identification/management, access, risk management, and incident response. It is imperative that organizations address these security deficiencies sooner rather than later. Mitigating risks by implementing proper security controls and preparing to recover from the inevitable attack is critical. The time to act is now, before it is too late.