Why using IT cybersecurity to protect OT puts industrial organizations at risk
- Rising cyberattacks on operational technology (OT) systems endanger critical infrastructure, impacting energy, water and manufacturing globally.
- CEOs must distinguish between IT and OT cybersecurity to protect data and industrial operations effectively.
- Tailored OT cybersecurity controls – such as ICS response plans and defensible architectures – can safeguard critical systems and ensure operational continuity.
The C-suite and boards of industrial organizations are increasingly cyber aware, asking for assurance their companies can withstand an era of rising cyber threats by state actors, hacktivists and criminal groups.
Recent incidents include a slew of cyberattacks against programmable logic controllers used by water facilities, chemical plants and manufacturers that deal with fluids. The espionage threat posed by Volt Typhoon continues to hang over energy, water, transportation and communications infrastructure.
The recently discovered FrostyGoop malware not only disrupted heating for more than 600 residential buildings in Ukraine but also targets technology used by more than 46,000 internet-enabled industrial control system (ICS) devices worldwide. Organizations are also on alert for PIPEDREAM, the first ICS malware with the ability to scale attacks across systems and sectors.
Industrial CEOs and board members are often presented with metrics generated by information technology (IT) security tools and cybersecurity budget allocations to demonstrate their company’s commitment.
Unfortunately, this approach gives a false sense of security. The operational technology (OT) that runs the revenue-producing side of the business remains exposed because IT cybersecurity cannot adequately protect it.
By understanding the difference between IT and OT and the effective cybersecurity controls in these environments, CEOs and board members can make more informed decisions and better hold their teams accountable.
Here is a primer that demystifies the concepts and helps strengthen the organizational approach to cybersecurity and resilience.
Protecting the operational systems that support our way of life
OT powers modern industrial systems and critical infrastructure, significantly impacting many aspects of our lives. As of 2022, critical infrastructure provided electricity to 91% of the world’s population (7.2 billion people) and clean drinking water to 74% (5.9 billion people).
Oil and gas are essential for transportation, manufacturing and power generation globally. According to the World Bank's World Development Indicators for 2023, manufacturing contributes more than 15% to the global gross domestic product, employs 15-20% of the global workforce and affects virtually every person on the planet through the goods and services produced.
When OT systems are disrupted, we have outages, shortages, safety hazards, halted production and financial loss. A cyberattack on a water system can make drinking water unsafe or unavailable.
Attacks on energy infrastructure can cause power outages and economic disruption. Cyber threats to food processing plants, chip manufacturers and pharmaceutical companies result in shortages, quality lapses, threats to health and life, breaks in global supply chains and damage to corporate reputation and business viability.
Executives are right to ask their chief information security officers whether their enterprise is protected, but they need to dig deeper. Here’s why: enterprise cybersecurity investments are typically allocated to protecting data and information systems but not the industrial processes that operate on a massive scale and have unique systems with exacting requirements for availability.
These OT systems are increasingly connected through digital transformation initiatives but often include vulnerable technologies that weren’t designed with cybersecurity in mind.
Implementing the right cybersecurity
IT cybersecurity aims to protect information and prevent unauthorized access. IT focuses on managing and processing data to ensure information availability, confidentiality, and integrity. IT devices are typically off-the-shelf, have shorter lifespans and are easier to replace and maintain.
OT cybersecurity, however, protects the systems that ensure the safe and efficient operation of industrial environments. OT monitors and controls physical processes and equipment, interacting with machinery and physical infrastructure.
Devices used in OT are often purpose-built, have long lifespans and require specialized maintenance. Security priorities for OT have traditionally emphasized safety, reliability and real-time performance, focusing on protecting physical processes and equipment.
Businesses must use cybersecurity specific to industrial environments to protect OT systems. Because navigating the vast range of guidance can be challenging, the SANS Institute formulated the “five critical controls” for OT Cybersecurity to help organizations prioritize the controls that matter most and build an effective cybersecurity journey.
The controls include:
- Developing an ICS incident response plan in preparation for an attack.
- Building a defensible architecture.
- Gaining ICS network visibility and monitoring.
- Using secure remote access.
- Conducting risk-based vulnerability management that prioritizes and mitigates vulnerabilities appropriate for industrial, high-availability environments.
According to the World Economic Forum’s recently published white paper, Unpacking Cyber Resilience, “organizations must prioritize cyber resilience as a strategic leadership issue, enabling them to protect core business objectives and promote long-term growth.”
That leads to positive news for industrial business leaders who set organizations on the right path toward OT cybersecurity. Their cyber resilience immediately increases.
While a newer discipline than IT cybersecurity in terms of established practices and widespread adoption, OT cybersecurity has inherently evolved with an emphasis on continuity and recovery of operations.
It has always had to account for the unique challenges and high stakes associated with keeping critical infrastructure safe and functioning. Thus, OT cybersecurity incorporates strategies that protect against cyber threats and ensure that systems can withstand and quickly recover from incidents.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.