The Top Five Reasons You Should Take Operational Technology Cybersecurity Seriously

How to Protect Critical Infrastructure During This Unprecedented Time

By Matthew Morris, Global Managing Director, 1898 & Co.

The newest trends in political warfare include cyberattacks on infrastructure security with hackers looking to generate massive setbacks in 2022 and beyond. With conflict escalating overseas, there’s been much conversation about what precautions should be taken to protect U.S. businesses from losing everything in an attack perpetrated by bad actors looking to exact chaos, sabotage, extort money, or all of the above.

What’s the answer to such a daunting problem? It’s simple: the proactive inclusion of operational technology security measures for every critical infrastructure related business – refineries, utilities, plants, pipelines, and municipalities. Here are the top five reasons you should take OT cybersecurity seriously.

1. New Trends in Political Warfare

Advanced cyber weaponry has redefined the current political landscape, making it easier for cybercriminals operating within countries like Russia, to cripple entire organizations from overseas. The Russia-Ukraine crisis is already impacting the daily lives of Americans in various ways, including the spiking of gas prices.

But it could get so much worse. Hackers are no longer focused on size or scope, and every organization is at risk. Cyber related sabotage may or may not be reserved for individual businesses. Instead, poorly designed and executed malware or ransomware could affect all aspects of the U.S. including all aspect of our critical infrastructure, e.g. banks, power plants, water treatment facilities and communications. We are entering an entirely new era of war, where weapons leave the physical domain and enter the digital, unseen, and behind-the-scenes attacks that will go unnoticed without the proper protections.

2. The Cybersecurity Labor Shortage is Real

The global cybersecurity talent shortage reached an estimated 3.5 million workers in 2021. Industry experts warned of this dynamic for the past several years; however, the demand for skilled workers continues to outstrip supply. Coupled with a growing threat landscape, asset owners are at risk.

For OT environments, the talent shortage is further impacted by managed services providers that have focused on the IT side of the house. They offer IT cybersecurity services, but they lack an understanding of and the right capabilities for protecting OT. Firms often don’t understand OT environments, how they work, and how to restore them after an attack. They have limited knowledge of industrial control systems and other similar technologies. Many of these managed services vendors also “don’t know what they don’t know,” and tell companies they can help them with IT and OT, despite their knowledge gaps.

These firms need to stop stating they have these capabilities. People will realize it’s a serious industry problem that requires OT specialization and expertise. However, in the current environment, OT cybersecurity experts are hard to find, can be prohibitively expensive, and are difficult to retain. With OT-focused managed security services, critical infrastructure companies can manage their risk better while remaining focused on their core missions.

3. Security Loopholes Are Common

Inherent software vulnerabilities allow for more data flow and connections, which correlates to attacks. This makes the stakes for identifying OT security headaches and diminishing risks extraordinarily high. OT security isn’t just an internal concern, relegated to the halls of individual organizations. It’s a national consideration. In April 2021, the White House unveiled a 100-day cybersecurity effort to protect the nation’s power grid amidst increasing concerns regarding the state of the nation’s cybersecurity vulnerabilities. The effort was followed by an attack on a major oil resource, the Colonial Pipeline, further emphasizing the need for increased provisions. Repercussions of the hack were widespread, as The Colonial Pipeline is one of the largest oil suppliers in the country. The attack forced the corporation to shut down operations, generating supply shortages and higher fuel prices.

4. Limit Long Term Damage with OT

An OT incident could do more than cause an immediate headache and require damage control. The effects could last long-term. An ounce of prevention today will protect against the catastrophic possibilities of being hacked tomorrow.

OT systems are comprised of highly complex technologies, making it even easier for complications to occur and go unnoticed. These attacks could cost organizations millions – even billions – in loss and recovery. Cybersecurity Ventures predicted that cybercrime would cost companies $6 trillion in 2021 and cybercrime costs are expected to grow 15 percent per year reaching $10.5 trillion by 2025. The financial incentive to protect cyber assets is a large one, not to mention the impact an attack could have on the surrounding communities, company employees, and overall revenue.

5. Threats to Human Life Set OT In a Class of Its Own

Approximately 9.2 trillion gallons of water cover 247 square miles leading to the iconic Hoover Dam, enough water to fill the Great Salt Lake in Salt Lake City, Utah – twice. Now, imagine the entirety of the Great Salt Lake flooded over the states of Nevada and Arizona. A cybersecurity attack on the Hoover Dam could do just that and there are similar concerns for many major utility companies that house thousands of gallons of oil and water.

One well-planned attack on a water, oil, or gas company could spell trouble for an entire region of the country, impacting communities, businesses and schools, costing millions—even billions—of dollars in loss and recovery. In a recent study by Gartner, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans by 2025.

There are, however, ways to avoid the consequences of an attack. Recently, 1898 & Co. made a drastic push to keep OT environments safe, partnering with the Idaho National Laboratory, a U.S. Department of Energy national laboratory, to apply the patent-pending consequence-driven, cyber-informed engineering (CCE) discipline to protect the most critical aspects of utilities; oil, gas and chemicals; pipelines; defense industrial base; transportation; ports and maritime; and manufacturing companies. It’s a strategy we recommend to everyone. The key to handling attacks is prevention. With OT integration, we can keep our homeland organizations safe and secure.

About the Author

Matt Morris is a digitalization and cybersecurity executive and author, currently serving as the managing director for 1898 & Co., where he leads a diverse team of ICS cybersecurity practitioners.   His mission is to serve humanity by improving safety, security, and reliability of the world’s critical infrastructure through resiliency, improved situational awareness and preparedness.

An industry luminary, Matt previously spearheaded ICS cybersecurity programs at Cisco, Siemens, and NexDefense.  At Cisco, Matt architected and led the world’s first managed industrial cyber security service, among other major achievements.  Matt has 26 years of strategy and technology leadership.

Matt is a highly sought-after speaker on ICS cybersecurity and an accomplished author.  He has been published in SecurityWeek, USA Today, FoxNews.com, International Business Times, CIO Insights, CIO Review, and many other notable publications.  Matt is a Certified CISO (C|CISO), holds 12 DHS ICS-CERT certifications and a MBA degree from Emory Goizueta Business School. For more information, visit https://1898andco.burnsmcd.com/