The need for operational technology (OT) security is set to surge, with analyst firm Gartner predicting that by 2025 cyber attackers will have weaponised OT environments to successfully harm or kill humans.
On the face of it, Gartner’s prediction seems somewhat unnecessarily alarmist, but there have been plenty of examples over the past few years that have demonstrated the control cyber criminals can wield over internet-connected industrial equipment, in particular critical infrastructure.
As recently as May 7, a pipeline system carrying almost half the fuel used on the east coast of the United States was crippled by a major cyber attack.
The five-day shutdown of the Colonial Pipeline resulted in widespread fuel shortages and panic-buying as Virginia, North Carolina and Florida declared a state of emergency.
As noted by sister publication CSO US, a lack of visibility into the security status of its operational technology systems is likely what caused Colonial to shut down its operations.
Not shying away from Gartner’s seemingly dramatic claim, Rob McMillan, managing vice president at the analyst firm, suggests that the OT landscape is something akin to what might be found in the fictional wasteland of the Mad Max film franchise.
“This realm, which can have (and has had) real life or death implications, is the very definition of the Badlands,” said McMillan. “There’s no standardisation or tradition of consistent security controls in OT environments, melded with an archaic design discipline and naïve views of connected technology.”
According to Gartner, security incidents in OT and other cyber-physical systems (CPS) have three main motivations: actual harm; commercial vandalism, such as reduced output; and reputational vandalism – making a manufacturer untrusted or unreliable.
In what some may view as a bold claim, Gartner predicts that the financial impact of cyber-physical systems attacks resulting in fatal casualties will reach over US$50 billion by 2023.
Even without taking the value of human life into account, the analyst firm noted, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.
Gartner also predicts that most CEOs will be personally liable for such incidents.
“In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner. “Inquiries with Gartner clients reveal that organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”
Fortunately, there are a number of ways enterprises can minimise the risks, according to Gartner, and technology vendors and partners are likely to play no small role in how companies can achieve their goals in this area.
Broadly, Gartner recommends that organisations adopt a framework of 10 security controls to improve security posture across their facilities and prevent incidents in the digital world from having an adverse effect in the physical world:
- Define roles and responsibilities
- Ensure appropriate training and awareness
- Implement and test incident response
- Backup, restore and disaster recovery
- Manage portable media
- Have an up-to-date asset inventory
- Establish proper network segregation
- Collect logs and implement real-time detection
- Implement a secure configuration process
- Adopt a formal patching process
Unsurprisingly, demand for OT security offerings appears to be growing in the local region. Just this month, for example, OT security equipment vendor Waterfall Security Solutions said it had put boots on the ground in Singapore in a bid to launch its expansion into the broader Asia Pacific market.
The company claimed the move reflected growing interest for its suite of unidirectional OT security products in the local market.
"Waterfall sees Singapore as a strategically important market and as an established gateway to APAC," said Lior Frenkel, CEO and co-founder of Waterfall Security.
"We look forward to working much more closely with new and existing customers, partners and service providers in the region," he added.