Oldsmar, a small city in the state of Florida, has a population of about 15,000. It was February 5th, 2021. At the Oldsmar Water Treatment facility, a vigilant employee noticed a spike in the levels of Sodium Hydroxide – or Lye. The levels of Lye were changed to 11,000 ppm from 100 ppm – a 10,000% jump. The hacker managed to infiltrate the critical infrastructure and release excess Lye into the water that serves the entire city. Public Utility systems without an upright security posture as far as Operational Technology is concerned, are vulnerable to such kinds of threats. The threats are real with attackers possessing advanced capabilities increasing at an alarming rate. Fears of security experts have come true, and they only compound with time. 2 in every 5 enterprises revealed that hackers targeted their OT device. Likewise, over 60% of respondents in a survey felt that the volume, complexity, and frequency of threats are likely to increase in the coming future. For an enterprise or an industrial unit, Operational Technology security is of paramount importance. In the case of infrastructure like power grids, it is a matter of national security. What is Operational Technology(OT)? The technology associated with the detection of a change or causes a change using hardware and software is defined as Operation Technology. This change can either be via direct control and/or monitoring of hardware like valves, sensors, I/O devices, switches, PLCs, actuators, switches, etc.), and software (customized and machine-specific). Along with the above-mentioned components, OT systems employ a wide range of control components that act together to achieve an objective. Unlike other information processing systems, any change in an OT network has its effect in the real world. Owing to this, safety and security are of paramount importance in OT systems conflicting with security design and operations frequently. Different types of OT systems: 1. Supervisory Control and Data Acquisition Systems (SCADA) The SCADA systems collect data from many Input-Output devices across a larger geography. Its architecture consists of computers, and networked data communications having a graphical user interface. Commands sent from the command control (using GUI) are executed by PID controllers and PLCs (Programmable Logic Controllers) at the endpoints. Electric Lines, Pipelines, railways, and power transmission often comprise SCADA systems. 2. Distributed Control Systems – DCS The DCS is seen in an environment having many control loops, offering both central supervisory equipment and local control level. It is seen in areas like refining, manufacturing, and power generation where high reliability and security are very important 3. Medical Systems On-site medical devices comprise in-hospital facilities like MRI scanners, infusion pumps, EKG/ECG Machines, defibrillators, and others. These run on age-old Operating Systems and proprietary protocols. Consumer medical devices comprise insulin pumps, artificial pacemakers, and prenatal monitors belonging to the class of IoT smart devices. 4. Physical Access Control and Building Automation Systems Every inch of an industrial complex – designing, fabrication, or manufacturing zone – needs to be protected. Right from HVAC systems, elevators, swipe cards, security cameras, biosecurity machines, and others, everything needs to be secured. OT Security without IoT integration: OT networks run off the grid – isolated from other networks – greatly limiting security vulnerabilities. Every process in an OT environment runs on proprietary control protocols. Critical infrastructure like transport, power distribution, healthcare, and others are an example of OT networks. In an event of an on-site security lapse, an intruder or a group of attackers may manage to get into the premises of an industrial workhouse. The threats arising from such events can be avoided by improving security and surveillance along with the deployment of multi-layered security. This is to ensure access to critical assets and control rooms is always restricted to unauthorized personnel even in an event of an on-site security lapse. Also read: Complete Guide to Cyber Threat Intelligence Feeds There have also been reports of identity card and swipe card thefts, giving unauthorized people access to OT infrastructure facilities. Did the adoption of IoT make OT systems more vulnerable? Smart transportation, smart power transmission, smart manufacturing – every ‘smart’ thing that is a part of our day-to-day lives is an upgrade of its cousin from the pre-internet days. Anyone associated – government, private contractor, or even an academician, wants to make an OT system more reliable, cost-effective, and efficient. To achieve this goal, the adoption of services like big data analytics and other enterprise software has been integrated with the OT networks. This means IT has been integrated with OT. This brought more misery than what OT systems have seen cumulated across the past 200 years. With the integration of Information Technology and the Internet of Things into Operational Technology, the security of the critical infrastructure that holds a nation has been put under scrutiny. To mitigate risks arising out of IT and IoT integration with OT, traditional security solutions along with strategies like defense-in-depth, layered security mechanisms, and other sophisticated modern security systems should be deployed. Also Read: How to get started with OT security The OT systems have moved from the state of Complete Isolation to a state where complete isolation is impossible. While the integration between IT, IoT, and OT was bound to happen sooner or later, the threats and security vulnerabilities were to follow. Just like IT Cybersecurity went through some rough patches during its infancy some 3 decades ago and is still fighting with a positive spirit, hybrid-modern OT systems to are expected to continue. How OT Security differs from IT Security Operation Technology is industry-oriented and focuses on the manufacturing, production, and transmission landscape. A single failure in an OT system can hurt industrial operations directly leading to long non-production hours. There have been instances of fatal accidents in some cases. Though such incidents are of low frequency, they have a destructive effect, threatening national security at times. OT security puts Safety at the forefront, despite being non-dynamic. On the other side of the fence, IT Security deals with data flowing across various IT systems. IT security primarily is a business-oriented vertical driven by an enterprise landscape. An IT
