Operational Technology (OT) has been around in some form for much longer than both Information Technology (IT) and the Internet of Things (IoT). Yet, when it comes to OT security, we are still taking the first concrete steps toward securing the OT environment and plugging the security gaps that have emerged thanks to its integration with IT. The need to secure OT has arisen not from the need to evolve, but from the rising cyberattacks on converged environments that we have seen in the last 5 years.
IoT security also seems to be treading the same path. Let us find out how and why.
Security was never even an afterthought when it came to OT. Instead, these systems were built to last and work efficiently. This is why you see so many 1990s-vintage devices still working hard in places like factories and power plants, while the infrastructure around them has been drastically changed by digitization. Many OT devices were built to operational perfection and were, in a manner of speaking, more than aligned to the functional needs of the times. Once your maintenance cycle is complete, these devices will work like a charm, doing the same work repeatedly without any problem.
When IoT arrived on the scene in the late 2000s (I mean in terms of large-scale R&D and some bit of adoption as well), we had already had instances of OT being attacked by all kinds of actors. The attack on the Maroochy sewage plant in Maroochy Shire, a small town in Queensland, Australia, was well behind us. In fact, the lessons from that attack were embraced more by hackers than by cybersecurity teams. This is why cyberattacks on OT evolved significantly in the last two decades.
When the Ukrainian Power Plant was attacked in 2015, the hackers were found to have conducted reconnaissance missions as early as 8 months before the attack materialized. The level of sophistication involved and the fact that the hackers could have done much more damage to Ukraine’s power infrastructure didn’t lead to any major thrust globally on improving OT security. However, with the Colonial Pipeline and JBS attacks, governments were forced to act and bring in measures to make businesses report on such attacks as a first step towards eventually securing OT-based critical infrastructure.
Despite having the example of the dangers of not securing devices and infrastructure available to cybersecurity planners, analysts, developers, and the whole world, we saw IoT evolving fast while paying scant respect to security. Accumulated wisdom should have informed us that had we prioritized IoT security much earlier, we could have had much more secure systems and hardened infrastructure operating at much lower security costs. Not only would this have given us a security culture surrounding IoT as a tech, but it would have also led to businesses taking security more seriously without having to depend on the government to force them to act.
Instead, what we are seeing is a journey down the oft-beaten path wherein security is offered some ritualistic attention after a major incident. With Industry 4.0, the cost of a breach, even a sub-kinetic one, can be unaffordable. One has to just read our latest IoT and OT Threat landscape and analysis report to understand how the threat environment has deteriorated significantly in the last year, while our institutional detection, response, and security approaches are still stuck in the 90s.
So there you have it: two different technologies, separated by time, following the same evolutionary trajectory when it comes to security. Maybe it is the path of least resistance or the “we need to improve features and functions while security takes care of itself” syndrome that is at play here.
No matter what the cause, one thing is clear: a wake-up call could be around the corner.