Why cyber security deserves more attention in Operational Technology (OT)

Does the Stuxnet malware attack mean anything to you? This computer worm, discovered in 2010, is considered the first cyber-attack specifically targeted at OT. The Stuxnet worm was spread via USB and aimed to bring down industrial plants. It caused significant damage to Iran’s nuclear program (“a backlog of several years”) and destroyed numerous uranium enrichment centrifuges. 

By OT we mean the hardware and software that execute, monitor and control industrial processes. Think, for example, of the control of a conveyor belt with packages or a filling machine for milk cartons, but also of the control of water quality or the control of programs around bridges, locks and traffic flows. Disruption of this operational technology has major consequences for the organization and can potentially also have a major impact on society. 

Text continues after image

Ermerging risks

In IT, cyber security plays a leading role, in OT, unfortunately, this is not yet sufficiently the case. Although operational management has traditionally paid great attention to safety, but cyber security has been neglected in this area. When OT and IT were still clearly separate worlds, this was logical and not immediately problematic.

Now that OT and IT are increasingly connected, and OT systems are becoming smarter, new vulnerabilities and serious risks are emerging. There are plenty of examples:

• Dozens of British hospitals offline
  Remember the global WannaCry ransomware attacks in May 2017? More than 230,000 computers in 150 countries became infected and unusable via this attack by North Korea. Among others, the British National Health Service (NHS) was severely affected: around 70,000 devices, including computers, MRI scanners, blood storage cabinets and other medical equipment were infected and rendered unusable. Patient data and other medical data were also encrypted. Dozens of hospitals came to a squeak and a halt. NHS was susceptible to this attack because an earlier critical security patch in Microsoft XP had not yet been implemented. The damage to the NHS is estimated at £92 million in disruption to services and IT upgrades.

• Norwegian energy giant must switch to manual control
  In 2019, Norwegian energy and aluminum group Norsk Hydro fell victim to LockerGoga ransomware. It was believed to have been distributed via the company’s own Active Directory services and spread to locations in 50 countries. The ransomware blocked company systems, causing them to switch to manual control and workarounds – without modern IT. The productivity of departments responsible for manufacturing components for car manufacturing, construction and other industries fell below 50%. It took weeks for administrative systems such as reporting and invoicing to get back on track. The damage is estimated at $70 million in lost margins and low production volumes.

• Ransomware completely paralyses Maastricht University
  In December 2019, the Dutch University of Maastricht was hit by Clop ransomware. Almost all Windows systems went offline. File and email servers, printers and VPN services were unusable for weeks. Information systems surrounding timetables, study materials and the student portal were also down. In the end, it turned out that the cyber-attack had been started by a phishing e-mail only two months earlier: a link in the e-mail led to an Excel document containing a macro, which retrieved malware from an external server and installed it on the user’s workstation. The university paid a ransom of € 197.000 in exchange for a key to make the systems accessible again.

These are just three horror scenarios and they clearly show that cyber security is an important factor for business continuity in OT as well. It is important to realize that these types of attacks occur in all types of businesses:

• Not only in large of well-known companies: the large multinationals are logical targets given their scale, yet almost half of all cyber-attacks are directed at SMEs.
• Not just in certain sectors: by their very nature, companies in manufacturing, infrastructure and energy, among others, are clearly vulnerable to cyber-attacks on their operational systems. But make no mistake, companies and institutions of all shapes and sizes are affected.
• And it doesn’t stop at just one attack: the chance of being hit more than once may seem small, but that is not the case. About two out of three companies that experience a cyber attack are hit again within 12 months.

What can you do?

The solution is as simple as it is complicated. The simple variant consists of two steps, namely a) identify risks and b) avoid, transfer, control or accept the risks identified. No sooner said than done.

We like to opt for an extensive system health check, in which we thoroughly examine the operational technology in a short period of time: we analyse the current OT infrastructure and identify the vulnerabilities. In doing so, we base ourselves on ISO 27001 (think strong passwords, back-up strategy, recovery strategy, network security, firewalls, etc.).

This results in an advice with suggestions for removing the found vulnerabilities. This can be done internally or externally, depending on the wishes and possibilities. We work together with seasoned OT experts, who know exactly what the practice looks like. They have broad experience with the interface between OT and IT and know how to deal with it constructively.

The more complicated answer to the question ‘what can you do?’ revolves around a change of mindset. OT and IT are two different worlds that are getting closer to each other, but they also have a wall around them. The mutual switching often leaves much to be desired. That is why we think it is important to build a bridge, preferably from OT to IT. From our expertise as transition managers, we know better than anyone how to narrow the distance between these worlds and achieve successful cooperation. We also like to think along about migration of legacy systems and EOL hardware, virtualisation solutions and other OT/IT integration services.

Wondering what we can do for the operational systems of your organisation? Would you like to realise a better dynamic between OT and IT, or are you interested in the system health check? Please contact our colleague Gert Veldhuis on (+31) 085 – 487 29 00 or gert.veldhuis@transitionexperts.nl.