Operational Technology: New Target For Network Security Obligations
The past two decades have produced intense focus on information security to protect data. This priority remains important.
But the change in administrations and the Continental Pipeline incident have redirected attention to operational technology and functional resiliency. Protecting data is important, but making sure the company continues operating is vital.
What is operational technology? If information technology covers your email, relational databases, documents and other data applications, operational tech runs the non-data functions. Some companies don’t have many non-data functions. Banks and insurance companies, for example, are nearly entirely data driven – their products and services are all easily expressed in ones and zeros. But heavy industry is different. Manufacturing facilities, railroads, pipelines, oilfields and chemical processors are all operations that can be improved through the application of technology, and this tech makes operating physical machines and tools more efficient and effective.
According to the NIST glossary operational technology describes “programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.” Most businesses run these systems, but for some the systems are the core of their business.
The government is emphasizing protection of these systems with new sets of requirements and standards. In these discussions, data is not the central feature. The watchword for operational technology is resiliency. A company needs to be able to protect these systems from attack, to isolate them from the more-exposed information networks, and to be prepared to replace or revive them when trouble arises.
Recent government actions address protection of critical infrastructure, which could be data based, like the health care and financial industries, or operational tech based, like the energy, transportation and manufacturing industries. The Department of Homeland Security this summer issued new pipeline security requirements. The National Institute of Standards and Technology updated its extensive set of standards and recommendations for operational security, addressing manufacturing, energy and transportation protections. The President’s executive order on cybersecurity pushes federal agencies to require operational protection and resiliency, and to propose standards to help this cause.
One of the most obvious ways to protect operational systems is to “air-gap” them from the rest of the company systems. We know that hackers and ransomware actors can use the complexities and vulnerabilities of data networks to access company systems. When these information systems are connected directly to the operational systems, an attack on the former can lead to infiltration of the latter. Building firebreaks between the systems is important.
But, in today’s data-driven enterprises, firewalls can be porous because enterprise-wide management systems and newly-connected IoT devices spill an ever-increasing supply of operational data back to management for analytics and support. Every business harnessing the power of its own operational data is running the risk of allowing hackers into those very channels. If you can access the machine, then a bad guy may be able to access the machine just by impersonating you. For this reason, every connectivity and sharing decision concerning operational systems must also consider whether an intruder into the data systems can access the operational systems.
Even if the functional technology is correctly air-gapped, and hackers can’t reach in through the other company systems, simple security procedures need to be in place. There is no network security without physical security – physical access to any machine creates opportunities for hijacking. So while network security can keep out the hackers from halfway around the world, physical security can foil saboteurs and local hackers.
But your own operators need to access the data from these machines and the operational management technology that controls them, and your company should minimize the risks involved with this process. For example, most companies with strong security systems keep machines available onsite to run checks on thumb drives that operators use to interact with company systems. Insert the thumb drive, run diagnostics to confirm that it does not contain malware or open unwanted communications channels, and log the results before the drive may be inserted into the company’s operational systems. For minimal cost in time and money, a major risk is mitigated.
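As an added illustration of the thumb-drive kiosk workflow described above (this is example code, not part of the original article): a minimal Python check that inventories a mounted drive, hashes every file, flags autorun metadata and executable content under an assumed policy, and appends an audit record before the drive is approved. The sample drive is constructed in a temporary directory and the blocked-file lists are assumptions; a production kiosk would run this alongside a real malware scanner.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
# Assumed kiosk policy for this example: autorun metadata or executable content blocks the drive.
BLOCKED_NAMES = {"autorun.inf"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".msi"}

def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inspect_drive(mount_point: str) -> dict:
    """Inventory every file on the mounted drive and decide whether it may proceed."""
    root = Path(mount_point)
    inventory, findings = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        inventory.append({"path": rel, "sha256": sha256_file(path), "bytes": path.stat().st_size})
        if path.name.lower() in BLOCKED_NAMES:
            findings.append(f"autorun file present: {rel}")
        elif path.suffix.lower() in BLOCKED_EXTENSIONS:
            findings.append(f"executable content present: {rel}")
    return {"checked_at": datetime.now(timezone.utc).isoformat(), "mount_point": str(root),
            "file_count": len(inventory), "inventory": inventory,
            "findings": findings, "approved": not findings}

def record_result(result: dict, log_path: str) -> str:
    """Append one JSON line per check so the decision is auditable; returns the line written."""
    line = json.dumps(result)
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(line + "\n")
    return line

def build_sample_drive() -> str:
    d = tempfile.mkdtemp(prefix="kiosk_demo_")  # constructed sample, not a real device
    Path(d, "readme.txt").write_text("hello")
    Path(d, "autorun.inf").write_text("[autorun]\nopen=tool.exe\n")
    Path(d, "tool.exe").write_bytes(b"MZ")
    return d

if __name__ == "__main__":
    verdict = inspect_drive(build_sample_drive())
    record_result(verdict, str(Path(tempfile.gettempdir(), "kiosk_demo.log")))
    print("BLOCKED" if verdict["findings"] else "APPROVED", verdict["findings"])
```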
For risk management, nothing beats personal accountability. A single person within your organization should be assigned responsibility for protecting the operational systems and should report at least to senior management, and probably to the board of directors, no less than each year, on the progress of securing this critical company asset.
And nothing supports personal accountability like a budget. The assigned operational security owner should also propose a budget and receive company funds to meet the company’s security goals. Assigning a person to manage the problem without funding the priorities can be used by adversaries in litigation or by regulators to show a company is not taking the problem seriously. Additional security is always difficult to advocate for with the company CFO, but a company’s budget is a proxy for its priorities. Adequately funding resilient operations will always be important.
Many more operational protections are specific to the kinds of machines and risks they address. Protecting a factory will always be different from fire control in an office complex or protecting pipelines. The complexity cannot be an impediment to prioritizing protections. We have talked for two decades about the importance of data security. It is time to shine the spotlight on the equally important task of maintaining resilient technology-supported operations.