The importance of protecting OT against cyberthreats

2. What is Operational Technology (OT)?

Where Information Technology (IT) is all about the automation of information, Operational Technology (OT) is all about the automation of physical processes. A couple of years ago, it was strongly tied to the industrial sector and its modernization with Industry 4.0. Before OT, we therefore often referred to it as Industrial Control Systems (ICS) or Industrial Automation & Controls Systems (IACS). At the same time, in the oil and gas sector, it can be addressed as the Process Control Domain (PCD). Nowadays, we generally use OT to cover all automation of physical processes, as we find OT in a much broader field than only industry and oil & gas. OT is all around us and applied in more than 60% of all sectors.

Although our lives have come to depend on OT, most people still don’t know what the abbreviation stands for. Unlike IT, where we have been made very aware of its influence on our lives. Information Technology has automated information processing, and we are quite conscious of our interactions supported by IT. We use our computers, smartphones, and tablets to communicate and transact with banks and government agencies, order products, and book our travel. We are much less conscious about OT, which provides us with energy and drinking water, transports us by elevators, cars, ships, and planes, and plays a vital role in the production of food, medicines, and other products we use in our daily lives. OT even keeps us alive if we think about the ventilators used in hospitals and a variety of medical machines. The impact of a successful cyber-attack on OT can be much more significant than attacks on an IT environment and requires our awareness.

3. The current attention for securing OT

The resilience of OT against cyber-attacks is generally very low, while the impact of a successful cyber-attack on OT is, in most cases, very high. This is nothing new and has been the case since the automation of OT, but vulnerabilities were extremely difficult to exploit because the access to OT was well protected. Physical access to OT was required, and facilities were adequately protected by physical access control and social control, as small groups of operators all knew each other.

Further automation and business needs have resulted in the interconnection of IT and OT, which has opened logical doors to OT environments that haven’t been prepared for such access.

3.1 Compliance

A clear driver for organizations to take action is compliance and regulations. For Europe, the NIS2 should become active in the last quarter of 2024, although local implementations by member states might take some more time. On a high level, one might say that the NIS2 follows the same implementation process as the GDPR in 2016. Where GDPR focuses on data protection and privacy with the assurance of confidentiality and applying the need to know/need to have principles, the NIS2 will cover breaches to logical IT and OT networks in general on all security aspects, like safety, availability, integrity, and confidentiality (see 5.1).

The NIS2 forces organizations to take responsibility by applying fines when negligent. It not only stimulates organizations to improve their own security posture but also to pay proper attention to the area of vendor management from a security perspective, reducing the risk of supply chain attacks.