This article was originally published on InformationWeek
Whether you’re a policymaker, technical expert, manager, or end user, you have a part to play in keeping operational technology secure.
A few months ago, a cyber-criminal gang called Darkside brought Colonial Pipeline’s systems offline for nearly a week, causing panic buying and fuel shortages. Soon afterward, The Health Service Executive (HSE) in Ireland was hit by a ransomware attack that stole health records and scrambled telemetry data in IT hospital systems.
The Internet of Things (IoT) has changed the way we need to think about protecting operational technology. It’s no longer enough just to physically protect the machinery and digital devices used in healthcare, business, manufacturing, and transportation. Increasingly, today’s operational technology is smart and that makes it more vulnerable than ever to attack.
The importance of protecting critical digital infrastructure and the operational data it produces was highlighted by a recent one-day summit where President Biden handed Vladimir Putin, his Russian counterpart, a list of 16 critical infrastructure sectors that must be “off-limits” from cyberattacks. For many people, the summit reinforced the idea that protecting the operational technologies used in industry, businesses and homes needs to be a collaborative endeavor. The question then becomes, who is responsible for what? Here’s a breakdown:
Responsibilities of End Users
- Practice good cyber hygiene
End users can be the weakest link in security operations. You can help staff stay on top of the latest phishing email and social engineering exploits by offering them security-awareness training on a frequent basis. Be sure to enforce security policies that require strong passwords and multi-factor authentication.
- Be vigilant
End users can also be your first line of defense. Quick response and escalation of cyber incidents is key to limiting the damage a cyberattack can cause. Consider testing end users periodically to make sure they know what to do and who to contact if they suspect a cyber exploit.
Responsibilities of Private Sector Managers
- Replace old, legacy systems
Legacy operational technology can be expensive and difficult to replace. Some operational technology systems used in industry, for example, still run on Windows 95 and weren’t designed with cybersecurity in mind. Collaborate with stakeholders to create an enterprise lifecycle plan for operational technology that addresses how you plan to mitigate risk.
- Make sure investments in cybersecurity are a priority
Failure to allocate sufficient resources to protect operational technology assets will only increase the chance that an attack will be successful. When budget time rolls around, make sure your organization views security controls as an asset, not a cost.
Responsibilities of Technical Experts
- Work on blending operational technology and IT security controls
Operational technology systems are increasingly incorporating aspects of information technologies to automate the machinery used in manufacturing, utilities, and transportation and take advantage of the data that IoT devices produce. Consider adding cross-training opportunities that will allow operational technology and IT teams to understand how each other’s systems work. Your goal should be to ensure that no single weakness can lead to a critical compromise on a larger system.
Responsibilities of Policymakers
- Create policy that can be enforced
Policymakers in governments and within private organizations both have a responsibility to make operational technology cybersecurity a priority. Government agencies should work together to raise awareness about the importance of operational technology cybersecurity and facilitate the implementation of operational technology cybersecurity policies that draw from international and regional best practices and guidelines. Be sure to craft policy in consultation with private, public, and technical stakeholders to ensure that goals are clear and address the needs of all stakeholders. Make sure that policy is not drafted simply for compliance’s sake; have a clear understanding of risk and draft policy to address, mitigate and eliminate as many risks as possible.
A Shared Responsibility
In a nutshell, everyone has a responsibility to protect operational technology cybersecurity, and this chain of responsibility is crucial for all stakeholders to understand and participate in. The efforts you and your colleagues make to secure operational technology will not only help prevent ransomware and supply chain attacks from being successful, but they will also help bolster everyone’s physical safety in an increasingly digitized world.
