By Richard Staynings
Thu | Sep 19, 2024 | 4:35 AM PDT

No matter where you look today, technology plays a central and ever-increasing role in our lives. Whether that's in education, government, business, or industry, technology is omnipresent. It automates and orchestrates and helps drive speed and efficiency. It is connected and highly communicative, and it needs increasingly less intervention on our part to fulfil its intended purpose.

But the steady growth in technology expands the threat surface, that is, the potential areas that could be used to attack information and automation systems. For that reason, the traditional thought has been to separate operational technology (OT)—things that control industrial valves and switches, mechanical systems, parts of machines, and their programmable logic controllers (PLCs)—and to keep them isolated from both information technology (IT) business systems and the internet, the latter of which has become the main vector of attack for cybercriminal perpetrators often located thousands of miles away in lawless pariah states.

This division of function, however, along with the logical and physical separation that goes with it, is blurring as IoT rises to connect more and more discrete systems, while IT and OT are increasingly forced to work together to modernize industry and critical infrastructure and to help mechanical systems become "smart."

A great example of this may be our electrical systems, designed a hundred years ago. These systems generate and distribute electrical power to our homes, schools, offices, and remaining factories. They bring power and life to our trains, our traffic lights, and our air traffic control systems. Yet we are constantly exploring ways to improve our generation and use of power to drive efficiency and reduce CO2 emissions.

The advent of renewable wind and solar power generation, and self-contained small or tiny modular nuclear reactors (SMRs), is quickly making our coal-fired power stations obsolete. On September 30th, the very last British coal-fired power station will close after 57 years of power generation. This, from the country that forged the first industrial revolution on coal with its steam mills, steam trains, and steam-powered electrical turbines. Similarly, Australia, another huge producer of coal, recently hit 40% of its annual electrical generation entirely from renewable sources, while both China and India, the world's biggest polluters of CO2, have finally begun to cut back on the growth of new coal-fired power stations in favor of green energy.

In my home state of Colorado, the very last coal-fired power station is set to close in 2030, the result of a huge growth in renewables across the sunny and windy state. But none of this change could have been accomplished were it not for the development of OT-IoT-IT hybrid technologies like Smart Meters, Smart Sensors, and Smart Grids that communicate, report, and automate power flow between producers and consumers, managing peaks and troughs, and employing AI to mine the vast lakes of data acquired for time-of-day metering and pricing. Data is king, and our electrical usage patterns can be surprisingly useful in ensuring adequate supply at all times while avoiding wasted production. But connecting IT and OT to facilitate modern power, a practice that was verboten until recently, presents challenges, not least of which is cybersecurity.

Serious risks occur when OT systems with very limited cybersecurity protections which control the grid are "connected" even to private isolated networks. This potentially threatens the reliable availability of electrical supply for all of us, or worse yet, the safety of equipment and workers if attacked by cybercriminals. In Ukraine, "Sandworm," a group within the Russian GRU, has become very adept at tripping breakers and blowing up electrical infrastructure by overloading transformers and other equipment via cyberattack, so these risks are not just theoretical—they are very real, especially to the Ukrainian people.

Improved security design of smart electrical equipment, along with updated regulations fit for the 21st century, all play their part. Like all industries, however, it will require an increased level of investment in cybersecurity to offset the risks that come with new highly-efficient smart systems. The U.S. Department of Energy's Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) is a positive regulatory step, but as we continue to connect more and more smart systems, so the attack surface increases. All it takes is one unidentified or unaddressed risk and the whole system could be easily attacked and quickly turned into chaos.

Protecting critical infrastructure is vital for safety and security, but this is near impossible if we don't have a good understanding of what assets connect to our IoT-connected networks and what vulnerabilities and risks each may present. With millions of smart OT-IoT devices already connected, this is a problem which only technology can solve. Human manual processes are simply out-gunned and out of their depth here.

Indeed, the exponential growth of connected IoT has taken security professionals largely by surprise. In healthcare, 75% of connected hospital assets are thought to be largely unmanaged IoT devices. Other industries are growing their IoT at a similarly frantic pace. Even the highly-regulated industry space of NERC CIP is changing at a rapid clip as IoT devices help to make these networks smart—whether a pipeline or a pylon supporting a distribution network. When something like an oil refinery or a fuel pipeline is attacked, a lot can quickly go wrong.

But building an accurate and real-time inventory of connected assets is becoming increasingly challenging given the thousands of manufacturers building and selling IoT devices today, most of which have basic, if any, security designed in. The task of understanding what risks each of these devices presents to the integrity of the network is thus enormous, while an accurate communication profile of each system or device is absolutely necessary for the successful implementation of compensating security controls like network segmentation.
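
To make the idea of a per-device communication profile concrete, here is an added sketch (not from the original article or any vendor's product) that learns each device's peers from flow records, emits default-deny allow-list entries for segmentation, and classifies later flows against the baseline. The device names, addresses, zone and rule syntax are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records from a learning window (hypothetical devices):
# (source device, destination IP, protocol, destination port)
BASELINE_FLOWS = [
    ("meter-017", "10.20.0.5", "tcp", 502),     # Modbus/TCP to a data concentrator
    ("meter-017", "10.20.0.5", "tcp", 502),     # repeat flows collapse into one entry
    ("meter-017", "10.20.0.9", "udp", 123),     # NTP
    ("sensor-204", "10.20.0.5", "tcp", 20000),  # DNP3
]

OT_ZONE = ip_network("10.20.0.0/24")  # assumed OT segment for this example


def build_profiles(flows):
    """Map each device to the set of (dst, proto, port) tuples it was seen using."""
    profiles = defaultdict(set)
    for device, dst, proto, port in flows:
        profiles[device].add((dst, proto, port))
    return dict(profiles)


def allow_rules(profiles):
    """Render profiles as allow-list entries (illustrative syntax); all else is denied."""
    return sorted(
        f"allow {dev} -> {dst} {proto}/{port}"
        for dev, peers in profiles.items()
        for dst, proto, port in peers
    )


def check_flow(profiles, flow):
    """Classify a newly observed flow against the learned baseline."""
    device, dst, proto, port = flow
    if device not in profiles:
        return "unknown-device"          # asset missing from the inventory
    if (dst, proto, port) in profiles[device]:
        return "expected"
    if ip_address(dst) not in OT_ZONE:
        return "violation-leaves-zone"   # device talking outside its segment
    return "violation-new-peer"          # new in-zone peer or service


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_FLOWS)
    print("\n".join(allow_rules(profiles)))
    print(check_flow(profiles, ("meter-017", "203.0.113.7", "tcp", 443)))
```

An "unknown-device" result is the inventory gap described above: a segmentation policy can only be written for assets that have been identified and profiled.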

While the digital pace of change across most critical industry sectors continues to accelerate, it is important that our adoption of new technologies, especially those that connect critical mechanical or healthcare systems, not be allowed to outpace our understanding of cybersecurity risk or the adoption of adequate security controls.
