Operational Technology in the Crosshairs


Way back in 2015, I interviewed several officials working at utility companies for a column I was writing for Nextgov about why we had not, at that time, experienced a major attack against our critical infrastructure. There were several reasons the nation was so well protected from an attack against the power grid, the water system, natural gas pipelines, transportation control networks or any other system considered part of the country’s critical infrastructure. The biggest was that operational technology, which among other things controls physical equipment such as valves and pumps, was largely both proprietary and unnetworked.

Back in 2015, attackers needed to breach a facility like a power plant through its IT network and then try to find some connection into the OT network if they hoped to influence the physical world. And even if they were able to locate one of those rare places where IT and OT met, they would also need to be skilled in whatever proprietary system they were targeting on the OT network.

A lot has changed since then. With many of the older workers who knew how to turn wrenches and operate much of the aging physical infrastructure now retiring, utilities had little choice but to increasingly network their OT functions. The advantage of doing that for critical infrastructure providers is twofold. First, it lets them easily monitor and operate OT equipment remotely. Second, it allows the IT staff to take over many of the functions formerly performed by all those retiring workers. And while all that was taking place, OT manufacturers were busy streamlining their products to the point where the interfaces of many OT devices gradually became little different from those of IT devices.

All of that is an inevitable part of moving critical infrastructure forward, but it comes with risks. Opening up the OT network to the IT staff and to remote management also potentially exposes it to attackers: the same connectivity that lets an operator change a setting from a remote workstation lets anyone who obtains that access do the same.

Just last week, the Cybersecurity and Infrastructure Security Agency issued a warning about ongoing attacks against water treatment plants. The alert described several previously undisclosed attacks on treatment plants around the country. While most of the attacks cited in the alert involved ransomware, there have also been more serious threats against critical infrastructure that probably would not have been possible back in 2015.

Today it is a different world. Department of Homeland Security Secretary Alejandro Mayorkas reiterated that point during an interview with USA Today last week, citing an incident in which hackers tried to poison the water supply of Oldsmar, Florida.

Attackers gained access to the water treatment plant’s OT network and attempted to change the amount of sodium hydroxide added to drinking water during treatment. At the low doses used in treatment, sodium hydroxide raises the water’s pH, which limits corrosion and the leaching of metals from pipes. At high concentrations it can be fatal, causing severe chemical burns to anyone who drinks it or even comes in contact with contaminated water. Thankfully, in the Florida case, the change was spotted and reversed, and no poisoned water reached the public.
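As an added example (not code from the column, the plant or any vendor), here is the kind of independent check that catches a change like the one described above: a monitor, kept separate from the HMI that remote users can reach, that reads setpoint changes from an audit log and raises an alert when a value leaves a predefined safe envelope or jumps further than a routine adjustment would. The log format, tag name, user names and limits are hypothetical, and the sample log lines are constructed.

```python
# Added example (not code from the column or from any plant): an independent
# setpoint-envelope monitor for a chemical dosing loop. It reads HMI audit-log
# lines, compares every setpoint change against a safe operating envelope and
# flags values outside it or steps too large to be a routine adjustment.
# The log format, tag names and limits below are hypothetical.
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical audit-log line format:
#   <timestamp> <user> SETPOINT <tag> <old_value> -> <new_value>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) SETPOINT (?P<tag>\S+) "
    r"(?P<old>-?\d+(?:\.\d+)?) -> (?P<new>-?\d+(?:\.\d+)?)$"
)


@dataclass(frozen=True)
class Envelope:
    low: float       # lowest setpoint the process should ever be given
    high: float      # highest setpoint that is safe for the public
    max_step: float  # largest single change a routine adjustment would make


# Hypothetical limits chosen for illustration; a real plant takes these from
# its process engineers and keeps them outside the HMI an attacker can reach.
ENVELOPES = {
    "NAOH_DOSE_PPM": Envelope(low=50.0, high=200.0, max_step=25.0),
}


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    tag: str
    new: float
    reason: str


def check_change(ts: str, user: str, tag: str, old: float, new: float) -> Optional[Alert]:
    """Return an Alert if a setpoint change violates its envelope, else None."""
    env = ENVELOPES.get(tag)
    if env is None:
        # A write to a tag nobody defined limits for is itself worth a look.
        return Alert(ts, user, tag, new, "no envelope defined for tag")
    if not env.low <= new <= env.high:
        return Alert(ts, user, tag, new,
                     f"out of envelope [{env.low}, {env.high}]")
    if abs(new - old) > env.max_step:
        return Alert(ts, user, tag, new,
                     f"step {abs(new - old):.1f} exceeds {env.max_step}")
    return None


def scan_log(lines: List[str]) -> List[Alert]:
    """Run every parseable SETPOINT line through check_change; skip the rest."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        alert = check_change(m["ts"], m["user"], m["tag"],
                             float(m["old"]), float(m["new"]))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not from any real incident): a routine tweak, a
# remote session pushing the dose far past anything safe, the operator's
# revert (flagged too, because a 9400 ppm swing is never routine), an
# unrelated login line, and a later in-envelope change.
SAMPLE_LOG = """\
2024-01-15T09:02:11Z operator1 SETPOINT NAOH_DOSE_PPM 100.0 -> 105.0
2024-01-15T09:02:40Z remote_hmi SETPOINT NAOH_DOSE_PPM 105.0 -> 9500.0
2024-01-15T09:04:02Z operator1 SETPOINT NAOH_DOSE_PPM 9500.0 -> 100.0
2024-01-15T09:05:00Z operator1 LOGIN workstation3
2024-01-15T09:10:00Z operator1 SETPOINT NAOH_DOSE_PPM 100.0 -> 120.0
""".splitlines()


def demo() -> List[Alert]:
    alerts = scan_log(SAMPLE_LOG)
    for a in alerts:
        print(f"{a.ts} ALERT {a.tag}={a.new} by {a.user}: {a.reason}")
    return alerts


if __name__ == "__main__":
    demo()
```

The point of the design is where the check lives: the envelope is defined and enforced outside the remote-access path, so a session that can drive the HMI cannot also quietly widen the limits. In the Florida case the catch was a person watching the screen; a check like this fires whether or not anyone is looking, and the flagged revert gives the incident responders a timestamped record of who put the value back.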

Research and advisory firm Gartner wrote on its blog that incidents like the Florida water treatment plant attack should be a wakeup call for better OT security. Sadly, the firm also predicts that without serious change, we are likely to see injuries or even fatalities from this kind of attack by 2025.

“The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” the Gartner blog states. “The world has seen real incidents where events originating in the digital world had an impact on the physical world.”

And it’s not just utilities that should be worried. Many of the world’s largest data centers are packed with both IT and OT devices. They could not run without cooling, electricity and other physical infrastructure, much of which is controlled by an OT network.

Honeywell studied this issue as part of a report entitled “Rethinking Data Centers as Resilient, Sustainable Facilities.” To gather data for the report, researchers surveyed facility managers across the data center sector in the United States, China, Germany and Saudi Arabia. When asked about their biggest fears, those managers ranked OT cybersecurity as their third most pressing concern, with 72% calling it a serious issue at their data centers.

“It is crucial to reduce unscheduled downtime in data centers as much as possible,” said Manish Sharma, vice president and chief technology product officer of Honeywell Building Technologies. “Giving data center operators better insight and control of their building and OT systems—and treating them with the same importance as the critical IT systems can help to better identify efficiencies, reduce potential outages and optimize security, fire and safety procedures.”

Utility operators should take the same track that data center managers have been following and put more emphasis on OT cybersecurity. Back in 2015, the threat to critical infrastructure was minimal, almost non-existent. Today, successful OT attacks are already happening. And without rapid changes in how OT cybersecurity is prioritized and handled, there is little stopping those attacks from escalating. It’s a race against time at this point, and the attackers seem to be at least a couple of steps ahead of the OT security meant to constrain them.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys