Successful implementation of cyber security in an Operational Technology (OT) environment demands recognition of its unique physical, cultural and organisational challenges. Only by acknowledging these can you craft a practical, effective approach that OT teams will buy into.
Overcoming these hurdles is especially crucial in the utilities and manufacturing sectors, where a cyber-attack induced operational halt can affect critical national infrastructure and global supply chains.
Based on our worldwide experience introducing our cyber security expertise into OT environments, this article shares our recommendations for operations, IT and security professionals wanting a straightforward implementation process that meets OT defence requirements and makes sense to OT teams.
OT is now as vulnerable to cyber-attacks as IT
Organisations with OT functions have often, over many years, developed organisational structures where IT and OT operate separately, creating silos of accountability.
One of the main drivers for IT/OT convergence is the volume and richness of data within the OT environment that can form the basis of advanced analytics and insight-based decision making, providing significant business advantage. Think Digital Twins and how organisations generate operational efficiencies and/or cost savings through predictive maintenance or other scenario-based strategies.
Aside from missing out on valuable business intelligence, the traditional siloed approach can also lead to gaps in overall cyber security, leaving business-critical OT infrastructure vulnerable to cyber-attacks. Such incidents should be treated as a matter of when, not if. A unified approach means consistent cyber security measures across both domains, protecting both OT critical infrastructure and IT business-critical infrastructure from cyber threats.
Where to start?
There’s widespread agreement that robust defences depend upon:
first discovering assets,
assessing their exposure to understand where an attacker could gain a foothold, and
then prioritising remediation.
Standards exist to guide the implementation of these security controls, such as NIST SP 800-82 Rev. 2 and IEC 62443. These standards describe methods for securing an OT infrastructure environment, including: restricting logical access to the network and network activity through demilitarised zones (DMZs) and firewalls, enforcing valid permissions, installing antivirus software, and developing the capability to restore systems should an incident occur.
So, where do you start your implementation journey?
Understanding your environment is critical to strengthening OT’s defences
The journey to OT cyber security begins with a comprehensive understanding of your environment. Without this base knowledge, you can’t be entirely confident that any cyber security you apply will be sufficiently robust to protect your critical OT systems.
This process of discovery can be broken down into five stages:
1. Discover what’s on and connected to your networks
This can be as simple as adding a sensor that listens passively to your environment. Passive listening means configuring the local switch to mirror (SPAN) traffic to the port the sensor is connected to; the sensor then records the Media Access Control (MAC) and IP addresses it sees on the wire and correlates them into an inventory, without sending any traffic of its own into the OT network.
2. Do a physical walkthrough
Passive network scanning can provide a starting point, but it's crucial to complement this with a physical walkthrough to capture all your physical assets. You can only be confident you understand your environment by reconciling your digital and physical asset inventories and comparing them to what the sensor has discovered.
The challenging part of this process is learning how to compare what’s ‘on the wire’ with ‘what’s on the floor’. This comparison identifies network blind spots and will reveal:
items on the floor that aren’t connected to any local network,
the items on the floor that aren’t connected to a local network that you’re aware of,
the networks and devices that existing sensors are monitoring,
any networks that aren’t currently covered by sensors.
3. Identify and categorise devices
This involves working through your discovered list to identify products that don’t necessarily have a reported MAC address. It also involves sorting all devices into categories, such as industrial devices, printers, access points, workstations and under-identified devices which need to be called out for further investigation. If you’re unlucky, you might find somebody has installed an unapproved device, such as a Raspberry Pi or a Wi-Fi extender/repeater.
4. Assess internet connectivity
At this point, your monitoring device will start reporting potential security concerns, such as devices that can reach the internet. It is common to find that many devices are connected to the internet without anyone realising it. The next question is, do these devices need internet access, and if they do, how do you mitigate the risk without impacting production requirements?
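The four stages above can be exercised end to end on a small capture. The following is an added example written for this article, not CGI tooling or code from any sensor product: it parses a handful of constructed Ethernet frames (the kind a SPAN-port sensor would see), builds a MAC-keyed inventory with IP bindings (stage 1), reconciles it against a walkthrough asset list (stage 2), categorises devices by an OUI table and by the industrial protocols they serve (stage 3), and flags devices seen sending to addresses outside the site (stage 4). The OUI prefixes, asset tags, MAC and IP addresses are all invented for the example; a real deployment would use the IEEE OUI registry and a full packet capture.

```python
"""Passive OT asset discovery from a SPAN-port capture (added example, not CGI code)."""
import ipaddress
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

# Constructed OUI prefixes (invented for this example, NOT IEEE registry values).
OUI_CATEGORY = {"aa:bb:02": "printer", "aa:bb:03": "access point", "aa:bb:04": "workstation"}
# Serving one of these ports is strong evidence of an industrial device.
INDUSTRIAL_PORTS = {502: "modbus/tcp", 44818: "ethernet/ip", 20000: "dnp3"}
# Ranges that never leave the site; anything else is treated as an internet address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def is_internet_address(ip):
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return src/dst MAC and, where present, IPs and TCP destination port."""
    if len(frame) < 14:
        return None
    rec = {"src": mac_str(frame[6:12]), "dst": mac_str(frame[0:6]),
           "src_ip": None, "dst_ip": None, "dst_port": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    p = frame[14:]
    if ethertype == ETH_ARP and len(p) >= 28:
        rec["src_ip"] = str(ipaddress.IPv4Address(p[14:18]))   # ARP sender protocol address
    elif ethertype == ETH_IPV4 and len(p) >= 20:
        ihl = (p[0] & 0x0F) * 4
        rec["src_ip"] = str(ipaddress.IPv4Address(p[12:16]))
        rec["dst_ip"] = str(ipaddress.IPv4Address(p[16:20]))
        if p[9] == 6 and len(p) >= ihl + 4:                     # protocol 6 = TCP
            rec["dst_port"] = struct.unpack("!H", p[ihl + 2:ihl + 4])[0]
    return rec


def build_inventory(frames):
    """Stages 1 and 3: one record per MAC with IPs, category and internet peers."""
    inv = {}

    def entry(mac):
        return inv.setdefault(mac, {"ips": set(), "internet_peers": set(), "serves": set(),
                                    "category": OUI_CATEGORY.get(mac[:8], "under-identified (investigate)")})
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        e = entry(rec["src"])
        if rec["src_ip"]:
            e["ips"].add(rec["src_ip"])
        if rec["dst_ip"] and is_internet_address(rec["dst_ip"]):
            e["internet_peers"].add(rec["dst_ip"])
        if rec["dst_port"] in INDUSTRIAL_PORTS:      # the destination serves the protocol
            d = entry(rec["dst"])
            d["serves"].add(INDUSTRIAL_PORTS[rec["dst_port"]])
            d["category"] = "industrial device"
    return inv


def reconcile(inventory, floor_assets):
    """Stage 2: wire inventory vs. walkthrough list (asset tag -> MAC, or None if no MAC)."""
    on_wire, on_floor = set(inventory), {m for m in floor_assets.values() if m}
    return {"on_floor_not_on_wire": sorted(on_floor - on_wire),
            "on_wire_not_on_floor": sorted(on_wire - on_floor),
            "floor_items_without_mac": sorted(t for t, m in floor_assets.items() if not m)}


def internet_talkers(inventory):
    """Stage 4: devices seen sending to addresses outside the site."""
    return sorted(m for m, e in inventory.items() if e["internet_peers"])


# --- constructed capture (frame builders and sample data are part of the example) ---
def _mac(m): return bytes.fromhex(m.replace(":", ""))
def _ip(a): return ipaddress.IPv4Address(a).packed

def arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    body = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 2) + _mac(src_mac) + _ip(src_ip) + _mac(dst_mac) + _ip(dst_ip)
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_ARP) + body

def tcp_syn(src_mac, src_ip, dst_mac, dst_ip, dst_port):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _ip(src_ip), _ip(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip_hdr + tcp_hdr

PLC, HMI, PRINTER = "cc:dd:ee:00:00:10", "aa:bb:04:00:00:20", "aa:bb:02:00:00:30"
GATEWAY, ROGUE = "aa:bb:03:00:00:01", "de:ad:be:ef:00:01"    # both PLC and ROGUE have unknown OUIs
# 203.0.113.5 is a documentation address standing in for a real internet host.
SAMPLE_FRAMES = [
    arp_reply(PLC, "10.10.1.10", HMI, "10.10.1.20"),
    tcp_syn(HMI, "10.10.1.20", PLC, "10.10.1.10", 502),        # HMI polling the PLC over Modbus/TCP
    arp_reply(PRINTER, "10.10.1.30", HMI, "10.10.1.20"),
    tcp_syn(ROGUE, "10.10.1.99", GATEWAY, "203.0.113.5", 443),  # unknown device reaching the internet
]
# Walkthrough list: a tagged PLC, the HMI, and a serial-only panel meter that has no MAC.
FLOOR_ASSETS = {"PLC-01": PLC, "HMI-01": HMI, "METER-07": None}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FRAMES)
    for mac, e in sorted(inv.items()):
        print(mac, e["category"], sorted(e["ips"]), sorted(e["serves"]), sorted(e["internet_peers"]))
    print(reconcile(inv, FLOOR_ASSETS))
    print("talks to internet:", internet_talkers(inv))
```

Two points the output makes that the prose only states: the PLC has an OUI the table does not know, yet it is categorised as an industrial device because another host was seen talking to it on port 502, while the unknown-OUI device that only talks to the internet stays under-identified; and the panel meter on the floor never appears on the wire at all, which is exactly the kind of asset a purely network-based inventory misses.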
5. Help OT teams understand the importance of these findings
With a history of isolated OT environments, OT teams may not see the value of new cyber security technology in their environment because, up until now, this new technology hasn’t been needed. There can also be an inherent fear that introducing anything into the OT environment that’s not actually OT, bears a risk to the stability and integrity of the environment.
History has shown that these OT systems are frequently not as isolated as expected. For example, USB drives are plugged into systems, laptops connected to the IT systems are carried into the control rooms and plugged into the OT network, and undocumented networks are connected for convenience.
Showing the organisation examples of other OT cyber-attacks, such as Stuxnet, the Sandworm attacks that took down parts of Ukraine’s electricity grid, the Oldsmar water treatment plant intrusion, and the ongoing attacks relating to the current Russia-Ukraine war, is a good way of starting a conversation about your own vulnerabilities.
To close the IT/OT organisational gap, it’s important to acknowledge and address how different areas of expertise will work together and establish common terminologies between your OT and cyber engineers to make looking at the technology easier.
However, this isn’t the most significant factor in building OT defences. A strong, trustworthy and mutually respectful relationship between OT and cyber experts is critical so that cyber security can be discussed in an open and accepting way.
The best way to build this relationship is to hold regular meetings and to make sure that OT cyber experts play a prominent role, sitting with OT teams and helping them take the cyber security journey.
CGI: Making effective Australian cyber security easy
We have over 30 years’ experience partnering with OT organisations with responsibility for Australia’s critical infrastructure and essential services.
We help keep the water, trams and electricity running, providing services to houses all over Australia. Our security team works closely with engineers and continually shares knowledge to make sure that everyone involved in OT can contribute to discussions about security.
In terms of specific experience, we currently provide support through:
our own OT technology: Remote Telemetry Units (RTU) and SCADA (MOSAIC),
monitoring water, wastewater and sewerage networks,
substation automation using our Australian-developed RTU,
RTU-based automation and enablement software supporting various energy transition related use cases, and
working with many of Australia’s leading asset-intensive businesses to provide Supervisory Control and Data Acquisition (SCADA) solutions, including our operational technology IP.
Bringing OT and IT together under one cyber security umbrella can be challenging, requiring a blend of IT security expertise, OT domain knowledge and a strong collaborative spirit.
Find out more about our cyber security services in Australia