OT cybersecurity: no longer a niche field

Companies have plenty of reasons to pay closer attention to matters of cybersecurity in their factories. Digitalization and OT/IT connections are drivers of innovation and come with many advantages, but they also increase vulnerability to cyberattacks. The second part of the OT security series shows the consequences: implementation of the security standards for operational technology (OT) is still lagging behind IT.

Here’s a little brain teaser: five frogs are sitting on a log. One decides to jump. Now how many frogs are sitting on the log? Four? Wrong. Deciding to do something is not the same as actually doing it. This discrepancy between planning and doing is a part of many areas of our lives. Take climate change, for instance: we know that we have to do something, and yet we find it so difficult.

 

Which takes us to cybersecurity. These days, most companies know that it’s merely a matter of time before they get hacked, but they still often struggle to implement countermeasures. For both climate change and cybersecurity, doing nothing is dangerous and will come back to bite us eventually. Sooner rather than later when it comes to cybersecurity. 

IT relies on CIA

A distinction is needed here: the situation is better in information technology (IT) – for example office computers, networks and data centers – than in operational technology (OT), which primarily relates to the automation of factories and buildings. For many years there has been no debate that you need to have a virus scanner installed on your computer and update it regularly. This awareness is only now arising in OT. The reason for this is CIA – no, not the Central Intelligence Agency of the United States – but the three most important security objectives in IT, ranked in order of importance: confidentiality, integrity, availability. This can make OT experts start to sweat, because nothing can be allowed to endanger the availability of production facilities. So they still often apply the reverse order: AIC.

This is also why OT experts sometimes keep kicking the can down the road when it comes time to update automation components. If something goes wrong during the update, production stops and – while the minutes tick away during troubleshooting – the company can lose thousands, if not millions, of euros. But not doing anything is no longer an option, since hackers have chosen the automation of factories and critical infrastructure such as waterworks, oil pipelines and hospitals as the targets of their attempts at extortion. Attacks that result in short supplies are a powerful demonstration of this fact – like the recent example of the Colonial Pipeline. And experts suspect that cyberattacks around the world are going to increase due to the events of the war in Ukraine.


The gap remains

“Back when the Stuxnet incident occurred, the security level in OT was ten years behind IT,” says Stefan Woronka, Director of Industrial Security Services at Siemens, “and we’re only slowly closing this gap, unfortunately.” This is down to several factors. One is that those responsible for production do not want to be to blame if production comes to a standstill as a result of a security update, for example.

Woronka sees the shortage of skilled workers as another reason for the deficit in OT security: “Experts in OT security are even harder to find than IT experts.” Some security technology providers think they can turn the weakness into a strength. If there aren’t any OT experts, then they just replace them with IT experts. That may sound like a good plan, because OT is becoming increasingly similar to IT with the networking of machines and complex software functions, so it makes sense to use the relevant IT methods such as virus scanners and firewalls here as well. “But that doesn’t work,” warns Saman Farsian, Head of Cybersecurity OT Protection and Consulting at Siemens. OT security requires OT experts who know their way around automation technologies.

 

Siemens has them, because the company has invested significant effort in recent years to protect its own factories and those of its customers. Siemens relies on concepts such as security by design or security by default, which means that products come with security integrated and activated when they leave the factory. But it is seldom the case that exclusively Siemens technology is used in a factory, and many systems are years if not decades old. To this end, Siemens develops technologies that assess the production facilities to be protected along with their gaps in security and offers tailored solutions to create several layers of security around critical components that attackers will hardly be able to breach.

Standardized rules thanks to the Charter of Trust

In doing so, the Siemens experts also have to ensure that the applicable requirements in the respective countries and markets are met. “Many of the national laws are different around the world,” says Woronka. This is a fact that hinders rather than helps the establishment of good cybersecurity across borders. This is where the Charter of Trust comes in, which Siemens initiated at the Munich Security Conference in 2018.

The charter currently has 17 companies as members who make up various working groups on topics such as secure supply chains and security by default and define minimum requirements in this regard. These efforts are only now bearing their first fruits: the governments of Australia and Japan asked the members of the initiative to examine their cybersecurity frameworks for the purpose of determining whether they reflect the latest level of knowledge and are compatible with international standards.

 

There is still much work to be done for Siemens and its partners, both with regard to the Charter of Trust as well as with regard to products and services. Above all, customers need to be educated on the subject. Stefan Woronka: “We have to finally remove the ‘niche’ label from OT cybersecurity by more clearly communicating the risks along with the wide array of possibilities of better protection.”

Bernd Müller
