3 Reasons IT and OT Systems Are Vulnerable to Industrial Control Hack Attacks — Plus 3 Risk Management Solutions

By: Wade Chmielinski | June 12, 2021

Wade Chmielinski is staff vice president, group manager, cyber security consultants at FM Global, one of the world’s largest commercial property insurance companies.

Cyber criminals are becoming bolder, and their targets no longer just threaten data. Increasingly, their targets threaten both public safety and the very infrastructure we rely upon in our daily lives.

Two recent examples of information technology (IT) and operational technology (OT) hacks demonstrate the new reality we are living in.

In February, the hack of the industrial control systems of a municipal water treatment plant in Florida could have threatened the health of 15,000 people by tampering with their drinking water. Luckily, the attack was noticed quickly, and no people consumed the water hackers had poisoned by increasing the amount of lye from about 100 parts per million to 11,100 parts per million.

In May, a cyber attack on the operator of one of the largest U.S. fuel pipelines forced the company to shut down its operations for days, causing gasoline shortages and panic buying, until the company was sure it could safely restore services.

While tragedy was ultimately averted in both cases, these hacks serve to lay bare why the vulnerabilities once confined to IT (business networks) are now also in the realm of America’s operating technology systems and demonstrate why they are so important to mitigate.

It is evident these vulnerabilities won’t be addressed without a massive culture shift that forces accountability.

How Ransomware Is Shaping the Game

Over the last few years, there has been a significant increase in cyber attacks, specifically ransomware, against IT networks. Bad actors realized how easy it was to make money by infiltrating the technology systems organizations rely upon to do business.

In the Colonial hack, the company reportedly paid a $5 million ransom to regain access to its network.

According to SentinelOne, ransomware claims increased 239% from 2018 to 2019. But while IT hacks continue, security teams are building resilience within those environments. Bad actors will eventually look for other opportunities to extort organizations.

One likely scenario is bad actors focusing their attacks on the OT environment where the security isn’t as mature.

The OT “soft target” is also where the greatest impact can occur, as these environments are usually the lifeblood of an organization. The high likelihood of a cyber attack on OT having a large impact on the bottom line should be a huge concern for risk managers and insurance companies alike.

So why do we think these environments are the next big target for cyber attackers? There are three problems organizations face today that directly relate to this exposure:

First, operating technologies, sometimes called industrial control systems, encompass different types of control systems and associated instrumentation, which include the devices, systems, networks and controls used to operate and/or automate not only industrial processes but also things such as building security, lighting, environmental systems and more.

Of the three tenets of security (confidentiality, integrity and availability), OT systems were designed to meet only one: availability.

They were not designed to connect to the Internet, to restrict access or to provide any level of resilience to the most basic types of cyber attacks. Any disruption in availability can be catastrophic to an organization; connecting these systems to the Internet has therefore increased risk significantly.

Second, in many organizations, there is not one individual assigned to ensure the OT environment, the systems and the data are protected.

As stated previously, organizations are focused on availability, not confidentiality or integrity; therefore, a single accountable person for cyber security is perceived as unnecessary. And when no one person is held accountable, there is no accountability.

Third, the culture of most organizations has favored the IT side of an organization, and traditionally, information security has lived within this realm. This is where all three elements of the security triad have been viewed as critical!

Yet, while the IT experts know how to keep your business systems protected, they don’t generally have the visibility or skillsets to understand the OT environment and its vulnerabilities.

OT employs very specialized hardware and software that is designed to get a job done. And the people who are familiar with running those environments are focused on producing, not on security.

When you add these elements together, you create a perfect storm where bad things can potentially happen.

3 Risk Management Solutions That Are Key

So, what are the immediate solutions risk managers can take to address the growing threat posed by attacks on operating technology? How can risk managers influence the organization to invest in areas where OT environments begin to build resilience to cyber attacks?

The solutions are not all technical. They are simple and straightforward — but often overlooked.

1) It is absolutely imperative that the IT and OT environments are completely separated.

There should be a firewall in place that only allows the specific traffic each environment requires and blocks everything else. Access to most OT environments will come from IT being breached, so a good security architecture protecting OT from IT is essential in mitigating this risk.
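One way to verify that the IT/OT boundary actually behaves this way, as an added example that is not from the article or from FM Global: a small Python check that evaluates flow records against an explicit IT-to-OT allow-list and reports anything else crossing into the OT zone. The zone ranges, hosts, ports and flow records below are constructed sample values, not real infrastructure.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone definitions (hypothetical addressing, not from the article).
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")

# Explicit allow-list: the only IT-side flows permitted to reach OT.
# Anything else crossing the IT->OT boundary is a policy violation.
ALLOWED_IT_TO_OT = {
    # (source host, destination host, destination port, protocol)
    ("10.10.5.20", "192.168.100.10", 443, "tcp"),  # assumed jump host -> engineering workstation
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def parse_flow(line: str) -> Flow:
    """Parse one constructed, space-separated flow record: src dst dport proto."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())

def crosses_it_to_ot(flow: Flow) -> bool:
    """True only for traffic originating in IT and terminating in OT."""
    return (ipaddress.ip_address(flow.src) in IT_ZONE
            and ipaddress.ip_address(flow.dst) in OT_ZONE)

def is_allowed(flow: Flow) -> bool:
    return (flow.src, flow.dst, flow.dport, flow.proto) in ALLOWED_IT_TO_OT

def find_violations(lines):
    """Return the IT->OT flows that are not on the explicit allow-list."""
    flows = [parse_flow(l) for l in lines if l.strip() and not l.startswith("#")]
    return [f for f in flows if crosses_it_to_ot(f) and not is_allowed(f)]

# Constructed sample flow records (src dst dport proto). Line 2 is RDP from an
# unapproved IT host, line 3 is Modbus/TCP (port 502) straight from IT; line 4
# is OT->IT and line 5 is IT-internal, so neither is flagged by this check.
SAMPLE_FLOWS = """
10.10.5.20 192.168.100.10 443 tcp
10.10.7.31 192.168.100.10 3389 tcp
10.10.2.14 192.168.100.55 502 tcp
192.168.100.10 10.10.5.20 443 tcp
10.10.2.14 10.10.9.9 445 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION IT->OT {v.src} -> {v.dst}:{v.dport}/{v.proto}")
```

Run against exported firewall or flow logs, a non-empty result means the boundary is letting through traffic nobody has explicitly approved.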

2) Organizations need to assess their business culture and commit to making one individual responsible for the OT environment and its security.

This accountable individual will create written policies that outline the security requirements for the OT environment.

By documenting and communicating these requirements to personnel managing the OT environments, you are providing the security requirements that address all three aspects of the security triad: confidentiality, integrity and availability.

Providing OT personnel with documented security requirements is the first step in changing the culture from availability to all three aspects of the security triad.

3) There should be a plan to address legacy software.

Legacy software is software that is out of date and no longer supported by the vendor. Security updates are no longer available for this software; therefore, vulnerabilities are most likely present.

Documenting these instances of legacy software and applying protections around it can go a long way in reducing the likelihood and impact of a cyber attack.

Looking Ahead

The fuel pipeline and Florida water treatment plant hacks should be a wake-up call to organizations large and small. Don’t be fooled into thinking this is going to happen to someone else. It can happen to you, and it just might!

The risk of hackers holding an organization’s operating technology for ransom is as real to an organization as fire, flood and other climate-related hazards are.

Those who take the threat seriously and adopt a security-minded culture will ensure long-term success.

Those whose culture is to ignore the problem may deliver their organization, its stability, reputation and financial success to the mercy of criminals.