Operational technology (OT) systems are increasingly at the heart of modern industrial processes. They provide organizations with the ability to better automate, control and monitor these processes and ultimately integrate them with operational and financial management systems.
Example systems include programmable logic controllers (PLC), supervisory control and data acquisition (SCADA), and process information (PI) systems. This technology may also be referred to as industrial control systems (ICS) or simply as SCADA.
Due to the business-critical nature of the processes this technology supports, OT has always presented an inherently high risk and organizations are likely already experiencing the impact of failures. This risk is evolving and increasing, however, as systems become more connected, threats become more prevalent and risk management practices lag. Failure to manage these risks is now more likely to cause disruptions to production, catastrophic financial loss and, very possibly, fatalities.
Challenges and Opportunities
Connectivity is compelling but dangerous. Historically, OT systems have been proprietary and isolated from corporate IT systems. OT suppliers have now largely converged onto common, connected IT platforms, such as Windows and IP networks. This shift presents several compelling opportunities, among them:
- Remote monitoring and management – SCADA and distributed control systems (DCS) allow process supervision to move from the plant floor into control rooms located either onsite or at a remote location.
- More timely vendor support – Internet connectivity provides for near real-time support from OT vendors, eliminating delays in response time or the need to have a vendor specialist onsite.
- Improved operational and financial management – PI systems allow for aggregated analysis. Networked industrial applications (e.g., LIMS, MES) can improve the predictability and control of production outputs, leading to better business decisions being made from more accurate and timely information.
These opportunities have the potential to decrease costs and improve revenues significantly. However, realizing this benefit requires convergence onto common, connected IT platforms that expose industrial operations to common IT-based threats.
OT environments are poorly governed. OT environments often fall outside the remit of the individuals responsible for IT governance structures, including audit, risk, IT security, change management and third-party risk management. Where OT is included in scope, skill shortages in those teams often result in misguided coverage or advice.
While it is clear that this lack of governance can result in a misalignment of OT practices with organizational policies, the otherwise well-governed areas of the organization can also unintentionally expose OT environments to risk. Vulnerability scans leaking into OT networks and patches being automatically applied to untested OT systems can cause failures simply because those systems were not visible and the responsible teams were not properly engaged.
Our Point of View
Recent high-profile attacks on OT systems, including Stuxnet, Flame and Duqu, have raised awareness of OT risks. Owners of high-profile, critical infrastructure OT systems should take steps to protect themselves from these types of attacks, which are commonly referred to as advanced persistent threats (APTs).
There is a danger, however, in believing that highly sophisticated attacks on OT systems supporting critical infrastructure are the only concern. Less-publicized but often more damaging incidents have been attributed to broader OT risk management failures across a variety of industries. Among them are the incidental USB attack that, according to ICS-CERT, delayed a power plant restart by up to three weeks (October 2012), the Washington, D.C., Metro collision that killed nine people (June 2009), the Salt River Project power outage that affected almost 100,000 customers (June 2007) and the Olympic Pipeline rupture that killed three people and caused more than US$45 million in environmental damage (June 1999).
These failures can happen in any OT environment and are often the result of poor management practices combined with inherent OT system vulnerabilities, including:
- Poorly “equipped” systems – Even malware that is not intended to disrupt operations exhausts critical system resources in OT systems that have been designed for maximum efficiency. This malware often leaks from the corporate network or is introduced from rogue devices. Traditional IT protection mechanisms, such as patching, anti-virus and IDS/IPS, can be effective but also require the use of precious system resources.
- Lack of IT engagement – OT administrators are often very capable IT users who do not depend on IT teams to deploy and support their systems. This, as well as IT’s lack of operational understanding, can result in a lack of engagement with IT and a corresponding misalignment with IT policies. The relationship with IT can quickly worsen when IT is seen as slow to respond or its “rules” are viewed as a blocker of OT initiatives.
- Vendor-introduced risks – Compared to IT, OT environments are more likely to be reliant on vendors for ongoing support but less likely to manage the associated risks in a formal way. These vendors are often granted privileged access through their own laptops and USB devices, the Internet and/or fully hosted environments with little control. Even with no malicious intent, this access poses a high risk. It is important to note that these vendor systems are also treated as OT by the vendors’ own organizations and are under-governed in the same way as their customers’ systems.
How We Help Companies Succeed
Protiviti’s IT Consulting professionals provide practical advice and delivery capabilities to OT operating organizations across the globe. This is based on a sound understanding of OT environments and the unique challenges they present. Our teams combine this understanding with industry-leading capabilities in process analysis and risk management, IT risk, and security to provide our clients with the mix of skills required to enable OT without exposing the organization to unmanaged risks.
Protiviti led a large multiyear OT continuity program that the client estimates will save US$1.5 million in outage costs annually and provide the basis for a broader OT risk framework. The program included a group-wide assessment of capability, the development of an appropriate target operating model and overall program management for the deployment.
To identify OT assets effectively and consistently across the client’s 50+ locations, Protiviti used customized tools and partnered with operational personnel to establish a common language for describing and classifying OT systems and operational processes. The team also leveraged the client’s risk framework to tailor a tool specifically for assessing outage risks.
We are now partnering with the client to use the risk information as well as the critical OT asset inventory as the basis for a subsequent phase of work in which governance will be better formalized and broader OT risks will be prioritized and addressed. Whereas the first phase was seen as “stabilizing” the OT environment, the second phase of work is viewed as “controlling” it.