Cybersecurity managers continue to face significant challenges when it comes to recruiting and retaining the professionals needed to secure their organizations – with studies showing that hiring the right cybersecurity skills is only getting harder.
It’s even tougher, though, for utilities to hire qualified security workers because utilities must protect both the usual information technology (IT) stack that runs their business operations and the operational technology (OT) that delivers the critical services that the utilities provide.
Although there are some overlapping skills, protecting IT and safeguarding OT require different expertise and different strategies.
As such, utilities can’t successfully secure their organizations if they have only the standard IT-oriented cybersecurity skills on their teams because those professionals – as skilled as they may be – don’t know the unique security challenges of operational environments. Utilities need people who have the specific expertise and specialized acumen needed to secure operational technology.
Utilities that lack those specialized OT security skills risk not only a breach but also hindering their operations. Apply some standard IT cybersecurity techniques to operational technology, and you have a good chance of negatively impacting operations.
There are plenty of examples that illustrate why IT and OT security are different disciplines. Consider firewall selection. Security experts working in utilities should know to choose firewalls that work with and are able to inspect Industrial Control System (ICS) and OT protocols – an additional selection requirement that only security professionals with OT-focused expertise would likely know.
Similarly, security experts working in utilities need to understand which hardware scanning tools to use – or whether to use any at all – within their organizations. Most hardware scanning tools aren’t effective in an OT environment and, in fact, can do more harm than good if deployed without proper configuration. For instance, Network Mapper (Nmap) is a standard tool used to find open ports and detect systems running on remote machines in an IT environment. But run it in an OT environment and it will likely brick the older Remote Terminal Units (RTUs). Utility personnel will then have to reboot the RTU and hope that maneuver works. If it doesn’t work, which is frequently the case, then they’ll have to actually replace the RTU. In the interim, without an operable RTU, the utility will be without remote control capabilities and the telemetry it needs for optimal operations.
There are other circumstances related to OT environments that create unique security challenges for utilities.
Utilities use proprietary, purpose-built technologies to run their operations; these are not standard off-the-shelf systems. As a result, vendors don’t offer security patches for such systems at the same speed and frequency they do for their standard applications. Instead, vendors take more time to test and issue patches to fix identified security problems within proprietary software. Vendors that offer weekly or monthly patches for their standard software could take 4-6 months to release patches for custom-built OT systems. Meanwhile, hardware vendors might only come out with updates once a year. That means utilities must live with known vulnerabilities within their environments for months and therefore should know how to configure their security strategies accordingly.
OT systems also tend to have significantly longer lifecycles than IT applications and platforms. It’s not uncommon to find operational technologies that are 15 to 20 years old; a utility, for example, could have decades-old switch relays. Contrast that with IT systems, which today typically have lifecycles of five years or less. Consequently, most or even all of the systems within a modern IT stack have been built with current security risks and threats in mind. On the other hand, those old OT systems have no such built-in considerations; they simply weren’t designed to handle modern cybersecurity threats.
Moreover, those older OT systems are usually end of life. That means vendors aren’t issuing any more patches even as they uncover new security vulnerabilities. And utilities often must run outdated, unsupported IT systems, such as older versions of Microsoft Windows, because they need those legacy IT systems in place to work with the legacy OT systems. That further complicates the security scenario within the OT environment.
Now there is some good news on the security front for utilities. A typical OT environment has a much lower number of gateways to the Internet, if any, than a standard IT environment, making OT environments a bit safer from external breaches when compared to IT infrastructures.
That, however, hardly negates the cybersecurity risks to utilities – and the significant consequences that could come with a successful cyber-related breach.
In fact, the potential magnitude of compromised physical equipment tends to be greater than that of a data breach within an IT environment. Even slight OT cyber incidents can lead to not only huge financial losses but damaging ramifications, too, such as water contamination, gas shortages, manufacturing downtime, and power outages.
Utility leaders must recognize what’s at stake and why finding security help skilled in OT is so critical. They should recognize that IT security prioritizes privacy and confidentiality – essentially guarding data against unauthorized access. But OT security must prioritize safety and reliability, because an OT-related cybersecurity attack can put utility personnel and the public itself at risk of injury or even death.
We’ve already witnessed the damage that security incidents involving operational technology can cause. A 2007 Department of Homeland Security program called the Aurora Project, which was intended to bring attention to the issue of cybersecurity, exploited a known vulnerability that resulted in over-torque stresses in a generator. Hackers breached a Florida water treatment plant in February 2021 and tried to poison the water by changing the levels of added chemicals – a change caught by a diligent worker before it was executed. And the May 2021 ransomware attack on Colonial Pipeline caused gas shortages around the East Coast for weeks.
Such incidents highlight the importance of having security professionals with the expertise needed for OT, and not just IT, environments.
Utilities need security specialists with the experience and skills to administer patches that require them to take down highly sensitive OT environments that were designed to run 24/7. They need professionals capable of choosing the right security tools for their own unique requirements. And they need cybersecurity workers who can devise holistic security strategies that account for all such issues.
Utilities benefit from cybersecurity professionals who can successfully collaborate with the plant engineers who built and now run the operational technology, who can understand the unique complexities of the operational technologies that run their utilities, and who can design and deliver a layered, defense-in-depth approach that prioritizes the protection of the utility’s most critical assets.
by Dominick Birolin, CISSP, CISA. Vice President of Cybersecurity at Rokster