Cybersecurity in OT is an attribute of quality, says expert Martin Fábry.
With the rise of digitalization, the advent of IIoT and the interconnection of IT and OT systems, industrial technology cybersecurity is the domain of today. New vulnerabilities requiring specific security measures and emerging solutions are on the table every day. In this interview with Martin Fábry, we discuss the risks, priorities and real incidents in the industry.
Operational technology (OT) cybersecurity deals with the protection of operational technology systems, which are often part of critical infrastructure. Unlike IT systems, which primarily manage business processes and data, OT manages mission-critical operations, the failure of which can have immediate and serious consequences for the functioning of society, critical infrastructure and industry.
According to OT safety expert Martin Fábry, industrial control systems (ICS) once operated as closed, analogue solutions that were virtually “unbreakable”. However, their evolution towards digitalisation has brought about a fundamental breakthrough. Anything today that contains a processor and network connectivity can become a potential target for attack. In addition, the advent of IIoT and smart sensors has expanded the attack surface so much that protecting ICS systems has become a challenge.
Let’s first define which devices in the OT infrastructure most often serve as a gateway for cyber attacks.
Most attacks are on exposed remote RDP/VNC connections that are either poorly secured by IT or, worse, pushed out to the Internet. Next, programmable logic controllers (PLCs) or remote terminal units (RTUs), which are key components of industrial control, are targeted. Another risk point is an engineering station that has not been updated – the device from which the PLC is programmed. If an attacker gets hold of this station, he can manipulate the system’s control logic and, for example, shut down production completely. Engineering stations in production often run on the Windows operating system and are a frequent target of ransomware attacks designed to make them inaccessible or encrypt them. Risk factors include outdated systems, missing security patches or the absence of antivirus protection.
What are the most common types of cyber attacks that industrial control systems are currently facing?
There are three main vectors. The most common are ransomware attacks from IT to OT – mainly due to the fact that many operators have control systems connected to the Internet. Attackers get in through vulnerable communication channels or exposed ports. Control systems are often not updated and are “visible” from the online space, making them easily vulnerable. Another common threat is untrained users who bring their own USB keys into the facility and connect them to the network. Suppliers are similarly a risk. They come with their own laptops for maintenance or integration, but these are often insecure devices that can introduce malicious code into the system.
Securing an ICS is significantly more complex than securing a conventional IT environment. Why is this so?
Because ICS has completely different priorities than IT.
In industrial systems, availability comes first, then integrity, then reliability, and finally confidentiality. In IT, it’s just the opposite. In an OT environment, it is crucial that the system runs continuously and stably, because if it fails, it can have serious consequences. Not only economic, but also on people’s health. In manufacturing, we often work with hazardous chemicals, robots, in environments with a high risk of explosion, such as in an oil refinery. It is not like managing an office network, it is about safety and lives.
Let’s look at the OT from the other side as well. What are the basic pillars of protecting ICS systems and what should be the basis of a security strategy in an OT environment?
The foundation is always based on three pillars: people, processes and technology. If management does not have information about risks, it lives in the belief that everything works. Often, it has no one in production who can realistically report threats to it. As a result, the necessary measures are not even taken. On the other side, however, there is already pressure from legislation – the amended Cyber Security Act with the transposed NIS2 Directive is forcing the statutory bodies to act. Whether they like it or not, even SMEs will have to address cyber security, as they will be subject to regular audits.
Is there a best practice that you recommend to clients when building a security strategy?
In practice, we recommend focusing on five critical measures. The first is secure access to the IT and OT environment, i.e., controlled connectivity and elimination of direct inputs from the Internet to the control system. The second pillar is a secure architecture: network segmentation, firewall between IT and OT, deployed IDS/IPS systems. The third is monitoring – without it, you don’t know what’s going on. The OT world requires specialized threat detection tools.
The fourth pillar is people. There is often a shortage of security experts in manufacturing, and even if there are some, companies don’t want to pay them. Cybersecurity is still treated as a cost, not as part of quality. And the fifth point is to have an incident response plan and a business continuity plan in place, i.e. knowing what to do when an attack occurs and who to contact. It’s good to have an external partner to help restore operations. Today, cybersecurity is one of the attributes of production quality; without it, you don’t have all the machines and people you need.
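The first two measures above (no direct input from the Internet to the control system, segmentation with a firewall between IT and OT) and the exposed RDP/VNC connections mentioned earlier can be checked mechanically against a firewall's rule or flow export. The following script is an added illustration, not code from the interview or from any vendor: it audits a constructed export against those rules. The zone ranges, the IT-to-OT allowlist (OPC UA on 4840) and the flow lines are all constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed zone map (hypothetical ranges); any address outside both is treated as Internet.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}
# Remote-access services that should never be reachable in the OT zone from outside it.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC"}
# Constructed allowlist of IT->OT ports a segmented design permits (OPC UA assumed here).
IT_TO_OT_ALLOWED_PORTS = {4840}

# Constructed firewall export: src,dst,dport,action (one rule/flow per line).
SAMPLE_FLOWS = """\
203.0.113.7,10.20.5.10,3389,ALLOW
10.10.3.4,10.20.5.10,5900,ALLOW
10.10.3.4,10.20.1.20,4840,ALLOW
10.10.3.4,10.20.1.20,445,ALLOW
10.20.5.10,10.20.1.20,502,ALLOW
203.0.113.7,10.20.5.10,3389,DENY
"""


def zone_of(ip: str) -> str:
    """Map an address to IT, OT or INTERNET using the constructed zone table."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def audit_flows(text: str) -> List[Tuple[str, str]]:
    """Return (finding, flow line) pairs for allowed flows into OT that break the rules."""
    findings = []
    for line in text.splitlines():
        src, dst, dport, action = line.split(",")
        if action != "ALLOW" or zone_of(dst) != "OT":
            continue  # only permitted traffic entering the OT zone is of interest
        src_zone, port = zone_of(src), int(dport)
        if src_zone == "INTERNET":
            findings.append(("direct Internet input to OT", line))
        if src_zone != "OT" and port in REMOTE_ACCESS_PORTS:
            findings.append((f"{REMOTE_ACCESS_PORTS[port]} reachable in OT from {src_zone}", line))
        if src_zone == "IT" and port not in IT_TO_OT_ALLOWED_PORTS | set(REMOTE_ACCESS_PORTS):
            findings.append(("IT->OT flow not on allowlist", line))
    return findings


if __name__ == "__main__":
    for finding, flow in audit_flows(SAMPLE_FLOWS):
        print(f"{finding:40} {flow}")
```

Intra-OT traffic (the Modbus line on port 502) and the denied rule produce no findings, so the output is only the four flows a segmentation review would need to discuss.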
What if I am the managing director of a company and I decide to use an external cyber security vendor? How do I tell whether it is a reliable partner?
You definitely need to do a thorough background check. Ask for references, ideally from OT projects in the last five years. Check what technologies they work with, which vendors they have, and, most importantly, whether they have certified staff. It should go without saying that they can document the professional certifications of their people. In Slovakia, decisions are often made on price, but here it is important to look at quality, reputation and real experience.
Have you experienced situations where the implementation of security measures helped to prevent an attack or at least significantly mitigate its impact?
In fact, in practice it works exactly the opposite. Companies only start to address measures to minimise the impact of an incident when it occurs. Most of the time, it is only after the attacker demands a ransom of €100,000 in bitcoins that the statutory body realises that it could have better invested resources in measures and people.
On the other hand, there are also companies that invest in security preventively and have cyber hygiene in OT under control. With monitoring tools, for example, they can identify an infected vendor laptop and isolate it before it causes a problem. An incident does start, but thanks to preparedness, it doesn’t spread further.
Cloud and AI are also making inroads into the OT world. What does this mean for business and security?
In the OT world, connecting manufacturing systems to the cloud is increasingly emerging – for analytics, AI data processing, predictive maintenance, and more. It’s a trend that’s only going to grow. Just as banks were once hesitant to move to the cloud, which has now become the standard, now the industry is going to see the same, and OT systems will increasingly be integrated with cloud environments.
That is why it is extremely important that these changes are reflected in the area of cyber security. Connections to the cloud must be made with the utmost care to ensure that sensitive production systems are not compromised.
OT safety specialists are becoming increasingly rare. Do you think artificial intelligence could play a bigger role in training them in the future?
It certainly could. However, in the OT security field, I see a greater benefit of AI especially in threat detection – as part of intrusion detection systems. However, let’s not expect AI to replace the expert who designs security for the entire operation. The singularity is still a long way off in OT, at least for the next 10 years.
Where do you see the main reasons for the shortage of cybersecurity managers? Is it the low interest of young people, undersized training, or poor working conditions and salaries?
Many are overworked, underpaid, change jobs frequently and go for better offers. There are few of them on the market and many companies can’t even afford them. However, the figures quoted that Slovakia is short of thousands of cyber security managers are out of touch with reality. Maybe one or two companies are looking for them on job portals. The real solution is outsourcing – one such manager for several companies, otherwise it is impossible to manage capacity-wise. And training is also a problem. Few students apply for technical studies, two thirds of them do not even finish their studies. If the state does not start systematically supporting technical education and universities, we will remain without specialists.
If we compare CTU or Masaryk University in Brno with Slovakia, and look at what capacities are coming out of there and how many startups there are in the Czech Republic, we can see that we will have a problem in the future. I repeat: as long as the state does not invest in education and does not support students at universities, the situation will be alarming.