When thinking about Industrial Control Systems (ICS) and Operational Technology (OT), what may first come to mind is the critical national infrastructure that we all rely on every day. From power stations and water treatment plants, to surface and subsurface transportation networks – the cyber security of these systems is vital and, without them, our society would cease to function as it does today.
However, there are other forms of OT that are less obvious but equally important. Many organisations rely on technology that is operationally critical, and where availability and integrity are paramount. Take the example of an ambulance or fire dispatch system. The ability to deploy these vital assets where they are needed relies on a 24x7 system, with accurate information on incidents and the location of assets. The same could be said for logistics companies where parcels are tracked and delivery routes optimised. Other examples include medical equipment such as MRI scanners, and technologies like smart meters and smart thermostats that control aspects of the physical world.
These systems are traditionally considered IT, but shouldn't they be considered OT as well? If this doesn't happen, organisations risk seeing and managing only half the picture. Although OT is built from off-the-shelf technologies similar to those used in IT, the way it is used and the demand for high availability and integrity can introduce their own challenges.
The principles developed for OT security are completely applicable to this and many other situations. The first principle is to adopt a lifecycle approach, as this enables an organisation to effectively design and plan for security-related activities throughout system design, build, operation, modification and decommission. Applying this approach to OT systems – for example, with upgrading and patching – can simplify these notoriously difficult but necessary activities in a constantly evolving threat environment. The second principle is to focus on resilience. This is essential to ensure the availability and integrity of OT systems and services, and the continuation of critical business operations in the event of an incident. To start using these OT principles and managing the full picture, organisations should:
- Understand where OT is already being used and relied upon – this involves identifying systems in the organisation that are critical to business operations.
- Assess how these systems should be managed and maintained – instead of focusing on the confidentiality of data, the priority for OT systems should shift to the availability and integrity of the system and the services it provides.
- Integrate OT cyber security best practices into everyday activities – this requires the development and implementation of technical, procedural and behavioural controls that focus on availability and integrity.
By applying the lessons learned from OT-heavy industries, organisations can begin to design, build, operate and maintain systems more securely. The ultimate goal for businesses is to adapt and thrive in any situation. By investing in resilience, organisations can minimise exposure to security risks while harnessing new technologies and practices.