
Councils urged to consider OT risks

Local authorities are being urged to treat operational technology (OT) as part of their cyber security risk landscape, since attacks on it could result in serious health and safety incidents.

Operational Technology (OT) refers to technology used to monitor and control processes. Recent years have seen an increase in attacks on OT. The reasons are twofold: firstly, hackers have realised that OT often presents a vulnerable target and, secondly, systems are more integrated than ever before, increasing the likelihood that malware can move between IT systems and connected OT.

In May 2021, the Colonial Pipeline Company in America had to shut off its oil pipeline due to concerns that a ransomware attack on its billing system could spread to its OT network, an example of how an IT attack could compromise OT. In July 2022, a hacktivist group targeted machinery at an Iranian steel manufacturer, causing a fire at its plant in an intentional direct attack on OT.

Local authorities might believe that they don’t have OT of any significance, but Major General Martin Smith CB MBE, the Managing Director of CyberPrism, a managed services company which protects Operational Technology (OT) and IT in the UK and internationally, said this is a commonly held misconception. OT that might be at risk of direct or indirect attack could include CCTV systems, traffic light systems, lifts, security-controlled doors, fire control systems, heating, lighting, air conditioning and more. In public services such as the NHS it can include equipment such as hospital scanners.

“There is a whole range of OT that local authorities won’t have addressed. The fact is that most organisations know nothing about their OT, so some form of basic assessment is a good place to start,” explained Major General Smith. “Until about two years ago those out there who wanted to hack into networks knew nothing about operational technology. They are starting to get the idea now as you can see from various attacks, such as the American Colonial pipeline attack. They now understand that attacking OT is good for two reasons. Firstly, it is vulnerable because organisations have not secured it. Secondly, if you can hack into OT, it is not just a case of stealing data, you can cause disruption. From a ransomware point of view, it becomes even more powerful. What if I stop the lift? Tamper with security-controlled doors? There is a considerable health and safety element too.”

Dane Clackworthy, Head of Business Development and Sales at CyberPrism, encouraged local authorities to take stock of their OT and look at how to protect it. “Every organisation knows that they need to secure their IT but not everyone knows about OT. There is a real gap in understanding what OT is and how we can protect it. One of the first steps is knowing what OT the organisation has. If you don’t know what you have, you can’t protect it and that is an inherent vulnerability.”

There is little doubt that the number of OT attacks is increasing. According to a report, OT Security Incidents: 2021 Trends and Analyses, the number of attacks with physical consequences in process and discrete manufacturing industries more than doubled in 2021 compared with 2020. The authors of the report predicted that ransomware-induced OT outages would triple in 2022 over 2021, stating that attackers are realising that production outages and other physical consequences make it likely ransoms will be paid. State-on-state attacks are also increasing. In 2022, for example, a sophisticated malware attack attempted to destroy the Ukrainian national grid as part of the conflict between Russia and Ukraine.

One of the key strategies organisations can take is to segregate OT and IT and introduce software which will shut parts of the network off when a threat is detected without stopping the processes from taking place. “Networks are becoming ever more connected together which means that if malware gets into one area it could pass into everything. What you need is a more closed system where you know exactly where the gateway is, and you can segregate the systems effectively,” explained Major General Smith.

Systems for monitoring activity and alerting to threats are also important, and OT cyber security training is essential for staff and board members. One thing is clear: doing nothing is not a safe strategy. “While we might not yet quite be at the point where local authorities are being targeted through OT, attackers don’t have to attack the OT specifically to cause an effect. It could be an IT attack which could filter through to OT and have serious consequences. We know these types of attack will become more prevalent,” Clackworthy warned.

Both Major General Smith and Dane Clackworthy from CyberPrism are part of the Cyber Centre of Excellence (CCOE) Advisory Forum. The company provides consultancy services, such as OT audits, and access to specialised software-as-a-service to protect OT.

• Find out more about CyberPrism: https://cyberprism.net