Michael Murphy, acting operational technology leader, APAC, Fortinet
New Zealand’s engineering, manufacturing, and electrical sectors are rapidly embracing operational technology (OT) systems. These are the cogs and wheels of 21st century industries, where connectivity and data flow play a critical role. However, as organisations open up to a new horizon of opportunities, the threats they face are evolving and becoming more sophisticated.
Historically, OT systems enjoyed a semblance of protection through their isolation. As these systems were predominantly air-gapped from the broader internet, their risk exposure was minimal. However, as the demand for real-time data, remote monitoring, and smart automation grows, so does the inherent risk associated with OT systems being connected online.
When OT systems are compromised, the repercussions can be massive, extending beyond the loss of data. In fact, a cyberattack can cause equipment malfunctions, health and safety hazards, significant financial losses, and even irreparable damage to a company’s reputation. Given the potential societal impacts—like the Oldsmar water treatment incident, where an alleged cybercriminal tried to poison the city’s water—it’s evident that the stakes are extremely high.
The nature of threats in the OT domain differs from that of traditional IT. Whereas IT often faces threats motivated by financial gain, the OT environment experiences a wider range of motivations: from geopolitical leverage and ego among hacking communities to the act of pure disruption without any sort of gain, financial or otherwise. What’s even more alarming is the growing audacity and capabilities of these threat actors. In the near future, weaponised OT environments might lead to actual human harm.
It’s clear that just increasing security isn’t the answer; business leaders need to make their OT systems more resilient. Building resilience means preparing the OT infrastructure to withstand, recover, and evolve in the face of cyber threats. It’s about adopting a multi-faceted approach that integrates best practices from both the OT and IT domains, including:
• Centralised visibility: a single pane of glass approach, providing real-time visibility across all assets and processes, is crucial. By bridging the OT-IT divide with a centralised management system, organisations can ensure timely detection and mitigation of threats.
• Automated asset management: with an ever-evolving OT infrastructure, knowing one’s assets is half the battle won. Automated asset inventories offer a comprehensive view of all devices, helping in better risk assessment and management.
• Network segmentation: the days of one-size-fits-all are gone. Modern OT environments require targeted security approaches and segmenting networks ensure that threats don’t get a free run across the entire infrastructure.
• Regular security assessments: red teaming, penetration tests, and real-world simulations are no longer just for IT networks. By emulating possible attack vectors, OT systems can be better prepared for actual threats.
• Continuous cyber resilience measurement: resilience is not a one-off goal but an ongoing process. Regularly measuring and reporting on current risks, and adapting strategies accordingly, is key to a resilient OT environment.
As industries rapidly transition towards a cloud-centric, internet-driven model, OT operators, from C-level executives to managers, should be able to understand the risk factors, the incentives at play, and the differences in motivations between hacker groups to build and maintain cyber resilience across OT environments.
The technological innovation New Zealand’s industries are experiencing is undeniably transformative; however, with great innovation comes great responsibility. It’s not just about adopting the latest OT solutions but about building resilience into the core of these systems.
With a proactive approach focused on resilience, not just security, business leaders can ensure that their industries are protected now and futureproofed against the known and unknown cyber threats of tomorrow.