Part of my research coverage at Gartner (in addition to identity and access management) is in what we refer to as the operational technology security environment. We refer to it as operational technology because most of the systems in question are used in the operations environments of industries and other companies. Some of you may have also read in the press about ‘smart grid security’, or ‘industrial control security’. All of these are part of a broad set of issues facing our country (and indeed, most countries) when it comes to critical infrastructure protection, or CIP.
Consider it this way. In addition to the personal computers we have at home and the computers large and small at work, there are also millions upon millions of smaller processing devices: computers in automobiles, on manufacturing assembly lines, in advanced medical equipment, and in modern electric, gas, and water meters. Everywhere you look there are small computers performing specialized functions across many industries. Increasingly, those processors are being networked, and in some cases even finding their way onto the Internet, either intentionally or unintentionally. This is where things can really start to get interesting, and not in a good way.
You have no doubt seen stories in the media about the hacking of critical infrastructure systems. One of the most notorious occurred in 2010 with the Stuxnet virus, which attacked specific technology from a specific vendor involved in (among other things) the nuclear power industry. In this case, it seemed likely that the incident was part of industrial espionage on the part of nation-states, but it highlighted the issues regarding the myriad of critical computing going on throughout our infrastructure.
One of the biggest problems, however, has been to separate the fear and near-hysterical tone of some of these reports from the real issues facing various industries today with operational technology. What exactly do we know for sure about operational technology security, and upon what can we commonly agree? Well, let’s see:
1- Operational technology security is a real and serious issue. Processors and their supporting firmware, operating system, and application environments have proliferated, and in many cases have been deployed without considering basic principles of secure development. The means to secure these environments as a “layer” of data and systems protection has also not been a high priority for many industries, resulting in areas of weakness throughout the networks of systems;
2- Operational technology security is actually larger in terms of devices, systems, and code than information technology. Think about it: for every computer we have, there are hundreds of smaller processing devices (networked and not networked) throughout the world. These processors, embedded in so many different systems, constitute the largest deployment of information systems in the world. As these devices become more ‘intelligent’ and grow in complexity and function, the ‘attack surface’ for those devices grows;
3- We are becoming increasingly dependent upon operational technology to run our industries, our transportation, and our utilities. If key critical infrastructure within those industries remains in a compromised state, the risk for those enterprises goes up, and the likelihood of compromised systems also goes up over time;
4- There are lessons that have been learned in the ‘traditional’ computer security world that can be applied to the operational technology world, as long as the differences between operational and information technology are recognized and accommodated. While some of the practices and processes by which we began to successfully address computer security are applicable, there will be entirely new approaches necessary for some operational technology security needs.
There are no doubt other common facts upon which we can agree about operational technology security. The first step in doing something about the problem is to be aware that it exists, and to take practical and pragmatic steps to mitigate the risk to our critical infrastructure before, during, and after deployment of said infrastructure. In the days ahead, we will write more about this to contribute to that awareness. Gartner has existing research in this area and there is more to come.