
Operational Technology: The cyber blind spot

The cyber security of Operational Technology (OT) is often a blind spot for management teams. In our experience of working with customers, cyber security has not always kept pace with the rapid adoption of Industry 4.0 – cloud computing, automation, Internet of Things, advanced analytics, and the rise of smart cities.

Lack of ownership, overconfidence, and inadequate adoption of controls mean the threat has increased, but management teams are often unaware of the scale of the problem. 

What is operational technology? 

OT is the software and hardware used to control or monitor industrial plant and equipment. Manufacturing machinery, MRI scanners, electric vehicle chargers, and oil and gas platform drills are all types of OT. These devices are essential in manufacturing, energy networks, building management, transport, and public infrastructure.

Why is OT a problem for cyber resilience?  

In the past, these devices were controlled physically by people on site and were not connected to ICT networks. As the Internet of Things expands, OT devices are being connected, but not necessarily securely, and are targeted by cybercriminals as a weak link. Malicious probes using OT increased by 23 times in 2021. That is an increase of 2200%.

Typically, we find a range of problems with management and technical controls: 

  • IT experts know there is a vulnerability but do not know where to start or how to allocate limited budgets, if a budget exists at all  
  • A lack of visibility or responsibility for OT 
  • No agreed standards to manage OT 
  • No inventory documenting what OT exists, or how it is being secured 
  • OT connected to IT networks with security architecture that was never designed to protect it 
  • Security updates to OT are done less frequently because downtime is seen as a loss of revenue 
  • Over-reliance on vendor assurances 

Examples of OT Attacks 

These attacks are happening, and the threat is growing. OT was reportedly exploited in an attack on production facilities at AGCO. The malicious shutdown of the Colonial Pipeline prompted a presidential response because it was an attack on critical national infrastructure. Water and waste treatment plants have also been targeted. Toyota had to shut down all its Japanese factories following an attack on a supplier.

Loss of life and harm to people are not the only consequences. Reputational damage, shutdowns, fines, contractual penalties, and increased scrutiny from regulators can all result from successful OT cyberattacks. OT controls will also affect the terms available from insurers for cyber cover.

What can be done 

To check how prepared your organisation is, consider:   

  1. Is there a named person who is accountable for managing the OT risk? 
  2. When was the latest full risk assessment involving ICT experts, operational managers, and equipment operators? Did it cover patching, network and OT segmentation, and poor password hygiene such as having passwords written down, easy to guess, or shared between operators?  
  3. Does your health & safety risk assessment cover risks to people arising from OT cyberattacks?  
  4. When did you last verify that OT can continue to operate when the ICT network is down? 
  5. When did you last update your OT inventory - the register of software and operating system versions for devices in the OT environment?
  6. When were OT security controls last verified by an independent 3rd party? 

Five years ago, OT threats were a niche problem. The scale of the threat grows as digitalisation and automation gather pace across all industries. Organisations are exposed because OT security was never designed for a world with the Internet of Things, and accountability for OT risks is often unclear. Managing OT threats effectively requires clear accountability, a comprehensive view of the OT environment, a thorough risk assessment by a range of stakeholders, and independent 3rd party verification of controls.

Providing support 

Zurich Resilience Solutions (ZRS) is the Risk Engineering Services division of Zurich Insurance. Zurich, being one of the largest insurance providers in the world, brings in a wealth of experience to the risk management space. ZRS combines its expertise and utilises data to share best practices, providing specialist risk management services to both our insured and non-insured customers. 

Cyber is one of the key risk areas where we have internal capabilities, complemented by external partnerships with security firms such as Barrier Networks. We are able to provide a holistic and comprehensive cyber resilience risk advisory service for customers to help them tackle the present cyber threat landscape, and help navigate the present hard market for insurance.

Barrier Networks are a market-leading supplier of cyber security services in the UK. Barrier specialises in helping customers to build cyber resilience and in developing strategies which defend against cyber-attacks. Barrier provides managed cyber security operations into sectors such as defence, government, energy, and manufacturing. They have specialist expertise in DevSecOps, OT, and Cloud Security and their solutions are underpinned by their award-winning services.

For further information contact zrs.enquiries@uk.zurich.com, visit https://www.barriernetworks.com/ or visit our ZRS website.
